CloudTrail Logging Buckets Should Not Be Publicly Accessible

More Info:

AWS CloudTrail logging buckets should not be publicly accessible. Using an overly permissive or insecure set of permissions for your CloudTrail logging S3 buckets could provide malicious users access to your AWS account log data which can increase exponentially the risk of unauthorized access.

Risk Level

Critical

Address

Security

Compliance Standards

GDPR, HIPAA, CISAWS, CBP, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

Identify CloudTrail Trails with Publicly Accessible Buckets:

aws cloudtrail describe-trails --query "trailList[?contains(S3BucketName, 'public-accessible-bucket')]" --output json

Replace 'public-accessible-bucket' with the name of the bucket you’re investigating.

Remove Public Access from S3 Bucket ACL:

aws s3api put-bucket-acl --bucket BUCKET_NAME --acl private

Replace BUCKET_NAME with the name of the S3 bucket.

Remove Bucket Policy (if exists):

aws s3api delete-bucket-policy --bucket BUCKET_NAME

Replace BUCKET_NAME with the name of the S3 bucket.

Repeat for Other Trails:
- If there are multiple CloudTrail trails with publicly accessible S3 buckets, repeat the above steps for each of them.

These steps will remove public access from the S3 buckets associated with the CloudTrail trails using the AWS CLI. Ensure that you have appropriate IAM permissions to modify S3 bucket ACLs and policies.

Using Python

Here’s a Python script to identify and remediate CloudTrail trails with publicly accessible S3 buckets:

import boto3

class CloudTrailChecker:
    def __init__(self):
        self.cloudtrail_client = boto3.client('cloudtrail')
        self.s3_client = boto3.client('s3')

    def get_publicly_accessible_trails(self):
        failures = []
        response = self.cloudtrail_client.describe_trails()
        for trail in response['trailList']:
            if self.is_trail_public(trail):
                failures.append(trail)
        return failures

    def is_trail_public(self, trail):
        bucket_name = trail.get("S3BucketName", "")
        bucket_acl = self.s3_client.get_bucket_acl(Bucket=bucket_name)
        bucket_policy = self.s3_client.get_bucket_policy(Bucket=bucket_name)
        
        for grant in bucket_acl.get("Grants", []):
            if grant.get("Grantee", {}).get("URI", "") in [
                "http://acs.amazonaws.com/groups/global/AllUsers",
                "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
            ] and grant.get("Permission", None) == "FULL_CONTROL":
                return True
        
        statements = bucket_policy.get("Policy", {}).get("Statement", [])
        for statement in statements:
            if statement.get("Effect", "") == "Allow" and statement.get("Principal", "") == "*":
                return True
        
        return False

    def remediate_public_trail(self, trail_name):
        bucket_name = self.cloudtrail_client.describe_trails(trailNameList=[trail_name])['trailList'][0]['S3BucketName']
        
        # Remove public access from bucket ACL
        self.s3_client.put_bucket_acl(
            Bucket=bucket_name,
            ACL='private'
        )
        
        # Remove public access from bucket policy
        self.s3_client.delete_bucket_policy(
            Bucket=bucket_name
        )
        
        print(f"Public access has been removed from the CloudTrail trail {trail_name}.")

# Instantiate the class
checker = CloudTrailChecker()

# Get trails with publicly accessible buckets
public_trails = checker.get_publicly_accessible_trails()

# Remediate public trails
for trail in public_trails:
    checker.remediate_public_trail(trail['Name'])

This Python script identifies CloudTrail trails with publicly accessible S3 buckets and provides a placeholder for the remediation logic. You would need to implement the logic to modify the bucket ACL and bucket policy to remove public access.Make sure to have appropriate IAM permissions for managing CloudTrail trails if you’re using AWS CLI or Python script.

Additional Reading:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

CloudTrail Logging Buckets Should Not Be Publicly Accessible

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: