CloudTrail S3 bucket access logging
Check ID: aws-ct-004
AWS-CT-004 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if the S3 bucket used by CloudTrail has server access logging enabled. Without access logging, unauthorized access to CloudTrail log files cannot be detected.
Why it matters
CloudTrail logs are the primary forensic evidence during an incident investigation. If an attacker gains access to the CloudTrail S3 bucket, they can delete or modify logs to erase their tracks. Without S3 access logging on the CloudTrail bucket, you have no way to know who accessed, downloaded, or deleted log files. In the 2019 Capital One breach, investigators relied heavily on CloudTrail log integrity to reconstruct the attack timeline. S3 access logs serve as a secondary audit trail that persists even if the primary CloudTrail logs are tampered with, providing the chain of custody required by SOC 2, PCI-DSS, and HIPAA compliance frameworks.
Common causes
S3 access logging is disabled by default and requires a separate target bucket, which adds infrastructure complexity that teams skip during initial CloudTrail setup. Many Terraform templates and CloudFormation quick-starts provision the CloudTrail bucket but omit the access logging configuration. In cost-conscious environments, teams disable access logging to avoid the additional storage costs without realizing the forensic implications.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
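The logic behind this check, written out as an added example (this is not cloud-audit's own source): enumerate trails, look up each delivery bucket's logging configuration, and classify it. It assumes client objects with the boto3 method names describe_trails and get_bucket_logging; the stub clients at the bottom are constructed sample data so it runs offline, and it also flags the one configuration that technically "passes" but is still wrong, a bucket that logs to itself.

```python
"""Evaluate CloudTrail delivery buckets for S3 server access logging.

Added example, not cloud-audit's own code. The clients are assumed to expose the
boto3 method names describe_trails / get_bucket_logging; pass real boto3 clients
(boto3.client("cloudtrail"), boto3.client("s3")) in place of the stubs below.
"""
from typing import Any, Dict, List


def evaluate_bucket_logging(bucket: str, logging_config: Dict[str, Any]) -> Dict[str, str]:
    """Classify one get_bucket_logging response for the given bucket.

    S3 returns a response without a 'LoggingEnabled' key when logging is off,
    so the absence of that key is the failure condition this check looks for.
    """
    enabled = logging_config.get("LoggingEnabled")
    if not enabled:
        return {"bucket": bucket, "status": "FAIL",
                "reason": "server access logging disabled"}
    target = enabled.get("TargetBucket", "")
    if target == bucket:
        # Logging a bucket into itself is accepted by S3, but every delivered
        # log object produces a further log entry; the target must be separate.
        return {"bucket": bucket, "status": "WARN",
                "reason": "bucket logs to itself; use a separate target bucket"}
    return {"bucket": bucket, "status": "PASS",
            "reason": f"logging to {target}/{enabled.get('TargetPrefix', '')}"}


def check_cloudtrail_buckets(cloudtrail_client, s3_client) -> List[Dict[str, str]]:
    """Run the evaluation over every S3 bucket that a trail delivers to."""
    findings: List[Dict[str, str]] = []
    seen = set()
    for trail in cloudtrail_client.describe_trails()["trailList"]:
        bucket = trail.get("S3BucketName")
        # Skip trails without S3 delivery and buckets shared by several trails.
        if not bucket or bucket in seen:
            continue
        seen.add(bucket)
        config = s3_client.get_bucket_logging(Bucket=bucket)
        findings.append(evaluate_bucket_logging(bucket, config))
    return findings


# --- constructed stub clients so the example runs without AWS credentials ---
class _StubCloudTrail:
    def describe_trails(self):
        return {"trailList": [
            {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs"},
            {"Name": "legacy-trail", "S3BucketName": "example-legacy-trail"},
            {"Name": "dup-trail", "S3BucketName": "example-cloudtrail-logs"},
        ]}


class _StubS3:
    _configs = {
        "example-cloudtrail-logs": {"LoggingEnabled": {
            "TargetBucket": "example-cloudtrail-logs-access-logs",
            "TargetPrefix": "access-logs/"}},
        "example-legacy-trail": {},  # logging disabled: the aws-ct-004 finding
    }

    def get_bucket_logging(self, Bucket):
        return dict(self._configs[Bucket])


def run_sample() -> List[Dict[str, str]]:
    return check_cloudtrail_buckets(_StubCloudTrail(), _StubS3())


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['status']:4} {finding['bucket']}: {finding['reason']}")
```

With the stub data the example reports PASS for example-cloudtrail-logs and FAIL for example-legacy-trail; the duplicate trail on the first bucket is evaluated once.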
Remediation: AWS CLI
# Create a logging bucket first (if needed):
aws s3api create-bucket --bucket CLOUDTRAIL-BUCKET-access-logs --region us-east-1
# Enable access logging:
aws s3api put-bucket-logging --bucket CLOUDTRAIL-BUCKET --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "CLOUDTRAIL-BUCKET-access-logs", "TargetPrefix": "access-logs/"}}'
Remediation: Terraform
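The CLI steps above leave out one thing a practitioner hits immediately: the target bucket must grant the S3 log delivery service (logging.s3.amazonaws.com) permission to write, or the logging configuration is not accepted. The following added example (not cloud-audit's own remediation code) builds that bucket policy with the source-bucket and source-account conditions AWS documents, then applies the same logging status the CLI command sets. It assumes an S3 client with the boto3 method names put_bucket_policy and put_bucket_logging; the recording stub at the bottom is constructed so it runs offline, and the bucket names and account id are placeholders.

```python
"""Enable S3 server access logging on a CloudTrail bucket, including the
target-bucket policy the log delivery service needs.

Added example, not cloud-audit's own code. Assumes a client with the boto3
method names put_bucket_policy / put_bucket_logging (boto3.client("s3")).
"""
import json
from typing import Any, Dict, List


def log_delivery_policy(target_bucket: str, prefix: str,
                        source_bucket: str, account_id: str) -> Dict[str, Any]:
    """Policy allowing S3 log delivery to write under prefix in target_bucket.

    The aws:SourceArn / aws:SourceAccount conditions pin delivery to one source
    bucket in one account, so a bucket elsewhere cannot spray objects into the
    target. Note: put_bucket_policy replaces the whole policy; on a bucket that
    already has one, merge this statement into the existing document instead.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{target_bucket}/{prefix}*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def enable_access_logging(s3_client, source_bucket: str, target_bucket: str,
                          account_id: str, prefix: str = "access-logs/") -> Dict[str, Any]:
    """Grant log delivery on the target, then point the source bucket at it."""
    if target_bucket == source_bucket:
        # A bucket logging to itself loops: each log object creates a log entry.
        raise ValueError("target bucket must differ from the CloudTrail bucket")
    # The target bucket must live in the same region as the source bucket.
    policy = log_delivery_policy(target_bucket, prefix, source_bucket, account_id)
    s3_client.put_bucket_policy(Bucket=target_bucket, Policy=json.dumps(policy))
    status = {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": prefix}}
    s3_client.put_bucket_logging(Bucket=source_bucket, BucketLoggingStatus=status)
    return status


# --- constructed recording stub so the example runs without AWS credentials ---
class _RecordingS3:
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def put_bucket_policy(self, **kwargs):
        self.calls.append({"op": "put_bucket_policy", **kwargs})

    def put_bucket_logging(self, **kwargs):
        self.calls.append({"op": "put_bucket_logging", **kwargs})


def run_sample() -> _RecordingS3:
    client = _RecordingS3()
    enable_access_logging(client, "example-cloudtrail-bucket",
                          "example-cloudtrail-bucket-access-logs", "111122223333")
    return client


if __name__ == "__main__":
    for call in run_sample().calls:
        print(json.dumps(call, indent=2))
```

The order matters: the policy is applied to the target first, because S3 validates that the delivery service can write to the target when the logging configuration is set on the source.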
# Assumes aws_s3_bucket.cloudtrail and aws_s3_bucket.access_logs are defined elsewhere
resource "aws_s3_bucket_logging" "cloudtrail" {
  bucket        = aws_s3_bucket.cloudtrail.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "access-logs/"
}
Compliance mapping
This check maps to CIS 3.4 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit