S3 object-level write logging
Check ID: aws-ct-006
AWS-CT-006 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether CloudTrail is configured to log S3 object-level write events (PutObject, DeleteObject, etc.). Without this, unauthorized modifications to S3 data cannot be detected.
Why it matters
By default, CloudTrail only logs management events (API calls like CreateBucket) but not data events (PutObject, DeleteObject). Without S3 write logging, you cannot detect when an attacker uploads malware to a public bucket, modifies configuration files stored in S3, or deletes backup data. The 2022 Uber breach involved attackers accessing S3 buckets containing sensitive data, and without object-level logging the full scope of data tampering would have been invisible. S3 data events are also essential for detecting ransomware patterns where attackers encrypt objects in place. Note that enabling S3 data events significantly increases CloudTrail costs, so consider targeting specific high-value buckets rather than all buckets.
Common causes
S3 data events are disabled by default because they generate high log volume and increase CloudTrail costs significantly. Teams enable CloudTrail and assume all S3 activity is logged without realizing the management-vs-data event distinction. Cost optimization reviews sometimes disable data events across all buckets without evaluating which buckets contain sensitive data.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
Remediation: AWS CLI
aws cloudtrail put-event-selectors --trail-name main-trail --event-selectors '[{"ReadWriteType":"WriteOnly","DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3"]}]}]'
Remediation: Terraform
resource "aws_cloudtrail" "main" {
  # ...
  event_selector {
    read_write_type           = "WriteOnly"
    include_management_events = true
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3"]
    }
  }
}
Compliance mapping
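To show what the remediation above actually changes, here is an added example (not cloud-audit's own code) that evaluates the dictionary returned by CloudTrail's get_event_selectors API and reports which S3 ARN prefixes have object-level writes logged, covering both classic and advanced event selectors. The sample responses are constructed, and the function names are hypothetical.

```python
"""Evaluate a CloudTrail get_event_selectors response for S3 object-level write logging."""
from typing import Any

# Constructed samples in the shape returned by
# boto3.client("cloudtrail").get_event_selectors(TrailName="main-trail").
SAMPLE_BASIC = {  # matches the CLI remediation: WriteOnly + arn:aws:s3 (all buckets)
    "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]},
    ],
}
SAMPLE_ADVANCED = {  # same intent expressed with advanced event selectors
    "AdvancedEventSelectors": [
        {"Name": "s3 writes", "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "readOnly", "Equals": ["false"]},
        ]},
    ],
}
SAMPLE_MGMT_ONLY = {  # the default: management events only, no data resources
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                        "DataResources": []}],
}

def s3_write_logging_scope(selectors: dict[str, Any]) -> set[str]:
    """Return S3 ARN prefixes whose object-level writes this trail logs.
    {"arn:aws:s3"} means every bucket; an empty set means the check fails."""
    covered: set[str] = set()
    # Classic selectors: ReadWriteType WriteOnly or All (API default) plus an S3 data resource.
    for sel in selectors.get("EventSelectors", []):
        if sel.get("ReadWriteType", "All") not in ("WriteOnly", "All"):
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object":
                covered.update(res.get("Values", []))
    # Advanced selectors: Data category, S3 object type, and readOnly not pinned to true.
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
            continue
        if fields.get("readOnly", {}).get("Equals") == ["true"]:
            continue  # read-only selector: writes are not logged
        arns = fields.get("resources.ARN", {})
        covered.update(arns.get("Equals") or arns.get("StartsWith") or ["arn:aws:s3"])
    return covered

def passes_aws_ct_006(selectors: dict[str, Any]) -> bool:
    """The check passes when at least one bucket or prefix has write data events logged."""
    return bool(s3_write_logging_scope(selectors))
```

Because the function works on the API response alone, it can be run against saved JSON from several accounts without making further AWS calls.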
This check maps to CIS 3.8 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.