Skip to main content

More Info:

AWS CloudTrail logging buckets should not be publicly accessible. Using an overly permissive or insecure set of permissions for your CloudTrail logging S3 buckets could provide malicious users access to your AWS account log data which can increase exponentially the risk of unauthorized access.

Risk Level

Critical

Address

Security

Compliance Standards

GDPR, HIPAA, CISAWS, CBP, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

  • Remediation

Remediation

Using Console

  1. Sign in to the AWS Management Console.
  2. Navigate to the CloudTrail service.
  3. Select Trails from the navigation pane.
  4. Identify Trails with Publicly Accessible Buckets:
    • Review each trail listed in the CloudTrail console and identify those with publicly accessible S3 buckets.
  5. Review Bucket ACL and Bucket Policy:
    • Click on each trail to view its details.
    • Under the “S3 bucket” section, review the bucket ACL and bucket policy for any grants to “AllUsers” or “AuthenticatedUsers” with “FULL_CONTROL” permission.
  6. Remove Public Access:
    • If there are grants allowing public access, you need to remove them:
      • Modify the bucket ACL to remove any grants allowing public access.
      • Delete the bucket policy if it allows public access.
  7. Repeat for Other Trails:
    • Repeat the above steps for all trails with publicly accessible S3 buckets.

  1. Identify CloudTrail Trails with Publicly Accessible Buckets:
aws cloudtrail describe-trails --query "trailList[?contains(S3BucketName, 'public-accessible-bucket')]" --output json
Replace 'public-accessible-bucket' with the name of the bucket you’re investigating.
  1. Remove Public Access from S3 Bucket ACL:
aws s3api put-bucket-acl --bucket BUCKET_NAME --acl private
Replace BUCKET_NAME with the name of the S3 bucket.
  1. Remove Bucket Policy (if exists):
aws s3api delete-bucket-policy --bucket BUCKET_NAME
Replace BUCKET_NAME with the name of the S3 bucket.
  1. Repeat for Other Trails:
    • If there are multiple CloudTrail trails with publicly accessible S3 buckets, repeat the above steps for each of them.
These steps will remove public access from the S3 buckets associated with the CloudTrail trails using the AWS CLI. Ensure that you have appropriate IAM permissions to modify S3 bucket ACLs and policies.
Here’s a Python script to identify and remediate CloudTrail trails with publicly accessible S3 buckets:
import boto3

class CloudTrailChecker:
    def __init__(self):
        self.cloudtrail_client = boto3.client('cloudtrail')
        self.s3_client = boto3.client('s3')

    def get_publicly_accessible_trails(self):
        failures = []
        response = self.cloudtrail_client.describe_trails()
        for trail in response['trailList']:
            if self.is_trail_public(trail):
                failures.append(trail)
        return failures

    def is_trail_public(self, trail):
        bucket_name = trail.get("S3BucketName", "")
        bucket_acl = self.s3_client.get_bucket_acl(Bucket=bucket_name)
        bucket_policy = self.s3_client.get_bucket_policy(Bucket=bucket_name)
        
        for grant in bucket_acl.get("Grants", []):
            if grant.get("Grantee", {}).get("URI", "") in [
                "http://acs.amazonaws.com/groups/global/AllUsers",
                "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
            ] and grant.get("Permission", None) == "FULL_CONTROL":
                return True
        
        statements = bucket_policy.get("Policy", {}).get("Statement", [])
        for statement in statements:
            if statement.get("Effect", "") == "Allow" and statement.get("Principal", "") == "*":
                return True
        
        return False

    def remediate_public_trail(self, trail_name):
        bucket_name = self.cloudtrail_client.describe_trails(trailNameList=[trail_name])['trailList'][0]['S3BucketName']
        
        # Remove public access from bucket ACL
        self.s3_client.put_bucket_acl(
            Bucket=bucket_name,
            ACL='private'
        )
        
        # Remove public access from bucket policy
        self.s3_client.delete_bucket_policy(
            Bucket=bucket_name
        )
        
        print(f"Public access has been removed from the CloudTrail trail {trail_name}.")

# Instantiate the class
checker = CloudTrailChecker()

# Get trails with publicly accessible buckets
public_trails = checker.get_publicly_accessible_trails()

# Remediate public trails
for trail in public_trails:
    checker.remediate_public_trail(trail['Name'])
This Python script identifies CloudTrail trails with publicly accessible S3 buckets and provides a placeholder for the remediation logic. You would need to implement the logic to modify the bucket ACL and bucket policy to remove public access.Make sure to have appropriate IAM permissions for managing CloudTrail trails if you’re using AWS CLI or Python script.

Additional Reading:

I