🟠 CIS AWS 3.6 | Rule: CIS-AWS-3-6 | Severity: high

S3 Object Lock on CloudTrail bucket

Description

S3 Object Lock enabled on CloudTrail logs bucket for tamper-resistant retention.

⚠️ Risk Impact

Without Object Lock, an admin can delete CloudTrail log objects to cover their tracks. Object Lock prevents deletion regardless of permission level.

🔍 How EchelonGraph Detects This

CIS-AWS-3-6: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Run `aws s3api put-object-lock-configuration` against the CloudTrail bucket. Use Compliance mode with a retention period at or above the applicable compliance minimum (PCI: 1 year, HIPAA: 6 years).

💀 Real-World Attack Scenario

An attacker compromised an admin account and deleted the CloudTrail logs covering the period of their activity. Without Object Lock, the deletion succeeded and forensic timeline reconstruction failed. With Object Lock, the deletion would have been blocked.

💰 Cost of Non-Compliance

Log tampering during breach: $2-5M additional forensic cost (Mandiant).

📋 Audit Questions

  1. Object Lock on CloudTrail bucket?
  2. Compliance mode?
  3. Retention period meets requirements?

🎯 MITRE ATT&CK Mapping

T1070 — Indicator Removal on Host

⚡ Common Pitfalls

  • Object Lock not enabled on log buckets
  • Governance mode used (admin can override)
  • Retention period too short
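As an added example (not EchelonGraph's scanner code), the Python below evaluates a bucket's Object Lock configuration, in the JSON shape returned by `aws s3api get-object-lock-configuration`, against the three audit questions and the three pitfalls listed above, and builds the `put-object-lock-configuration` command from the Remediation section. The sample configurations, the bucket name and the `FRAMEWORK_MIN_YEARS` table are constructed for illustration; treating a `Years` retention value as 365 days is an assumption of this example. No AWS SDK is used, so it runs offline; a real check would feed it the CLI output for each log bucket.

```python
"""Added example (not EchelonGraph code): check an S3 Object Lock configuration
for a CloudTrail bucket against CIS AWS 3.6, and build the remediation command.

Input shape is the JSON returned by `aws s3api get-object-lock-configuration`.
The sample configurations below are constructed for illustration.
"""
import json
import shlex
from typing import Dict, List, Optional

# Minimum retention in years cited on this page per framework (constructed table).
FRAMEWORK_MIN_YEARS = {"PCI": 1, "HIPAA": 6}


def retention_days(default_retention: dict) -> int:
    """Normalise a DefaultRetention block (Days or Years) to days.
    Assumption for this example: one Years unit equals 365 days."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def evaluate_object_lock(config: Optional[dict], min_years: int) -> List[str]:
    """Return a list of findings; an empty list means the bucket passes.
    `config` is the parsed get-object-lock-configuration output, or None when
    the call failed with ObjectLockConfigurationNotFoundError (lock not enabled)."""
    findings: List[str] = []
    lock = (config or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock not enabled on log bucket"]
    retention = lock.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return ["No default retention rule: newly written objects are not locked"]
    mode = retention.get("Mode", "UNSET")
    if mode != "COMPLIANCE":
        # Governance mode can be bypassed by a principal holding
        # s3:BypassGovernanceRetention, so it does not stop a compromised admin.
        findings.append(f"{mode} mode used (admin can override)")
    have, need = retention_days(retention), min_years * 365
    if have < need:
        findings.append(f"Retention period too short: {have} days < {need} days")
    return findings


def remediation_command(bucket: str, years: int) -> str:
    """Build the `aws s3api put-object-lock-configuration` call from the
    Remediation section. Bucket versioning must already be on, and the default
    retention applies only to objects written after the rule is set."""
    lock_config = {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": years}},
    }
    return " ".join([
        "aws", "s3api", "put-object-lock-configuration",
        "--bucket", shlex.quote(bucket),
        "--object-lock-configuration", shlex.quote(json.dumps(lock_config)),
    ])


def _cfg(mode: str, **period) -> dict:
    return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                        "Rule": {"DefaultRetention": {"Mode": mode, **period}}}}


# Constructed sample responses mirroring the Common Pitfalls above.
SAMPLES: Dict[str, Optional[dict]] = {
    "no-lock": None,                                  # pitfall 1
    "governance-1yr": _cfg("GOVERNANCE", Years=1),    # pitfall 2
    "compliance-90d": _cfg("COMPLIANCE", Days=90),    # pitfall 3
    "compliance-6yr": _cfg("COMPLIANCE", Years=6),    # compliant for PCI and HIPAA
}


def audit(samples: Dict[str, Optional[dict]], min_years: int) -> Dict[str, List[str]]:
    """Run the check over every bucket configuration and collect findings."""
    return {name: evaluate_object_lock(cfg, min_years) for name, cfg in samples.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLES, FRAMEWORK_MIN_YEARS["HIPAA"]).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}", *findings, sep="\n  ")
    print(remediation_command("example-cloudtrail-logs", FRAMEWORK_MIN_YEARS["HIPAA"]))
```

Two points the check makes visible: a default retention rule only locks objects written after it is applied, so older log objects still need to be covered separately, and a Compliance-mode retention cannot be shortened or removed once set, so the period should be chosen deliberately before running the remediation command.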

📈 Business Value

Tamper-proof log retention is foundational to forensic capability.

⏱️ Effort Estimate

Manual: 30 minutes

With EchelonGraph: EchelonGraph monitors Object Lock on log buckets

🔗 Cross-Framework References

  • PCI-10.5
  • HIPAA-164.316(b)

Automate CIS AWS 3.6 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
