S3 bucket access logging on CloudTrail target
Description
S3 server access logging is enabled on the S3 bucket that receives CloudTrail log files, with the access logs delivered to a separate bucket.
⚠️ Risk Impact
Without server access logging on the CloudTrail bucket, reads and deletes of the log files themselves go unrecorded: CloudTrail's management-event log does not capture object-level S3 operations such as GetObject or DeleteObject unless S3 data events are explicitly enabled for that bucket. An attacker who reads or deletes the trail's log files to destroy forensic evidence therefore leaves no record of having done so.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Create a dedicated access-log bucket (ideally in a separate logging account), grant the logging.s3.amazonaws.com service principal s3:PutObject on it via bucket policy, then enable logging on the CloudTrail bucket. The --bucket-logging-status document must contain the LoggingEnabled key; the shorthand form is:

aws s3api put-bucket-logging --bucket cloudtrail-bucket --bucket-logging-status 'LoggingEnabled={TargetBucket=access-logs-bucket,TargetPrefix=cloudtrail-bucket/}'

Verify with aws s3api get-bucket-logging --bucket cloudtrail-bucket; a response without a LoggingEnabled block means logging is still off. Note that S3 delivers access logs on a best-effort basis with a delay of up to a few hours, so they complement rather than replace CloudTrail S3 data events for real-time alerting.
💀 Real-World Attack Scenario
An attacker with administrative access deleted CloudTrail log objects to cover their tracks. Because the CloudTrail bucket had no server access logging (and no S3 data events enabled), the DeleteObject calls themselves were never recorded, and forensic reconstruction of the intrusion failed.
💰 Cost of Non-Compliance
Lost forensic evidence: 3-5× incident-investigation cost (Mandiant M-Trends 2024).
📋 Audit Questions
- 1. Is server access logging enabled on the CloudTrail bucket?
- 2. Are the access logs delivered to a separate bucket in a separate account?
- 3. Is a retention (lifecycle) policy applied to the access-log bucket?
🎯 MITRE ATT&CK Mapping
- T1070.004 Indicator Removal: File Deletion (deleting CloudTrail log objects, as in the scenario above)
- T1562.008 Impair Defenses: Disable or Modify Cloud Logs
⚡ Common Pitfalls
- ⛔ No server access logging on the CloudTrail bucket
- ⛔ Access logs written to the same bucket as the CloudTrail logs
- ⛔ No retention (lifecycle) policy on the access-log bucket
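The audit questions and pitfalls above can be evaluated mechanically. The following is an added example, not EchelonGraph's scanner code, that checks a trail's S3 bucket for the three conditions (logging enabled, separate target bucket and account, lifecycle retention) and additionally for CloudTrail log file validation, which is not on this page but is what lets you prove a log file was deleted or modified. It works on API responses in the shape boto3 returns them; the responses embedded below are constructed sample data, so it runs offline. To run it for real, feed it the output of cloudtrail.describe_trails(), s3.get_bucket_logging(Bucket=...) and s3.get_bucket_lifecycle_configuration(Bucket=...)["Rules"] (the last call raises NoSuchLifecycleConfiguration when no rules exist; pass None in that case).

```python
"""Offline audit of S3 server access logging on a CloudTrail log bucket.

Added example, not the page's or EchelonGraph's own code. Inputs mirror
boto3 response shapes; the sample data at the bottom is constructed.
"""
from typing import Optional


def audit_trail_bucket(trail: dict, logging_status: dict,
                       target_lifecycle_rules: Optional[list],
                       trail_account_id: str,
                       target_bucket_account_id: Optional[str]) -> list:
    """Return a list of finding strings; an empty list means the control passes.

    trail                    -- one entry of describe_trails()["trailList"]
    logging_status           -- get_bucket_logging() response for the trail bucket
    target_lifecycle_rules   -- lifecycle Rules of the access-log bucket, or None
    trail_account_id         -- account that owns the CloudTrail bucket
    target_bucket_account_id -- account that owns the access-log bucket, or None
    """
    findings = []
    src = trail["S3BucketName"]
    enabled = logging_status.get("LoggingEnabled")

    if not enabled:
        # GetBucketLogging omits the LoggingEnabled key when logging is off.
        findings.append(f"{src}: server access logging disabled")
    else:
        target = enabled["TargetBucket"]
        if target == src:
            # Logging a bucket into itself records its own log deliveries
            # and leaves the access log in the attacker's reach.
            findings.append(f"{src}: access logs written to the same bucket")
        if target_bucket_account_id is None or target_bucket_account_id == trail_account_id:
            findings.append(f"{target}: access-log bucket not in a separate account")
        # Retention: at least one enabled lifecycle rule with an Expiration.
        rules = target_lifecycle_rules or []
        if not any(r.get("Status") == "Enabled" and "Expiration" in r for r in rules):
            findings.append(f"{target}: no lifecycle expiration (retention) rule")

    if not trail.get("LogFileValidationEnabled"):
        # Digest files are what prove a delivered log file was later removed.
        findings.append(f"{trail['Name']}: log file validation disabled")
    return findings


# --- constructed sample data (no real account) -----------------------------
TRAIL = {"Name": "org-trail", "S3BucketName": "cloudtrail-bucket",
         "LogFileValidationEnabled": False}
LOGGING_OFF = {}  # shape returned when logging is disabled
LOGGING_SELF = {"LoggingEnabled": {"TargetBucket": "cloudtrail-bucket",
                                   "TargetPrefix": "logs/"}}
LOGGING_GOOD = {"LoggingEnabled": {"TargetBucket": "access-logs-bucket",
                                   "TargetPrefix": "cloudtrail-bucket/"}}
RETAIN_365 = [{"ID": "expire-access-logs", "Status": "Enabled",
               "Filter": {"Prefix": ""}, "Expiration": {"Days": 365}}]


def example_logging_off() -> list:
    return audit_trail_bucket(TRAIL, LOGGING_OFF, None, "111111111111", None)


def example_self_logging() -> list:
    return audit_trail_bucket(TRAIL, LOGGING_SELF, None, "111111111111", "111111111111")


def example_compliant() -> list:
    trail = dict(TRAIL, LogFileValidationEnabled=True)
    return audit_trail_bucket(trail, LOGGING_GOOD, RETAIN_365,
                              "111111111111", "222222222222")


if __name__ == "__main__":
    for name, fn in [("logging off", example_logging_off),
                     ("self logging", example_self_logging),
                     ("compliant", example_compliant)]:
        print(f"{name}: {fn() or ['PASS']}")
```

The separate-account check relies on you looking up the owner of the target bucket yourself (for example via s3.get_bucket_ownership_controls or the account the credentials belong to); S3 does not report it in the logging status.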
📈 Business Value
Access logging on the logging bucket closes the blind spot in which tampering with the audit trail itself goes unrecorded, so an investigation can establish who read or deleted the evidence and when.
⏱️ Effort Estimate
10 minutes per bucket
EchelonGraph monitors logging configuration
🔗 Cross-Framework References
Automate CIS AWS 3.3 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →