AWS CloudTrail S3 Bucket Access Logging
This policy validates that the S3 bucket receiving CloudTrail logs is configured with S3 server access logging. With access logging enabled, every creation, modification, or deletion of the CloudTrail audit log objects is itself recorded, so tampering with the audit trail leaves a trace.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1530 Data from Cloud Storage |
Rule body

```yaml
AnalysisType: policy
Filename: aws_cloudtrail_s3_bucket_access_logging.py
PolicyID: "AWS.CloudTrail.S3Bucket.AccessLogging"
DisplayName: "AWS CloudTrail S3 Bucket Access Logging"
Enabled: true
ResourceTypes:
  - AWS.CloudTrail
Tags:
  - AWS
  - Data Protection
  - Collection:Data From Cloud Storage Object
Reports:
  CIS:
    - 2.6
  MITRE ATT&CK:
    - TA0009:T1530
Severity: Medium
Description: >
  This policy validates that the bucket receiving CloudTrail Logs is configured with
  S3 Access Logging. This audits all creation, modification, or deletion to CloudTrail audit logs.
Runbook: >
  https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-cloudtrail-s3-bucket-has-access-logging-enabled
Reference: >
  https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
# Unit testing not supported for policies that might make network calls
```
Detection logic
Rule logic (imperative Python)

```python
from panther_aws_helpers import BadLookup, resource_lookup


def policy(resource):
    # Build the ARN of the bucket that receives this trail's log objects
    bucket_arn = "arn:aws:s3:::" + resource["S3BucketName"]
    try:
        bucket = resource_lookup(bucket_arn)
    except BadLookup:
        # Bucket not present in Panther's resource inventory: treated as compliant
        return True
    # Compliant only when S3 server access logging is configured on the bucket
    return bucket["LoggingPolicy"] is not None
```
The parser cannot express this rule's logic as a field filter; the imperative Python above is the detection.
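The YAML above notes that Panther cannot unit-test this policy because `resource_lookup` makes a network call. The following harness is an added example, not Panther's code: it keeps the policy's logic exactly as on the page but makes the lookup injectable, and stands in for `panther_aws_helpers` with a constructed resource table so the three outcomes (logging configured, logging absent, bucket not in inventory) can be exercised offline. The `BadLookup` stand-in, the table contents, and the trail records are all constructed for this example; the assumption that the real helper raises `BadLookup` when the ARN is unknown follows from how the policy catches it.

```python
"""Offline harness for the CloudTrail S3 access-logging policy.

Added example. `panther_aws_helpers` is not importable outside Panther, so
`BadLookup` and `resource_lookup` are replaced with local stand-ins backed
by a constructed in-memory resource table.
"""


class BadLookup(Exception):
    """Stand-in for panther_aws_helpers.BadLookup (constructed)."""


# Constructed inventory keyed by bucket ARN, shaped like the AWS.S3.Bucket
# attributes the policy reads. Only "LoggingPolicy" matters to the check.
RESOURCE_TABLE = {
    "arn:aws:s3:::audit-trail-logged": {
        "Name": "audit-trail-logged",
        "LoggingPolicy": {"TargetBucket": "s3-access-logs", "TargetPrefix": "trail/"},
    },
    "arn:aws:s3:::audit-trail-unlogged": {
        "Name": "audit-trail-unlogged",
        "LoggingPolicy": None,
    },
}


def resource_lookup(arn):
    """Stand-in for panther_aws_helpers.resource_lookup (constructed).

    Assumption: the real helper raises BadLookup for an ARN that is not in
    Panther's resource inventory, which is the case the policy catches.
    """
    if arn not in RESOURCE_TABLE:
        raise BadLookup(arn)
    return RESOURCE_TABLE[arn]


def policy(resource, lookup=resource_lookup):
    """The page's policy logic, with the lookup injectable for offline testing."""
    bucket_arn = "arn:aws:s3:::" + resource["S3BucketName"]
    try:
        bucket = lookup(bucket_arn)
    except BadLookup:
        # Fail-open branch: a bucket Panther cannot resolve is reported as
        # compliant, so an unscanned account or region yields no finding.
        return True
    return bucket["LoggingPolicy"] is not None


def evaluate_trails(trails, lookup=resource_lookup):
    """Run the policy over several AWS.CloudTrail resources; True means compliant."""
    return {trail["Name"]: policy(trail, lookup) for trail in trails}


# Constructed AWS.CloudTrail resources; the policy reads only S3BucketName.
TRAILS = [
    {"Name": "trail-logged", "S3BucketName": "audit-trail-logged"},
    {"Name": "trail-unlogged", "S3BucketName": "audit-trail-unlogged"},
    {"Name": "trail-unknown-bucket", "S3BucketName": "bucket-not-in-inventory"},
]

if __name__ == "__main__":
    for name, compliant in evaluate_trails(TRAILS).items():
        print(f"{name}: {'PASS' if compliant else 'FAIL'}")
```

The third trail shows the behaviour worth knowing when triaging results: a trail whose bucket is missing from Panther's inventory (for example, a bucket in an account or region that is not being scanned) passes the policy rather than raising a finding, so an absence of alerts does not by itself prove that access logging is in place.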