CloudTrail S3 bucket public access
Check ID: aws-ct-003
AWS-CT-003 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if S3 buckets used by CloudTrail have all public access block settings enabled.
Why it matters
CloudTrail logs contain a complete record of every API call in your account, including resource names, IAM identities, source IP addresses, request parameters, and account structure. If the audit log bucket is publicly accessible, attackers gain a detailed map of your entire AWS environment without even needing AWS credentials. They can identify high-value targets, understand your IAM structure, discover resource names for targeted attacks, and determine which security services are (or are not) enabled. In 2019, a Dow Jones subsidiary exposed CloudTrail logs through a public S3 bucket, revealing their complete AWS infrastructure topology. This is a critical finding because it undermines the security of every other control.
Common causes
CloudTrail S3 buckets become public when teams modify bucket policies to troubleshoot log delivery issues and accidentally remove the public access blocks. Organizations using legacy bucket ACLs may have inherited public read permissions from older S3 access patterns. Some teams create the audit bucket manually instead of using CloudFormation or Terraform, skipping the public access block configuration step.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
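The check logic itself, as an added illustration (not cloud-audit's own code): each trail's S3BucketName is looked up with s3:GetPublicAccessBlock, a bucket with no public access block at all counts as failing all four settings, and the fetcher is injected so the evaluation runs offline on constructed sample data. Trail and bucket names below are made up.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
# All four settings must be true for the bucket to pass aws-ct-003.
REQUIRED_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")

@dataclass
class Finding:
    trail_name: str
    bucket: str
    missing: List[str]  # empty list means the bucket passed

# A fetcher returns the bucket's PublicAccessBlockConfiguration, or None when it has none at all.
Fetcher = Callable[[str], Optional[Dict[str, bool]]]

def evaluate_bucket(config: Optional[Dict[str, bool]]) -> List[str]:
    """Settings that are not enabled; no configuration means none of them apply."""
    if config is None:
        return list(REQUIRED_SETTINGS)
    return [s for s in REQUIRED_SETTINGS if not config.get(s, False)]

def check_trails(trails: List[Dict[str, str]], fetch: Fetcher) -> List[Finding]:
    """Run the check over describe_trails()-style records carrying Name and S3BucketName."""
    findings = []
    for trail in trails:
        bucket = trail.get("S3BucketName")
        if not bucket:
            continue  # a trail with no bucket is outside this check's scope
        findings.append(Finding(trail["Name"], bucket, evaluate_bucket(fetch(bucket))))
    return findings

def boto3_fetcher(bucket: str) -> Optional[Dict[str, bool]]:
    """Fetcher backed by s3:GetPublicAccessBlock (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        resp = boto3.client("s3").get_public_access_block(Bucket=bucket)
        return resp["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise

# Constructed sample data standing in for the two API responses.
SAMPLE_TRAILS = [{"Name": "org-trail", "S3BucketName": "audit-logs-hardened"},
                 {"Name": "legacy-trail", "S3BucketName": "audit-logs-manual"},
                 {"Name": "adhoc-trail", "S3BucketName": "audit-logs-nopab"}]
SAMPLE_BLOCKS = {"audit-logs-hardened": dict.fromkeys(REQUIRED_SETTINGS, True),
                 "audit-logs-manual": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": False}}

def sample_fetcher(bucket: str) -> Optional[Dict[str, bool]]:
    return SAMPLE_BLOCKS.get(bucket)  # None mimics a bucket with no public access block
```

Swap `sample_fetcher` for `boto3_fetcher` and feed it real `describe_trails()` output to run the same evaluation against an account.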
Remediation: AWS CLI
aws s3api put-public-access-block --bucket BUCKET_NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

Remediation: Terraform
resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  bucket                  = aws_s3_bucket.cloudtrail.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

Compliance mapping
This check maps to CIS 3.3 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.