Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

2.3 Logging (AWS CIS Benchmark).


CloudTrail records the API calls made in your AWS account and delivers the log files to an S3 bucket. Those files reveal which principals did what, from where and to which resources, so a publicly readable log bucket hands an attacker a complete map of the account's activity.

It is recommended that the bucket policy and access control list (ACL) applied to the S3 bucket CloudTrail writes to grant no access to the public (the "Everyone" and "Any Authenticated User" groups, or a wildcard principal), so that the CloudTrail logs cannot be read by anyone outside the account.

Remediation: remove any public access that has been granted to the bucket, whether through its ACL or its bucket policy, using the AWS Management Console as follows.

Step 1. Go to the Amazon S3 console at https://console.aws.amazon.com/s3/home.

Step 2. Right-click on the bucket and click on Properties.

Step 3. In the "Properties" pane, click on the Permissions tab. The tab lists the grants in the bucket ACL, one row per grant; each row identifies the grantee and the permissions granted to it.

Step 4. Select the row that grants permission to "Everyone" or "Any Authenticated User."

Step 5. Uncheck all the permissions granted to "Everyone" or "Any Authenticated User" (click on x to delete the row).

Step 6. Click Save to save the ACL.

Step 7. If the "Edit bucket policy" button is present, click on it.

Step 8. Remove any Statement that has an Effect set to "Allow" and a Principal set to "*" or {"AWS": "*"}, then save the policy. Keep the statements whose Principal is the CloudTrail service ({"Service": "cloudtrail.amazonaws.com"}); CloudTrail needs those to check the bucket ACL and write log files.
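The console steps above can be checked and remediated programmatically. The following is an added example, not part of the CIS benchmark text, that performs Steps 4 to 8 on the documents boto3 returns from get_bucket_acl() and get_bucket_policy(): it flags ACL grants to the "Everyone" (AllUsers) and "Any Authenticated User" (AuthenticatedUsers) groups and Allow statements with a wildcard Principal, and produces the cleaned ACL and policy. The ACL, the policy, the bucket name example-cloudtrail-logs and the account ID are constructed samples; the policy deliberately keeps the two standard CloudTrail statements so the example shows they survive the cleanup.

```python
"""Added example: find and strip public access on a CloudTrail log bucket.

SAMPLE_ACL and SAMPLE_POLICY are constructed in the shape boto3 returns from
get_bucket_acl() and json.loads(get_bucket_policy()["Policy"]); the bucket
name and account ID are hypothetical.
"""
import copy
import json

# S3 group URIs behind the console labels "Everyone" and "Any Authenticated User"
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any Authenticated User",
}

# Constructed sample ACL: owner FULL_CONTROL plus a public READ grant (the defect).
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample policy: the two statements CloudTrail requires, plus a public one.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/AWSLogs/123456789012/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/*"},
    ],
}


def _is_public_grant(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS


def public_acl_grants(acl):
    """Return (console label, permission) pairs for grants to the public groups (Step 4)."""
    return [(PUBLIC_GROUP_URIS[g["Grantee"]["URI"]], g.get("Permission"))
            for g in acl.get("Grants", []) if _is_public_grant(g)]


def remediated_acl(acl):
    """Return an AccessControlPolicy (Owner + non-public Grants) for put_bucket_acl (Steps 5-6)."""
    return {"Owner": acl["Owner"],
            "Grants": [g for g in acl.get("Grants", []) if not _is_public_grant(g)]}


def is_public_principal(principal):
    """Match Principal "*" and {"AWS": "*"}, the two forms Step 8 names (also "*" in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def public_policy_statements(policy):
    """Return Allow statements whose Principal is anonymous (Step 8). Deny statements are kept."""
    return [s for s in _statements(policy)
            if s.get("Effect") == "Allow" and is_public_principal(s.get("Principal"))]


def strip_public_statements(policy):
    """Return a copy of the policy with the public Allow statements removed; the input is untouched."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for s in _statements(fixed)
                          if not (s.get("Effect") == "Allow" and is_public_principal(s.get("Principal")))]
    return fixed


if __name__ == "__main__":
    for label, perm in public_acl_grants(SAMPLE_ACL):
        print(f"ACL grants {perm} to {label}")
    for s in public_policy_statements(SAMPLE_POLICY):
        print(f"policy statement {s.get('Sid')} allows {s.get('Action')} to an anonymous principal")
    print(json.dumps(strip_public_statements(SAMPLE_POLICY), indent=2))
```

Against a real account, find the bucket with `aws cloudtrail describe-trails --query 'trailList[].S3BucketName'`, feed `s3.get_bucket_acl(Bucket=name)` and `json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])` to the check functions, and write the results back with `s3.put_bucket_acl(Bucket=name, AccessControlPolicy=remediated_acl(acl))` and `s3.put_bucket_policy(Bucket=name, Policy=json.dumps(fixed))`. A Deny statement with Principal "*" is intentionally left alone, since that is how policies enforce TLS-only access; and enabling S3 Block Public Access on the bucket stops a future ACL or policy from reintroducing the exposure.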