S3 access logging
Check ID: aws-s3-005
AWS-S3-005 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether S3 buckets have server access logging enabled to track requests.
Why it matters
Without server access logging, you have zero visibility into who is accessing your bucket data, when, and from where. This makes it impossible to detect unauthorized access patterns, investigate security incidents, or prove compliance with data access audit requirements. In the 2022 Samsung S3 breach, the lack of access logs delayed incident response by weeks because investigators could not determine what data was accessed. S3 access logs capture the requester identity, request time, action taken, response status, and error codes. For sensitive data buckets, combining S3 access logging with CloudTrail S3 data events provides comprehensive coverage - access logs for HTTP-level details and CloudTrail for API-level audit.
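Once logging is enabled, the fields listed above can be triaged directly from the delivered log objects. The following is an added example, not part of cloud-audit: it parses the leading fields of S3 server access log records and surfaces denied requests and successful anonymous reads. The function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Leading fields of an S3 server access log record, in their logged order.
LOG_RE = re.compile(
    r'(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'(?:"(?P<request_uri>[^"]*)"|-) (?P<status>\d{3}|-) (?P<error_code>\S+)'
)

def parse_line(line):
    """Return the leading fields of one record as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    rec["status"] = int(rec["status"]) if rec["status"] != "-" else None
    rec["anonymous"] = rec["requester"] == "-"  # "-" means unauthenticated
    return rec

def triage(lines):
    """Count 403 responses per (requester, IP) and list anonymous object reads."""
    denied, anon_reads, skipped = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep a count so truncated records are not silently lost
        elif rec["status"] == 403:
            denied[(rec["requester"], rec["remote_ip"])] += 1
        elif rec["anonymous"] and rec["status"] == 200 and rec["operation"].endswith("GET.OBJECT"):
            anon_reads.append((rec["time"].isoformat(), rec["remote_ip"], rec["key"]))
    return {"denied": dict(denied), "anonymous_reads": anon_reads, "skipped": skipped}

# Constructed sample records (not real log data); IPs are documentation ranges.
SAMPLE = [
    'OWNERID example-bucket [06/Feb/2024:00:01:00 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/alice REQ1 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 512 512 20 19 "-" "aws-cli/2.0" -',
    'OWNERID example-bucket [06/Feb/2024:00:02:00 +0000] 203.0.113.7 - REQ2 REST.GET.OBJECT public/index.html "GET /public/index.html HTTP/1.1" 200 - 1024 1024 12 11 "-" "curl/8.0" -',
    'OWNERID example-bucket [06/Feb/2024:00:03:00 +0000] 198.51.100.23 - REQ3 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -',
    'OWNERID example-bucket [06/Feb/2024:00:03:05 +0000] 198.51.100.23 - REQ4 REST.GET.OBJECT reports/q2.csv "GET /reports/q2.csv HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.0" -',
    'truncated record',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```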
Common causes
Access logging is skipped because it requires creating a separate target bucket and configuring permissions, adding friction to the bucket creation process. Teams using CloudTrail S3 data events assume they have sufficient logging coverage and do not realize server access logs provide HTTP-level details that CloudTrail does not capture. Automated bucket provisioning templates often omit logging configuration to keep the module simple.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
Remediation: AWS CLI
aws s3api put-bucket-logging --bucket BUCKET_NAME --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"BUCKET_NAME-logs","TargetPrefix":"access-logs/"}}'
Remediation: Terraform
resource "aws_s3_bucket_logging" "bucket" {
  bucket        = "bucket-name"
  target_bucket = "bucket-name-logs"
  target_prefix = "access-logs/"
}
This check is part of cloud-audit - install with pip install cloud-audit