CloudTrail logs S3 bucket should not be public accessible
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
The bucket policy or access control list (ACL) applied to the CloudTrail logs S3 bucket should prevent public access to the CloudTrail logs.
Rationale
Allowing public access to CloudTrail log content can help an adversary identify weaknesses in the affected account’s use or configuration.
Perform the following steps to remove public access granted to the bucket through an ACL or S3 bucket policy.
From the console
- Go to Amazon S3 console.
- Right-click on the bucket and click Properties.
- In the Properties pane, click the Permissions tab.
- The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
- Select the row if it grants permission to Everyone or Any Authenticated User.
- Uncheck all the permissions granted to Everyone or Any Authenticated User (click x to delete the row).
- Click Save to save the ACL.
- If the Edit bucket policy button is present, click it.
- Remove any Statement having an
Effect
set to Allow
and a Principal
set to "*"
or {"AWS" : "*"}
.
Default value
By default, S3 buckets are not publicly accessible.
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html