CloudTrail's S3 Bucket Access Logging Enabled Check

A config rule that evaluates whether access logging is enabled on the CloudTrail S3 bucket and the S3 bucket is not publicly accessible.

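AWSTemplateFormatVersion: "2010-09-09"
Description: "Custom AWS Config rule: the CloudTrail S3 bucket must have server access logging enabled and must not be publicly accessible via its ACL."
Resources:
  # Custom Config rule backed by the Lambda function below. It is triggered by
  # configuration changes to any trail or any S3 bucket in the account/region;
  # on every trigger the function re-evaluates every trail in the region.
  CustomConfigRule:
    Type: "AWS::Config::ConfigRule"
    Properties:
      ConfigRuleName: "cloudtrail_s3_access_logging"
      Scope:
        ComplianceResourceTypes:
          - "AWS::CloudTrail::Trail"
          - "AWS::S3::Bucket"
      Description: "A config rule that evaluates whether access logging is enabled on the CloudTrail S3 bucket and the S3 bucket is not publicly accessible."
      Source:
        Owner: "CUSTOM_LAMBDA"
        SourceIdentifier:
          Fn::GetAtt:
            - "LambdaFunctionCustomConfigRule"
            - "Arn"
        SourceDetails:
          - EventSource: "aws.config"
            MessageType: "ConfigurationItemChangeNotification"
          - EventSource: "aws.config"
            MessageType: "OversizedConfigurationItemChangeNotification"
    # Config must be allowed to invoke the function before the rule is created,
    # otherwise rule creation fails with an invocation-permission error.
    DependsOn: "LambdaInvokePermissionsCustomConfigRule"

  # Resource-based policy letting the Config service invoke the evaluation function.
  LambdaInvokePermissionsCustomConfigRule:
    Type: "AWS::Lambda::Permission"
    Properties:
      FunctionName:
        Fn::GetAtt:
          - "LambdaFunctionCustomConfigRule"
          - "Arn"
      Action: "lambda:InvokeFunction"
      Principal: "config.amazonaws.com"

  # Evaluation function. Inline code is a literal block scalar so the Python can
  # be read (and quoted) as written; the original Fn::Join form embedded unescaped
  # single quotes inside single-quoted Python strings, which is a SyntaxError.
  LambdaFunctionCustomConfigRule:
    Type: "AWS::Lambda::Function"
    Properties:
      FunctionName: "LambdaForcloudtrail_s3_access_logging"
      Handler: "index.lambda_handler"
      Role:
        Fn::GetAtt:
          - "LambdaIamRoleCustomConfigRule"
          - "Arn"
      # python2.7 is end-of-life and can no longer be used for new functions.
      Runtime: "python3.12"
      Code:
        ZipFile: |
          import datetime

          import boto3

          # ACL grantee URIs that make a grant "public": anonymous users and any AWS account.
          PUBLIC_GRANTEE_MARKERS = ('AllUsers', 'AuthenticatedUsers')
          PUBLIC_PERMISSIONS = ('READ', 'FULL_CONTROL')


          def is_bucket_acl_public(s3, bucket_name):
              """Return True if the bucket ACL grants READ or FULL_CONTROL to a public group.

              NOTE: only the bucket ACL is inspected. A bucket policy that allows
              public access, or a missing Public Access Block, is not evaluated here.
              """
              for grant in s3.get_bucket_acl(Bucket=bucket_name)['Grants']:
                  grantee_uri = grant['Grantee'].get('URI', '')
                  is_public_grantee = any(marker in grantee_uri for marker in PUBLIC_GRANTEE_MARKERS)
                  if grant['Permission'] in PUBLIC_PERMISSIONS and is_public_grantee:
                      return True
              return False


          def has_access_logging(s3, bucket_name):
              """Return True if server access logging is configured on the bucket."""
              return 'LoggingEnabled' in s3.get_bucket_logging(Bucket=bucket_name)


          def evaluate_trail(trail, s3):
              """Evaluate one trail's S3 bucket.

              Returns (resource_type, resource_id, is_compliant, annotation).
              """
              bucket_name = trail.get('S3BucketName')
              if not bucket_name:
                  # Nothing to inspect. Report against the trail itself: Config rejects an
                  # empty ComplianceResourceId, and a trail without a bucket is not compliant.
                  return ('AWS::CloudTrail::Trail', trail.get('Name', ''), False,
                          'CloudTrail is not integrated with S3.')

              findings = []
              try:
                  if is_bucket_acl_public(s3, bucket_name):
                      findings.append("The CloudTrail S3 bucket '{}' is publicly accessible.".format(bucket_name))
                  if not has_access_logging(s3, bucket_name):
                      findings.append("The CloudTrail S3 bucket '{}' does not have logging enabled.".format(bucket_name))
              except Exception as ex:
                  # A lookup failure (e.g. AccessDenied on a bucket owned by another account)
                  # is reported as NON_COMPLIANT rather than silently treated as a pass.
                  print(ex)
                  findings.append("There was an error looking up CloudTrail S3 bucket '{}'.".format(bucket_name))

              if findings:
                  return ('AWS::S3::Bucket', bucket_name, False, ' '.join(findings))
              return ('AWS::S3::Bucket', bucket_name, True,
                      "Access logging is enabled on the CloudTrail S3 bucket '{}' and the S3 bucket is not publicly accessible.".format(bucket_name))


          def lambda_handler(event, context):
              """Config rule entry point: evaluate every trail in the current region."""
              cloudtrail = boto3.client('cloudtrail')
              s3 = boto3.client('s3')
              config = boto3.client('config')
              result_token = event.get('resultToken', 'No token found.')

              for trail in cloudtrail.describe_trails(includeShadowTrails=False)['trailList']:
                  resource_type, resource_id, is_compliant, annotation = evaluate_trail(trail, s3)
                  evaluation = {
                      'ComplianceResourceType': resource_type,
                      'ComplianceResourceId': resource_id,
                      'ComplianceType': 'COMPLIANT' if is_compliant else 'NON_COMPLIANT',
                      'OrderingTimestamp': datetime.datetime.now(),
                  }
                  if annotation:
                      evaluation['Annotation'] = annotation
                  config.put_evaluations(Evaluations=[evaluation], ResultToken=result_token)
      Timeout: 300
    DependsOn: "LambdaIamRoleCustomConfigRule"

  # Execution role: read-only access to CloudTrail and S3, plus the managed
  # policies needed to write evaluations to Config and logs to CloudWatch.
  LambdaIamRoleCustomConfigRule:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "IAMRoleForcloudtrail_s3_access_loggingllM"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess"
        - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        - "arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole"
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies: []
Parameters: {}
Metadata: {}
Conditions: {}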

Rule Parameters

No rule parameters
