CloudTrail trail records S3 object-level read events for all S3 buckets
cloudtrail_s3_dataevents_read_enabled
A CloudTrail trail logs S3 object-level read data events for all current and future buckets: an event selector whose read/write type is ReadOnly (or All) and whose data resource is of type AWS::S3::Object covering every bucket, so that object reads such as GetObject are recorded.
Risk
Without object-level read logging, reads of S3 objects leave no record: management events cover only bucket-level API calls (ListBuckets, PutBucketPolicy and the like), not GetObject. An attacker or insider can therefore pull data out with GetObject and the exfiltration is invisible to audit, anomaly detection, forensics and incident response.
prowler aws --checks cloudtrail_s3_dataevents_read_enabled
Recommendation
Enable CloudTrail data events for S3 objects with the read/write type set to ReadOnly (or All) for all current and future buckets, either with a basic event selector of type AWS::S3::Object and the value arn:aws:s3, or with an advanced event selector on resources.type AWS::S3::Object and readOnly true. Use a multi-Region trail, deliver the logs to a dedicated, encrypted bucket with restricted access and lifecycle retention, and feed them into monitoring and alerting so that object access is both recorded and acted on. Data events are billed separately from management events and S3 reads can be high-volume, so plan the log volume and cost before enabling them account-wide.
Remediation
aws cloudtrail put-event-selectors --trail-name <example_resource_name> --event-selectors '[{"ReadWriteType":"ReadOnly","DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3"]}]}]'
The value arn:aws:s3 selects all current and future buckets. Note that put-event-selectors replaces the trail's existing basic event selectors, and that ReadWriteType in a basic selector also applies to the management events the selector includes (IncludeManagementEvents defaults to true), so after the change confirm with GetEventSelectors that management write events are still recorded; if not, keep a separate selector for management events with ReadWriteType All, or use advanced event selectors.
- In the AWS Console, open CloudTrail and select Trails
- Open your trail and go to the Data events section
- Add data event for S3 and choose All current and future S3 buckets
- Select only Read events (or All if Read-only is unavailable)
- Save changes
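To verify the change, or to reproduce what this check evaluates, the following added example (not Prowler's own source and not from the referenced pages) evaluates a trail's event selectors in the shape returned by the CloudTrail GetEventSelectors API (the EventSelectors and AdvancedEventSelectors lists) and decides whether they log read data events for every S3 object. The sample responses are constructed, not captured from an account; in practice the dict would come from boto3's client.get_event_selectors(TrailName=...). It assumes that only the documented all-buckets value arn:aws:s3 counts as account-wide coverage for basic selectors, and that any resources.ARN field in an advanced selector narrows it to specific buckets.

```python
"""Evaluate CloudTrail event selectors for all-bucket S3 object READ logging.

Added example, not Prowler's own code. Input is the response dict shape of
`aws cloudtrail get-event-selectors`; the samples below are constructed.
"""

ALL_BUCKETS_PREFIX = "arn:aws:s3"   # documented value for all current and future buckets
S3_OBJECT = "AWS::S3::Object"


def basic_selectors_cover_all_s3_reads(event_selectors):
    """Basic selectors: ReadOnly/All plus an AWS::S3::Object data resource
    whose value is the all-buckets prefix (exact match, by assumption)."""
    for sel in event_selectors:
        if sel.get("ReadWriteType", "All") not in ("ReadOnly", "All"):
            continue  # WriteOnly selectors never record GetObject
        for res in sel.get("DataResources", []):
            if res.get("Type") == S3_OBJECT and ALL_BUCKETS_PREFIX in res.get("Values", []):
                return True
    return False


def advanced_selectors_cover_all_s3_reads(advanced_selectors):
    """Advanced selectors: eventCategory=Data, resources.type=AWS::S3::Object,
    readOnly absent (all) or "true", and no resources.ARN field scoping it down."""
    for sel in advanced_selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if S3_OBJECT not in fields.get("resources.type", {}).get("Equals", []):
            continue
        if "resources.ARN" in fields:
            continue  # limited to named buckets/prefixes, not all buckets
        read_only = fields.get("readOnly", {}).get("Equals")
        if read_only in (None, ["true"]):
            return True
    return False


def trail_logs_all_s3_reads(get_event_selectors_response):
    """True when the trail passes the check (basic or advanced selectors)."""
    resp = get_event_selectors_response
    return (basic_selectors_cover_all_s3_reads(resp.get("EventSelectors", []))
            or advanced_selectors_cover_all_s3_reads(resp.get("AdvancedEventSelectors", [])))


# Constructed sample responses (not captured from a real account)
COMPLIANT_BASIC = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example",
    "EventSelectors": [{
        "ReadWriteType": "ReadOnly",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": S3_OBJECT, "Values": [ALL_BUCKETS_PREFIX]}],
    }],
}
SCOPED_TO_ONE_BUCKET = {
    "EventSelectors": [{
        "ReadWriteType": "All",
        "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3:::only-this-bucket/"]}],
    }],
}
WRITE_ONLY_ADVANCED = {
    "AdvancedEventSelectors": [{
        "Name": "S3 writes only",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": [S3_OBJECT]},
            {"Field": "readOnly", "Equals": ["false"]},
        ],
    }],
}
COMPLIANT_ADVANCED = {
    "AdvancedEventSelectors": [{
        "Name": "All S3 object reads",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": [S3_OBJECT]},
            {"Field": "readOnly", "Equals": ["true"]},
        ],
    }],
}

if __name__ == "__main__":
    samples = [("basic ReadOnly, all buckets", COMPLIANT_BASIC),
               ("basic, scoped to one bucket", SCOPED_TO_ONE_BUCKET),
               ("advanced, write-only", WRITE_ONLY_ADVANCED),
               ("advanced read-only, all buckets", COMPLIANT_ADVANCED)]
    for name, resp in samples:
        print(f"{name}: {'PASS' if trail_logs_all_s3_reads(resp) else 'FAIL'}")
```

The bucket-scoped and write-only samples fail on purpose: a selector that names specific buckets leaves new buckets unlogged, and a write-only selector records PutObject but not the GetObject calls this check is about.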
Source Code
Resource Type
AwsCloudTrailTrail
References
- https://awswala.medium.com/enable-cloudtrail-data-events-logging-for-objects-in-an-s3-bucket-33cade51ae2b
- https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-23
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
- https://www.plerion.com/cloud-knowledge-base/ensure-object-level-logging-for-read-events-enabled-for-s3-bucket