CloudTrail Logging Bucket Should Use MFA Delete Feature

More Info:

Your AWS CloudTrail logging bucket should use the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files.

Risk Level

High

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the issue of CloudTrail Logging Bucket Should Use MFA Delete Feature in AWS:

Log in to your AWS console.
Navigate to the S3 service.
Find the S3 bucket that is being used for CloudTrail logging.
Click on the bucket name to open its properties.
Click on the Permissions tab.
Scroll down to the “Bucket Policy” section.
Click on “Edit”.
Add the following JSON code to the Bucket Policy:

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectMultiPartUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        },
        "NumericGreaterThanEquals": {
          "s3:x-amz-content-sha256": 1
        }
      }
    },
    {
      "Sid": "DenyDeleteWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketVersioning",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:PutBucketCors",
        "s3:PutBucketLifecycleConfiguration",
        "s3:PutBucketReplication",
        "s3:DeleteBucket",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Null": {
          "s3:authType": "MFA"
        }
      }
    }
  ]
}

Replace “your-bucket-name” with the actual name of your S3 bucket.
Click on “Save Changes” to update the Bucket Policy.

This will add a DenyDeleteWithoutMFA policy statement to the bucket policy, which will prevent any deletion of objects or modification of bucket policies without MFA authentication.

Using CLI

To remediate the misconfiguration “CloudTrail Logging Bucket Should Use MFA Delete Feature” for AWS using AWS CLI, follow these steps:

Enable versioning for the S3 bucket where CloudTrail logs are stored by running the following command:

aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled

Create a new IAM policy that grants permission to delete objects from the S3 bucket only if MFA authentication is provided. You can use the following policy as an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDeleteObjectsWithMFA",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject*",
                "s3:PutObjectVersionAcl",
                "s3:GetObjectVersionAcl"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "DenyDeleteObjectsWithoutMFA",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObject*",
                "s3:PutObjectVersionAcl",
                "s3:GetObjectVersionAcl"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Create a new IAM policy that grants permission to update the bucket policy to require MFA authentication for object deletions. You can use the following policy as an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUpdateBucketPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>"
        }
    ]
}

Create a new IAM role that can assume the policy created in step 3 and attach the policy created in step 2 to it. You can use the following command to create the role:

aws iam create-role --role-name <role-name> --assume-role-policy-document file://trust-policy.json

where “trust-policy.json” contains the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Update the bucket policy to require MFA authentication for object deletions by running the following command:

aws s3api put-bucket-policy --bucket <bucket-name> --policy file://bucket-policy.json

where “bucket-policy.json” contains the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireMFADelete",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObject*",
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Launch an EC2 instance with the IAM role created in step 4 and run the following command to delete the existing CloudTrail logging bucket policy:

aws s3api delete-bucket-policy --bucket <bucket-name>

Finally, run the following command to update the CloudTrail logging bucket policy to require MFA authentication for object deletions:

aws s3api put-bucket-policy --bucket <bucket-name> --policy file://cloudtrail-policy.json

where “cloudtrail-policy.json” contains the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireMFADelete",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObject*",
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

After following these steps, the CloudTrail logging bucket should be configured to require MFA authentication for object deletions.

Using Python

To remediate the misconfiguration of CloudTrail Logging Bucket Should Use MFA Delete Feature in AWS using Python, you can follow the below steps:

Import the necessary libraries:

import boto3
from botocore.exceptions import ClientError

Define the name of the S3 bucket that you want to remediate:

bucket_name = 'your-bucket-name'

Create an S3 client:

s3 = boto3.client('s3')

Check if MFA delete is enabled for the bucket:

try:
    response = s3.get_bucket_versioning(Bucket=bucket_name)
    if 'MFADelete' in response and response['MFADelete'] == 'Enabled':
        print('MFA Delete is already enabled for the bucket.')
        return
except ClientError as e:
    if e.response['Error']['Code'] == 'NoSuchBucketVersioning':
        print('Bucket versioning is not enabled for the bucket.')
    else:
        print(f'Error: {e}')
        return

If MFA delete is not enabled, enable it:

try:
    response = s3.put_bucket_versioning(
        Bucket=bucket_name,
        VersioningConfiguration={
            'Status': 'Enabled',
            'MFADelete': 'Enabled'
        }
    )
    print('MFA Delete has been enabled for the bucket.')
except ClientError as e:
    print(f'Error: {e}')

Configure MFA delete for the bucket:

try:
    response = s3.put_bucket_mfa(
        Bucket=bucket_name,
        MFADelete='Enabled',
        MFADeleteEnable='Enabled',
        MFA='your-mfa-serial-number'
    )
    print('MFA Delete has been configured for the bucket.')
except ClientError as e:
    print(f'Error: {e}')

Note: Replace ‘your-bucket-name’ and ‘your-mfa-serial-number’ with the actual values of your S3 bucket name and MFA serial number respectively.

Additional Reading:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingMFADelete.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

CloudTrail Logging Bucket Should Use MFA Delete Feature

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: