| Plugin Title | CloudTrail Bucket Private |
| Cloud | AWS |
| Category | CloudTrail |
| Description | Ensures CloudTrail logging bucket is not publicly accessible |
| More Info | CloudTrail buckets contain large amounts of sensitive account data and should only be accessible by logged in users. |
| AWS Link | http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html |
| Recommended Action | Set the S3 bucket access policy for all CloudTrail buckets to only allow known users to access its files. |
- Log in to the AWS Management Console.
- Select the "Services" option and search for "CloudTrail".
- In the "Dashboard" panel click on the desired trail from the list under "Trails" to get to its configuration page.
- Click on "Edit" under "General details".
- Scroll down and under the "Storage location" option check the S3 bucket name which stores the log data.
- Go to "Services" and search for "S3" to go into S3 buckets dashboard.
- Select the "S3 bucket" which is used to store data log in CloudTrail and check the "Access" option. If "Access" shows "Objects can be public" than bucket is publicly accessible
- Click on the Bucket name to get into its configuration page.
- Click on the "Permissions" tab and scroll down to "Block public access (bucket settings)" and click "Edit".
- Select the checkbox "Block all public access" shown under "Block public access (bucket settings)" to make the S3 bucket private.
- Click on "save changes" to save the settings.
- On the permissions tab scroll down to "Access control list (ACL)" to check the access for other AWS accounts on the selected S3 bucket for known users. Click "Edit" to add permissions for accounts as desired.
- On the "Edit access control list (ACL)" page click on "Add grantee" button to grant access to other AWS accounts as desired.
- Under "Access for other AWS accounts" paste the Canonical ID of the desired AWS account and check desired permissions. Review and click "Save changes".
- Repeat steps 4 to 14 for all other Cloudtrail trails.
