Object-level logging should be enabled for S3 bucket read events


Description

S3 object-level API operations (for example GetObject, PutObject, and DeleteObject) are classified as data events, which CloudTrail does not log by default. Enabling object-level logging for S3 buckets is recommended to meet data compliance requirements, perform comprehensive security analysis, and monitor user behavior patterns; it also allows immediate action on object-level API activity through Amazon CloudWatch Events.

Remediation

To satisfy this check, a multi-region CloudTrail trail should be created that logs S3 object-level read events, using either Advanced or Basic Field Selectors.

Advanced Field Selectors:

```json
[
    {
        "field": "eventCategory",
        "equals": ["Data"]
    },
    {
        "field": "resources.type",
        "equals": ["AWS::S3::Object"]
    },
    {
        "field": "readOnly",
        "equals": ["true"]
    }
]
```

Basic Field Selectors: a data resource `{ "type": "AWS::S3::Object", "values": ["arn:aws:s3"] }` together with `{ "read_write_type": "readOnly" }` (or `all`).

Additional fields such as eventType should not be used, as they narrow the scope of what is logged. For instructions on enabling object-level logging for S3 buckets in CloudTrail, refer to the AWS CloudTrail User Guide on Logging Data Events.
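As an added example (not code from this page or from AWS), the following Python evaluates trail configurations against this check: a trail passes only if it is multi-region and carries an advanced selector (eventCategory=Data, resources.type=AWS::S3::Object, readOnly true or omitted, no extra narrowing fields) or a basic selector (ReadOnly/All on the bare `arn:aws:s3` prefix). The input shape mirrors boto3's `describe_trails()` / `get_event_selectors()` responses, and the sample trails are constructed for illustration.

```python
from typing import Any

# Fields a compliant advanced selector may use; anything else (eventType, eventName, ...)
# narrows the logging scope and fails the check.
ALLOWED_FIELDS = {"eventCategory", "resources.type", "readOnly"}


def advanced_selector_covers_s3_reads(selector: dict[str, Any]) -> bool:
    """Advanced selector logs every S3 object read (readOnly omitted => reads and writes)."""
    # Assumption: only the Equals operator is honoured; other operators count as narrowing.
    fields = {fs["Field"]: set(fs.get("Equals", []))
              for fs in selector.get("FieldSelectors", [])}
    if set(fields) - ALLOWED_FIELDS:
        return False
    return (fields.get("eventCategory") == {"Data"}
            and fields.get("resources.type") == {"AWS::S3::Object"}
            and fields.get("readOnly", {"true"}) == {"true"})


def basic_selector_covers_s3_reads(selector: dict[str, Any]) -> bool:
    """Basic selector logs reads for all S3 objects: ReadOnly/All plus the bare arn:aws:s3 prefix."""
    if selector.get("ReadWriteType") not in ("ReadOnly", "All"):
        return False
    return any(res.get("Type") == "AWS::S3::Object" and "arn:aws:s3" in res.get("Values", [])
               for res in selector.get("DataResources", []))


def trail_satisfies_check(trail: dict[str, Any]) -> bool:
    """Pass only for a multi-region trail with at least one selector covering S3 reads."""
    if not trail.get("IsMultiRegionTrail"):
        return False
    return (any(advanced_selector_covers_s3_reads(s) for s in trail.get("AdvancedEventSelectors", []))
            or any(basic_selector_covers_s3_reads(s) for s in trail.get("EventSelectors", [])))


# Constructed sample trails; keys mirror describe_trails / get_event_selectors responses.
S3_OBJECT = {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}
DATA = {"Field": "eventCategory", "Equals": ["Data"]}
SAMPLE_TRAILS = {
    "compliant-advanced": {"IsMultiRegionTrail": True, "AdvancedEventSelectors": [
        {"FieldSelectors": [DATA, S3_OBJECT, {"Field": "readOnly", "Equals": ["true"]}]}]},
    "narrowed-by-eventtype": {"IsMultiRegionTrail": True, "AdvancedEventSelectors": [
        {"FieldSelectors": [DATA, S3_OBJECT, {"Field": "eventType", "Equals": ["AwsApiCall"]}]}]},
    "compliant-basic": {"IsMultiRegionTrail": True, "EventSelectors": [
        {"ReadWriteType": "All", "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
    "single-region": {"IsMultiRegionTrail": False, "EventSelectors": [
        {"ReadWriteType": "ReadOnly", "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
}
RESULTS = {name: trail_satisfies_check(t) for name, t in SAMPLE_TRAILS.items()}
```

To run it against a real account, feed each trail from `describe_trails()` merged with its `get_event_selectors()` output into `trail_satisfies_check`.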
