This check evaluates whether each Amazon S3 bucket has server access logging configured, so that access requests to the bucket are recorded and the logs are delivered to a designated destination bucket.
Risk
Without access logs, object reads, writes, and deletions may go untracked, hindering detection of unauthorized access and data exfiltration. This degrades forensic visibility, delays incident response, and weakens evidence integrity, impacting confidentiality and integrity.
prowler aws --checks s3_bucket_server_access_logging_enabled
Recommendation
Enable server access logging and send logs to a dedicated log bucket with least privilege, retention, and monitoring. Complement with CloudTrail data events for object-level visibility. Apply defense in depth by centralizing logs and protecting them from tampering.
Remediation
aws s3api put-bucket-logging --bucket <BUCKET_NAME> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<LOG_BUCKET>","TargetPrefix":"logs/"}}'
- Open the AWS Management Console and go to S3
- Select the bucket with the finding
- Go to the Properties tab
- In Server access logging, click Edit
- Toggle Enable, choose the target log bucket, and Save
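The following Python is an added example, not Prowler's own check or remediation code. It shows the check's logic applied to the shape of an S3 `get_bucket_logging` response, builds the same `BucketLoggingStatus` payload the CLI command above sends, and produces the bucket-policy statement the target log bucket needs so that the S3 log delivery service principal (`logging.s3.amazonaws.com`) may write into it; without that grant the `put-bucket-logging` call succeeds but no logs ever arrive. Bucket names, the prefix `logs/` and the account ID `111122223333` are constructed placeholders, and `FakeS3` is an in-memory stand-in for a boto3 client so the script runs offline.

```python
"""Evaluate and remediate S3 server access logging (added example, not Prowler's code)."""
import json

# Service principal S3 uses to deliver server access logs to the target bucket.
LOG_DELIVERY_PRINCIPAL = "logging.s3.amazonaws.com"


def evaluate_bucket_logging(bucket_name, logging_config):
    """Turn a get_bucket_logging response into a PASS/FAIL finding.

    get_bucket_logging returns a dict without a LoggingEnabled key when logging
    is off, otherwise {"LoggingEnabled": {"TargetBucket": ..., "TargetPrefix": ...}}.
    """
    enabled = (logging_config or {}).get("LoggingEnabled") or {}
    target = enabled.get("TargetBucket")
    if not target:
        return {
            "resource": bucket_name,
            "status": "FAIL",
            "status_extended": f"S3 bucket {bucket_name} has server access logging disabled.",
        }
    prefix = enabled.get("TargetPrefix", "")
    extra = ""
    if target == bucket_name:
        # S3 allows this, but each log write then generates another log entry;
        # the recommendation calls for a dedicated log bucket instead.
        extra = " WARNING: logs are delivered to the bucket itself."
    return {
        "resource": bucket_name,
        "status": "PASS",
        "status_extended": f"S3 bucket {bucket_name} logs to s3://{target}/{prefix}.{extra}",
    }


def logging_status(log_bucket, prefix="logs/"):
    """BucketLoggingStatus payload, equivalent to the JSON passed to put-bucket-logging."""
    return {"LoggingEnabled": {"TargetBucket": log_bucket, "TargetPrefix": prefix}}


def log_delivery_policy_statement(log_bucket, source_bucket, account_id, prefix="logs/"):
    """Statement to merge into the log bucket's policy so S3 may deliver logs.

    Scoped to the source bucket and account via aws:SourceArn / aws:SourceAccount,
    which is the least-privilege grant the log delivery service needs.
    """
    return {
        "Sid": "S3ServerAccessLogsPolicy",
        "Effect": "Allow",
        "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{log_bucket}/{prefix}*",
        "Condition": {
            "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
            "StringEquals": {"aws:SourceAccount": account_id},
        },
    }


def enable_logging(s3, bucket_name, log_bucket, prefix="logs/"):
    """Apply the remediation through a boto3-style client and re-evaluate.

    `s3` is any object exposing put_bucket_logging / get_bucket_logging
    (boto3.client("s3") in real use; FakeS3 in the demo below).
    """
    s3.put_bucket_logging(Bucket=bucket_name, BucketLoggingStatus=logging_status(log_bucket, prefix))
    return evaluate_bucket_logging(bucket_name, s3.get_bucket_logging(Bucket=bucket_name))


class FakeS3:
    """Constructed in-memory stand-in for the two boto3 calls used above."""

    def __init__(self, configs):
        self.configs = dict(configs)

    def get_bucket_logging(self, Bucket):
        return self.configs.get(Bucket, {})

    def put_bucket_logging(self, Bucket, BucketLoggingStatus):
        self.configs[Bucket] = BucketLoggingStatus


if __name__ == "__main__":
    # Constructed sample inventory: one non-compliant bucket, one compliant bucket.
    s3 = FakeS3({
        "app-data": {},
        "app-backups": {"LoggingEnabled": {"TargetBucket": "central-logs", "TargetPrefix": "logs/"}},
    })
    for name in ("app-data", "app-backups"):
        print(evaluate_bucket_logging(name, s3.get_bucket_logging(Bucket=name)))
    print(json.dumps(log_delivery_policy_statement("central-logs", "app-data", "111122223333"), indent=2))
    print(enable_logging(s3, "app-data", "central-logs"))
```

In real use, merge the returned policy statement into the log bucket's existing policy rather than replacing it, and keep the log bucket itself out of the set of buckets that log to it.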
Source Code
Resource Type
AwsS3Bucket