How to set access log output for access log output bucket

0

We are considering support for Security Hub. In order to clear the check of S3.9, I prepared a bucket for access log output and set it to output access log there. However, the check cannot be cleared because the access log output setting of the access log output bucket has not been set. How can I clear this check? If possible, I would like to solve it in a way that does not ignore it.

[S3.9] This control checks if an Amazon S3 Bucket has server access logging enabled to a chosen target bucket.

4 answers
1
  • Thank you for your answer. I checked the documentation but didn't find the answer I expected.

0
Accepted answer

Ultimately, at some point, you'll have a bucket that does not have access logging enabled because you'll always have a circular reference and then a runaway increase in logging.

Best practice is to lock down the bucket to which those access logs are being written by using version history, MFA on Delete, restricting access to service roles (which does not include delete actions) from systems where the logs can be accessed (e.g. SIEM, Amazon Redshift, Amazon OpenSearch, or other data warehouse/visualization solution).

You will still have AWS CloudTrail logs which can also help identify access requests to the bucket to provide some level of access monitoring. Finally, the AWS Documentation on [S3.9] S3 bucket server access logging should be enabled explicitly states:

"The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket."

AWS
Answered 2 years ago
  • Thank you for your answer. I see that I can suppress the log bucket. (Select the bucket and click on the Workflow status button, then Suppressed)

0

Check this blog and also make sure that the permissions through bucket policies and/or ACLs are not blocking.

https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/

AWS
Answered 2 years ago
  • Sorry I didn't ask the question well. I am not having trouble with how to output the access log, but rather where to output the access log for the bucket that collects the access log.

    source bucket    target bucket for access log
    Bucket-A         Log-Bucket
    Bucket-B         Log-Bucket
    Log-Bucket       ?????
0

You could set it up to any bucket of your choice, is there any trouble with that?

AWS
Answered 2 years ago
  • I am concerned about the following cases.

    1. Access Bucket-A (access to Bucket-A occurs)
    2. Access log to Bucket-A is output to Log-Bucket (access to Log-Bucket occurs)
    3. Access log to Log-Bucket is output to Log-Bucket2 (access to Log-Bucket2 occurs)
    4. Access log to Log-Bucket2 is output to Log-Bucket3 (access to Log-Bucket3 occurs)

    Wouldn't it be an infinite loop like this?
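The following Python script is an added example, not code from the original thread or from AWS. It models the commenter's source-to-target table as a small graph to show why the chain must end somewhere (the terminal log bucket is exactly the one that will fail S3.9, and a self-logging or cyclic setup is the "infinite loop" the commenter worries about), and it builds the two payloads the accepted answer implies: a bucket policy for the log bucket that lets only the S3 log delivery service write and gives a consumer role read-only access (no delete actions), and a Security Hub BatchUpdateFindings request that suppresses the S3.9 finding on that bucket. The bucket names, account id, role ARN and finding id are constructed placeholders; no AWS API is called, but the dicts are in the shape boto3's `s3.put_bucket_policy(Policy=json.dumps(...))` and `securityhub.batch_update_findings(**request)` accept.

```python
"""Plan the S3 server access logging layout for the thread's example (added example)."""
import json

# Constructed sample: the commenter's table. None = no logging target.
LOGGING_MAP = {
    "Bucket-A": "Log-Bucket",
    "Bucket-B": "Log-Bucket",
    "Log-Bucket": None,   # terminal bucket: logging stops here
}


def classify_logging_map(logging_map):
    """Return (terminal_buckets, looping_sources).

    terminal_buckets: buckets with no logging target. They will fail S3.9 and
    are the ones to suppress. looping_sources: buckets whose chain never reaches
    a terminal bucket (logging to itself or into a cycle), which would generate
    log-of-log writes without end.
    """
    terminals = sorted(b for b, t in logging_map.items() if t is None)
    loops = []
    for start in logging_map:
        seen, cur = set(), start
        while cur is not None:
            if cur in seen:
                loops.append(start)
                break
            seen.add(cur)
            cur = logging_map.get(cur)   # a target not in the map counts as terminal
    return terminals, sorted(loops)


def build_log_bucket_policy(log_bucket, source_buckets, account_id, reader_role_arn,
                            prefix="Logs/"):
    """Policy for the log target bucket: S3 log delivery may write, scoped to our
    own source buckets and account; a consumer role may only read and list."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3ServerAccessLogsPolicy",
                "Effect": "Allow",
                "Principal": {"Service": "logging.s3.amazonaws.com"},
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{log_bucket}/{prefix}*",
                "Condition": {
                    "ArnLike": {"aws:SourceArn": [f"arn:aws:s3:::{b}" for b in sorted(source_buckets)]},
                    "StringEquals": {"aws:SourceAccount": account_id},
                },
            },
            {
                "Sid": "ReadOnlyForLogConsumers",
                "Effect": "Allow",
                "Principal": {"AWS": reader_role_arn},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{log_bucket}", f"arn:aws:s3:::{log_bucket}/*"],
            },
        ],
    }


def policy_grants_delete(policy):
    """True if any Allow statement includes a delete action (or s3:*)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(a == "s3:*" or a.startswith("s3:Delete") for a in actions):
            return True
    return False


def build_suppression_request(finding_id, product_arn, log_bucket):
    """BatchUpdateFindings request that marks the S3.9 finding on the log bucket
    as SUPPRESSED, with a note recording why (per the S3.9 control documentation)."""
    return {
        "FindingIdentifiers": [{"Id": finding_id, "ProductArn": product_arn}],
        "Workflow": {"Status": "SUPPRESSED"},
        "Note": {
            "Text": f"{log_bucket} is the server access log target bucket; "
                    "S3.9 documentation says the target bucket does not need "
                    "logging enabled and findings for it should be suppressed.",
            "UpdatedBy": "security-team",
        },
    }


if __name__ == "__main__":
    terminals, loops = classify_logging_map(LOGGING_MAP)
    print("terminal log buckets (suppress S3.9 here):", terminals)
    print("looping sources (must be fixed):", loops)
    policy = build_log_bucket_policy(
        "Log-Bucket", ["Bucket-A", "Bucket-B"], "111111111111",
        "arn:aws:iam::111111111111:role/log-reader")   # placeholder account and role
    print(json.dumps(policy, indent=2))
    print("policy grants delete:", policy_grants_delete(policy))
    # Placeholder finding id / product ARN; real values come from GetFindings.
    print(json.dumps(build_suppression_request(
        "PLACEHOLDER-FINDING-ID", "PLACEHOLDER-PRODUCT-ARN", "Log-Bucket"), indent=2))
```

Versioning on the log bucket is a separate `put_bucket_versioning` call, and MFA Delete can only be turned on with the root user's MFA device, so neither is modelled here. The policy deliberately grants no delete action to the reader role, which is the "restricting access to service roles (which does not include delete actions)" point from the accepted answer.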
