S3 buckets object logging should be enabled
Object-level logging saves events in JSON format in CloudTrail. This is recommended from a security best practice perspective for buckets that contain sensitive data.
How to fix
Attribute advanced_event_selector of aws_cloudtrail must be non-empty.
Implementation options
Choose the option that matches how you manage Terraform. All options satisfy this control.
Option 1: Terraform AWS provider resources
If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_cloudtrail.
```hcl
resource "aws_cloudtrail" "this" {
  advanced_event_selector {
    field_selector {
      equals = ["Data"]
      field  = "eventCategory"
    }
    field_selector {
      equals = ["AWS::S3::Object"]
      field  = "resources.type"
    }
    name = "Log all S3 data events"
  }
  name           = "pofix-example-trail"
  s3_bucket_name = "example-bucket-abc123"
}
```
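To verify that a deployed trail actually satisfies this control, the check below inspects a trail's advanced event selectors for S3 data-event coverage. It is an added example, not code from compliance.tf or Powerpipe; it assumes the input has the shape of the "AdvancedEventSelectors" list returned by CloudTrail's GetEventSelectors API, and the sample selectors are constructed.

```python
# Added example (not compliance.tf/Powerpipe code). Input shape assumed to
# match the "AdvancedEventSelectors" list from CloudTrail's GetEventSelectors
# API (boto3: cloudtrail.get_event_selectors(TrailName=...)).
S3_OBJECT = "AWS::S3::Object"

def _equals(field_selectors, field):
    """Equals values declared for `field`, or [] if the field is absent."""
    for fs in field_selectors:
        if fs.get("Field") == field:
            return list(fs.get("Equals", []))
    return []

def s3_data_event_scopes(selectors):
    """S3 object-level coverage per selector: "*" for every bucket, else the
    resources.ARN values it is narrowed to. [] means no S3 data events."""
    scopes = []
    for sel in selectors:
        fs = sel.get("FieldSelectors", [])
        if "Data" not in _equals(fs, "eventCategory"):
            continue  # management/insight selector, not object-level logging
        if S3_OBJECT not in _equals(fs, "resources.type"):
            continue  # data events for another service (Lambda, DynamoDB, ...)
        arns = []
        for f in fs:
            if f.get("Field") == "resources.ARN":
                arns += f.get("Equals", []) + f.get("StartsWith", [])
        scopes.extend(arns or ["*"])
    return scopes

def bucket_object_logging_enabled(selectors, bucket_name):
    """True if some object-level events for `bucket_name` reach the trail
    (a selector narrowed to a key prefix inside the bucket still counts)."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}/"
    for scope in s3_data_event_scopes(selectors):
        if scope == "*" or bucket_arn.startswith(scope) or scope.startswith(bucket_arn):
            return True
    return False

# Constructed sample: the Option 1 selector, a management-only trail, and a
# trail scoped to a single bucket.
ALL_S3 = [{"Name": "Log all S3 data events", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": [S3_OBJECT]}]}]
MGMT_ONLY = [{"Name": "Management only", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]}]}]
ONE_BUCKET = [{"Name": "Sensitive bucket only", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": [S3_OBJECT]},
    {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::pii-bucket/"]}]}]
```

A trail whose selectors are all management-only fails for every bucket, while a selector scoped with resources.ARN passes only for the buckets it names.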
Which option should I choose?
- Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
- Open source module (terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready.
- Terraform AWS provider resources: manage Terraform resources directly.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf (CTF) Control: s3_bucket_object_logging_enabled
Powerpipe Controls: aws_compliance.control.cis_v500_3_8, aws_compliance.control.cis_v500_3_9, aws_compliance.control.cis_v600_4_8, aws_compliance.control.cis_v600_4_9, aws_compliance.control.cloudtrail_s3_data_events_enabled, aws_compliance.control.s3_bucket_object_logging_enabled