Ensure S3 bucket logging is enabled
Description
Server access logging should be enabled on all S3 buckets for audit trail.
⚠️ Risk Impact
Without access logs, data access patterns cannot be monitored. Unauthorized data exfiltration goes undetected.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
Enable server access logging under the bucket's Properties, with a separate bucket as the log destination.
💀 Real-World Attack Scenario
An insider threat actor downloaded 50,000 customer records from an S3 bucket over a period of 2 months. Without S3 access logging, there was no record of which objects were accessed, when, or by whom. The breach was only discovered when the data appeared for sale on a dark web forum.
💰 Cost of Non-Compliance
Breaches without S3 access logs are undetectable until external notification. Average time to external discovery: 197 days. Forensic investigation without logs costs 3x more: $540K vs $180K.
📋 Audit Questions
1. Which buckets have server access logging disabled?
2. Where are S3 access logs stored?
3. How long are S3 access logs retained?
4. Are S3 access logs analyzed for anomalous access patterns?
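Audit question 4 asks whether the logs are actually analyzed. The following is an added example (not EchelonGraph's code) of the kind of analysis the insider scenario above calls for: it parses the S3 server access log format and counts successful object downloads per requester so that a bulk downloader stands out. The log lines, bucket owner ID, requester IDs and request IDs are constructed for illustration.

```python
"""Parse S3 server access log lines and flag requesters that download
unusually many objects.  Added example; sample log lines are constructed."""
import re
from collections import defaultdict

# Leading columns of an S3 server access log record, in the order S3 writes them.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referer", "user_agent", "version_id",
]

# Fields are space separated, except the bracketed time and quoted strings,
# which contain spaces of their own.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample: USER-A pulls three records, USER-B one; one denied GET
# and one PUT should not count as downloads.
SAMPLE_LOG = """\
OWNERID customer-data [01/Mar/2024:09:00:01 +0000] 198.51.100.7 USER-A 1A2B3C REST.GET.OBJECT records/0001.csv "GET /customer-data/records/0001.csv HTTP/1.1" 200 - 4096 4096 12 8 "-" "aws-cli/2.15.0" -
OWNERID customer-data [01/Mar/2024:09:00:02 +0000] 198.51.100.7 USER-A 1A2B3D REST.GET.OBJECT records/0002.csv "GET /customer-data/records/0002.csv HTTP/1.1" 200 - 4096 4096 11 7 "-" "aws-cli/2.15.0" -
OWNERID customer-data [01/Mar/2024:09:00:03 +0000] 198.51.100.7 USER-A 1A2B3E REST.GET.OBJECT records/0003.csv "GET /customer-data/records/0003.csv HTTP/1.1" 200 - 4096 4096 10 6 "-" "aws-cli/2.15.0" -
OWNERID customer-data [01/Mar/2024:09:05:00 +0000] 203.0.113.9 USER-B 1A2B3F REST.GET.OBJECT records/0004.csv "GET /customer-data/records/0004.csv HTTP/1.1" 200 - 2048 2048 9 5 "-" "Mozilla/5.0" -
OWNERID customer-data [01/Mar/2024:09:06:00 +0000] 203.0.113.9 USER-B 1A2B40 REST.PUT.OBJECT records/0005.csv "PUT /customer-data/records/0005.csv HTTP/1.1" 200 - - 1024 20 15 "-" "Mozilla/5.0" -
OWNERID customer-data [01/Mar/2024:09:07:00 +0000] 198.51.100.7 USER-A 1A2B41 REST.GET.OBJECT secrets/keys.json "GET /customer-data/secrets/keys.json HTTP/1.1" 403 AccessDenied - - 3 2 "-" "aws-cli/2.15.0" -
"""


def parse_line(line: str) -> dict:
    """Split one log record into a dict keyed by FIELDS."""
    tokens = TOKEN_RE.findall(line)
    record = dict(zip(FIELDS, tokens))
    record["time"] = record["time"].strip("[]")
    record["request_uri"] = record["request_uri"].strip('"')
    return record


def summarize_downloads(lines, status: str = "200") -> dict:
    """Count successful REST.GET.OBJECT requests and bytes sent per requester."""
    stats = defaultdict(lambda: {"gets": 0, "bytes": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["operation"] == "REST.GET.OBJECT" and rec["http_status"] == status:
            entry = stats[rec["requester"]]
            entry["gets"] += 1
            # bytes_sent is "-" when nothing was returned
            entry["bytes"] += int(rec["bytes_sent"]) if rec["bytes_sent"] != "-" else 0
    return dict(stats)


def flag_bulk_downloaders(lines, max_gets: int) -> list:
    """Requesters whose successful object downloads exceed max_gets."""
    return sorted(r for r, s in summarize_downloads(lines).items() if s["gets"] > max_gets)


if __name__ == "__main__":
    print(summarize_downloads(SAMPLE_LOG.splitlines()))
    print(flag_bulk_downloaders(SAMPLE_LOG.splitlines(), max_gets=2))
```

In practice the threshold would be a per-principal baseline learned over weeks rather than a fixed count, and the same per-requester grouping works on the S3 data-event records CloudTrail emits when object-level logging is turned on there as well.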
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Logging to the same bucket being logged (creates infinite loop)
- ⛔ Not setting lifecycle policies on log buckets (unbounded cost growth)
- ⛔ Only using CloudTrail for S3 monitoring (misses object-level access details)
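The remediation step and the first two pitfalls above can be checked mechanically. The following added example (not EchelonGraph's scanner) evaluates a bucket's logging configuration in the shape boto3's `get_bucket_logging()` returns, flags logging that is disabled, that targets the bucket itself, or whose target bucket has no lifecycle expiration, and builds the `BucketLoggingStatus` payload that `put_bucket_logging()` expects. The bucket names, lifecycle rules and the `Finding` class are constructed for illustration.

```python
"""Evaluate S3 server access logging configuration the way a compliance
scanner would.  Added example; sample account data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    bucket: str
    severity: str
    message: str


def _has_expiration(rules: Optional[list]) -> bool:
    """True if any enabled lifecycle rule expires objects."""
    return any(r.get("Status") == "Enabled" and "Expiration" in r for r in (rules or []))


def evaluate_logging(bucket: str, logging_cfg: dict,
                     target_lifecycle_rules: Optional[list]) -> list:
    """Findings for one bucket.

    logging_cfg: dict as returned by s3.get_bucket_logging(Bucket=bucket);
                 the 'LoggingEnabled' key is absent when logging is off.
    target_lifecycle_rules: 'Rules' from the *target* bucket's lifecycle
                 configuration, or None when it has none.
    """
    findings = []
    enabled = logging_cfg.get("LoggingEnabled")
    if not enabled:
        findings.append(Finding(bucket, "medium", "server access logging disabled"))
        return findings
    target = enabled.get("TargetBucket")
    if target == bucket:
        findings.append(Finding(bucket, "high",
                                "logs delivered to the bucket being logged (self-logging loop)"))
    if not enabled.get("TargetPrefix"):
        findings.append(Finding(bucket, "low",
                                "no TargetPrefix; logs from several buckets mix in the target"))
    if not _has_expiration(target_lifecycle_rules):
        findings.append(Finding(bucket, "medium",
                                f"log bucket {target} has no lifecycle expiration (unbounded growth)"))
    return findings


def desired_logging_config(bucket: str, log_bucket: str) -> dict:
    """BucketLoggingStatus payload for put_bucket_logging(): separate target, per-bucket prefix."""
    return {"LoggingEnabled": {"TargetBucket": log_bucket, "TargetPrefix": f"{bucket}/"}}


def audit_account(account: dict) -> dict:
    """account maps bucket -> (logging_cfg, target_lifecycle_rules)."""
    return {b: evaluate_logging(b, cfg, rules) for b, (cfg, rules) in account.items()}


# Constructed sample account: one compliant bucket, one unlogged, one self-logging.
SAMPLE_ACCOUNT = {
    "customer-data": (
        {"LoggingEnabled": {"TargetBucket": "central-logs", "TargetPrefix": "customer-data/"}},
        [{"ID": "expire-logs", "Status": "Enabled", "Expiration": {"Days": 365}}],
    ),
    "backups": ({}, None),
    "self-logger": (
        {"LoggingEnabled": {"TargetBucket": "self-logger", "TargetPrefix": ""}},
        None,
    ),
}


def remediate(s3_client, bucket: str, log_bucket: str) -> None:
    """Apply the desired config with a boto3 S3 client (live call, not run here)."""
    s3_client.put_bucket_logging(
        Bucket=bucket, BucketLoggingStatus=desired_logging_config(bucket, log_bucket))


if __name__ == "__main__":
    for bucket, findings in audit_account(SAMPLE_ACCOUNT).items():
        for f in findings:
            print(f"{bucket}: [{f.severity}] {f.message}")
```

Before calling `remediate`, the target bucket must allow the S3 log delivery service to write to it (a bucket policy for the `logging.s3.amazonaws.com` service principal, or the legacy Log Delivery group ACL); otherwise the configuration is accepted but no log objects ever arrive, which is worth a separate check.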
📈 Business Value
S3 access logging provides the forensic evidence needed to scope breaches, identify insider threats, and satisfy audit requirements. It's the minimum viable monitoring for data storage.
⏱️ Effort Estimate
30 minutes per bucket to configure logging
EchelonGraph monitors S3 logging configuration across all buckets
🔗 Cross-Framework References
Automate CIS AWS 2.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.