S3 object-level read logging
Check ID: aws-ct-007
AWS-CT-007 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether CloudTrail is configured to log S3 object-level read events (GetObject). Without this logging, unauthorized reads of S3 data cannot be detected.
Why it matters
S3 read logging captures every GetObject call, which is essential for detecting data exfiltration. During the Capital One breach (2019), the attacker used credentials obtained through an SSRF vulnerability to read millions of credit application records from S3. Without read-level logging, the scope and timeline of such a breach cannot be reconstructed. Object-level read logging is also required to meet data access auditing requirements under GDPR (the right to know who accessed personal data), HIPAA (access logs for PHI), and PCI-DSS (tracking access to cardholder data). To manage cost, consider enabling read logging only on buckets that hold sensitive data such as PII, credentials, or financial records.
Common causes
S3 read events generate the highest volume of any data event type because they capture every object download, presigned URL access, and SDK GetObject call. Teams disable read logging first when CloudTrail costs spike, without realizing they are losing visibility into data exfiltration. CloudTrail event selectors default to management events only, and the distinction between ReadOnly and WriteOnly data events is not intuitive.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
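The following Python is an added example, not cloud-audit's own code, showing the evaluation a check like AWS-CT-007 has to make: given the dict that boto3's CloudTrail get_event_selectors() returns, decide whether any selector on the trail captures S3 GetObject data events, for both basic and advanced event selectors. It also builds the selector list for the put-event-selectors remediation below by appending to the trail's existing selectors, because that API call replaces the whole list and would otherwise drop any selectors already configured. All trail names, ARNs and responses are constructed sample data, so it runs without AWS access.

```python
"""Evaluate CloudTrail event selectors for S3 object-level read logging.

Added example (not cloud-audit's own code). Input is the dict shape returned
by boto3 CloudTrail.get_event_selectors(); SAMPLE_TRAILS below is constructed.
"""

S3_OBJECT = "AWS::S3::Object"


def _basic_selector_logs_s3_reads(selector: dict) -> bool:
    """Basic selector: ReadWriteType All or ReadOnly plus an S3 object data resource."""
    if selector.get("ReadWriteType", "All") not in ("All", "ReadOnly"):
        return False
    return any(
        res.get("Type") == S3_OBJECT and bool(res.get("Values"))
        for res in selector.get("DataResources", [])
    )


def _advanced_selector_logs_s3_reads(selector: dict) -> bool:
    """Advanced selector: S3 object data events that are not restricted to writes."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if fields.get("resources.type", {}).get("Equals") != [S3_OBJECT]:
        return False
    # readOnly omitted logs both reads and writes; "false" logs writes only.
    if fields.get("readOnly", {}).get("Equals") == ["false"]:
        return False
    # An eventName filter that leaves out GetObject does not satisfy the check.
    name = fields.get("eventName", {})
    if "Equals" in name and "GetObject" not in name["Equals"]:
        return False
    if "NotEquals" in name and "GetObject" in name["NotEquals"]:
        return False
    return True


def s3_read_logging_enabled(response: dict) -> bool:
    """True if any selector on the trail captures S3 GetObject data events."""
    return any(map(_basic_selector_logs_s3_reads, response.get("EventSelectors", []))) or any(
        map(_advanced_selector_logs_s3_reads, response.get("AdvancedEventSelectors", []))
    )


def failing_trails(responses: dict) -> list:
    """Sorted names of trails (name -> get_event_selectors response) failing AWS-CT-007."""
    return sorted(n for n, r in responses.items() if not s3_read_logging_enabled(r))


def with_s3_read_selector(existing: list, values=("arn:aws:s3",)) -> list:
    """Selector list to pass to put_event_selectors, keeping what is already there.

    put-event-selectors replaces the trail's whole list, so a bare ReadOnly
    selector would silently drop e.g. an existing WriteOnly selector. Only for
    trails on basic selectors; a trail cannot mix basic and advanced ones.
    """
    if any(_basic_selector_logs_s3_reads(sel) for sel in existing):
        return list(existing)
    return list(existing) + [{
        "ReadWriteType": "ReadOnly",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": S3_OBJECT, "Values": list(values)}],
    }]


# Constructed sample responses (not real accounts or trails).
SAMPLE_TRAILS = {
    "all-data-events": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3"]}]}]},
    "writes-only": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
         "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3:::finance-data/"]}]}]},
    "management-only": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]},
    "advanced-reads": {"AdvancedEventSelectors": [
        {"Name": "S3 reads on the PII bucket", "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": [S3_OBJECT]},
            {"Field": "readOnly", "Equals": ["true"]},
            {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::pii-archive/"]}]}]},
}

if __name__ == "__main__":
    for name in failing_trails(SAMPLE_TRAILS):
        print(f"FAIL aws-ct-007: trail {name} does not log S3 object-level reads")
```

Run against live data by replacing SAMPLE_TRAILS with one get_event_selectors() call per trail from describe_trails(); the advanced-selector branch also catches trails that scope read logging to specific buckets, which is the cost-conscious configuration the page recommends.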
Remediation: AWS CLI
aws cloudtrail put-event-selectors --trail-name main-trail --event-selectors '[{"ReadWriteType":"ReadOnly","DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3"]}]}]'

Remediation: Terraform
resource "aws_cloudtrail" "main" {
  # ...
  event_selector {
    read_write_type           = "ReadOnly"
    include_management_events = true
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3"]
    }
  }
}

Compliance mapping
This check maps to CIS 3.9 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
CIS AWS v3.0 in 60 Seconds: Automate Compliance with Terraform →