En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

How to set access log output for access log output bucket

0

We are considering support for Security Hub. In order to clear the check of S3.9, I prepared a bucket for access log output and set it to output access log there. However, the check cannot be cleared because the access log output setting of the access log output bucket has not been set. How can I clear this check? If possible, I would like to solve it in a way that does not ignore it.

[S3.9] This control checks if an Amazon S3 Bucket has server access logging enabled to a chosen target bucket.

Sujets
Sécurité, identité et conformitéFramework AWS Well-Architected
Balises
Hub de sécurité AWSSécurité
Langue
English
profile picture
moritalous
demandé il y a 2 ans307 vues
4 réponses
1

Did you check this documentation

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-9-remediation

AWS
AWS-User-2036647
répondu il y a 2 ans
  • moritalous
    il y a 2 ans

    thank you for your answer. I checked the documentation but didn't find the answer I expected.

0
Réponse acceptée

Ultimately, at some point, you'll have a bucket that does not have access logging enabled because you'll always have a circular reference and then a runaway increase in logging.

Best practice is to lock down the bucket to which those access logs are being written by using version history, MFA on Delete, restricting access to service roles (which does not include delete actions) from systems where the logs can be accessed (e.g. SIEM, Amazon Redshift, Amazon OpenSearch, or other data warehouse/visualization solution).

You will still have AWS Cloudtrail logs which can also help identify access requests to the bucket to provide some level of access monitoring. Finally, the AWS Documentation on [S3.9] S3 bucket server access logging should be enabled explicitly states:

"The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket."

AWS
Allison_P
répondu il y a 2 ans
  • moritalous
    il y a 2 ans

    Thank you for your answer. I see that I can suppress the log bucket. (Select the bucket and click on the Workflow status button, then Suppressed)

0

Check this blog and also make sure that the permissions through bucket policies and/or ACL is not blocking.

https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/

AWS
AWS-User-2036647
répondu il y a 2 ans
  • moritalous
    il y a 2 ans

    Sorry I didn't ask the question well. I am not having trouble with how to output the access log, but rather where to output the access log for the bucket that collects the access log.

    source buckettarget bucket for access log
    Bucket-ALog-Bucket
    Bucket-BLog-Bucket
    Log-Bucket?????
0

You could set it up to any bucket of your choice, is there any trouble with that?

AWS
AWS-User-2036647
répondu il y a 2 ans
  • moritalous
    il y a 2 ans

    I am concerned about the following cases.

    1. Access Bucket-A (access to Bucket-A occurs)
    2. Access log to Bucket-A is output to Log-Bucket (access to Log-Bucket occurs)
    3. Access log to Log-Bucket is output to Log-Bucket2 (access to Log-Bucket2 occurs)
    4. Access log to Log-Bucket2 is output to Log-Bucket3 (access to Log-Bucket3 occurs)

    Wouldn't it be an infinite loop like this?

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents