
Exposed S3 bucket CloudTrail logs — Another way to compromise security


Why is S3 bucket security a must?

When you configure CloudTrail and CloudWatch, you need an S3 bucket to store all your logs and metrics. By default an S3 bucket is private and can only be accessed by users who have been granted permission to access it. In most cases, broad public read access to your files is not required unless you are using the S3 bucket to host public assets.

You can use S3 bucket ACLs (Access Control Lists) and IAM user policies to restrict access to your bucket. When setting up ACLs for an organization with many IAM users, the most common mistake is giving unintended access to certain IAM users. Likewise, an overly permissive and insecure set of permissions can allow any malicious user to access your AWS S3 buckets, which increases the risk of data misuse.

Ensure that your S3 bucket CloudTrails are not public

Like any other service, you can configure CloudTrail and CloudWatch for your S3 bucket. With these two services you can check the records captured in the trail, and view, search and download recent activity in your S3 buckets, much like a bank account statement. Configuring the trail in CloudWatch notifies you every time somebody accesses your S3 bucket.

The risk of a publicly accessible bucket being breached is high. To confirm that your AWS account and all your logs are secure, Centilytics checks that you have created an alarm for your S3 bucket CloudTrail logs, and reminds you about the alarms if they have not been created for your publicly accessible S3 bucket CloudTrail logs.
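As an added example that is not Centilytics' own code, the following applies the Ok/Critical rule described above to a bucket's ACL (public grants to AllUsers or AuthenticatedUsers, unless the bucket's Public Access Block ignores public ACLs) and adds a live variant over the CloudTrail log buckets in an account. The function names and the sample ACLs are constructed for the example; it inspects ACL grants only, not bucket policies.

```python
from typing import Optional

# Grantee URIs that make an ACL grant public (anyone, or any AWS account holder)
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_grants(acl: dict) -> list:
    """Return the ACL grants that go to AllUsers or AuthenticatedUsers."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

def classify(acl: dict, public_access_block: Optional[dict]) -> str:
    """'Ok' or 'Critical' for one bucket. A public grant is neutralised when the
    bucket's Public Access Block sets IgnorePublicAcls, so only then is it Ok."""
    pab = public_access_block or {}
    if public_grants(acl) and not pab.get("IgnorePublicAcls", False):
        return "Critical"
    return "Ok"

# Constructed sample ACLs, in the shape boto3's get_bucket_acl returns
OWNER = {"ID": "EXAMPLE-CANONICAL-ID"}  # placeholder, not a real canonical ID
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

def check_trail_buckets(region_name: str) -> dict:
    """Live check: map each CloudTrail log bucket in the account to Ok/Critical.
    Needs boto3 and AWS credentials; imported lazily so the offline part runs alone."""
    import boto3
    from botocore.exceptions import ClientError
    ct = boto3.client("cloudtrail", region_name=region_name)
    s3 = boto3.client("s3")
    results = {}
    for trail in ct.describe_trails()["trailList"]:
        bucket = trail.get("S3BucketName")
        if not bucket:
            continue
        try:
            pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
        except ClientError as e:
            if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = None  # no block configured, so ACL grants take effect as written
        results[bucket] = classify(s3.get_bucket_acl(Bucket=bucket), pab)
    return results
```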

Insight Description:

Severity | Description
Ok | S3 bucket CloudTrail logs are not publicly accessible.
Critical | S3 bucket CloudTrail logs are publicly accessible.

The further columns are described as follows:

Account Id: Shows the respective account ID of the user’s account.

Account Name: Shows the account name corresponding to the user’s account.

Region: This column shows the region in which the resource is located.

Bucket Name: This column shows the name of the bucket in which the logs are stored.

Filters Applicable:

Filter Name | Description
Account Id | Applying the account Id filter will display all the resources for the selected account Id.
Region | Applying the region filter will display all the resources corresponding to the selected region.
Severity | Applying the severity filter will display resources according to the selected severity type, i.e. selecting Critical will display all instances with Critical severity. The same applies to the Warning and Ok severity types.
Resource Tags | Applying the resource tags filter will display those resources which have been assigned the selected resource tag. For example, a user has tagged some public snapshots with a resource tag named environment. Selecting environment from the resource tags filter will then display all resources tagged with the tag name environment.
Resource Tags Value | Applying the resource tags value filter will display data which has the selected resource tag value. For example, let's say a user has tagged some resource with a tag named environment that has the value production (environment: production). The user can then view data for all the resources which have the "environment:production" tag assigned. The tag value filter can only be used once a tag name has been provided.
Compliance | You can further refine your security and health checks compliance-wise.