Skip to main content
All CollectionsMonitoringTests
Test 226: AWS S3 Object-Level Logging for Read & Write Events
Test 226: AWS S3 Object-Level Logging for Read & Write Events

Drata validates that object-level logging for read and write events is enabled for AWS S3 buckets.

Updated over a month ago

Drata validates that object-level logging for read and write events is enabled for AWS S3 buckets. S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.

Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.

ASSOCIATED DRATA CONTROL

This test is part of the Audit Logging control (DCF-406) that ensures audit logs are enabled and active for all system components and sensitive data in accordance with company policies.

WHAT TO DO IF A TEST FAILS

If Drata finds that object-level logging for read and write events is not enabled for AWS S3 buckets, the test will fail.

STEPS TO REMEDIATE

  1. From the AWS S3 dashboard, select an S3 bucket and click on 'Properties'.

  2. In the AWS Cloud Trail data events' section, select the CloudTrail name for the recording activity.

  3. You can choose an existing Cloudtrail or create a new one.

  4. Once the Cloudtrail is selected, select the data 'Data Events' checkbox.

  5. Select S3 from the 'Data Event Type' drop down and select 'Log All Events' from the log selector template drop down.

Center for Internet Security (CIS)

This test aligns with the Center for Internet Security’s (CIS) foundation benchmarks which provides prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.


Did this answer your question?