Avoid recursive S3 server access logging + TrustedAdvisor warning
Hi, I'm enabling server access logging on all S3 buckets, as per SecurityHub recommendations. But now it also wants access logging on the access logging buckets and it warns (very good) that source and destination bucket cannot be the same. What is the preferred solution, here, then? Because even when one would send server access logs for the server access log buckets to another bucket in the same account, it still remains a recursion problem. It seems a bit odd to need to have access logging enabled on the access logging buckets.
Another issue I don't understand is that, although S3 server access logs are appearing as they should in the designated server access log buckets, I notice that TrustedAdvisor points out that there is a problem of "Write Not Enabled" for all of the S3 buckets and that, therefore, Server Access Logging is wrongly configured for all S3 buckets in the account (even though it actually works perfectly well). The permissions on the server access logging buckets also correctly give PutObject access to logging.s3.amazonaws.com. Is this a known problem, in any way?
Hello, thank you for your post.
For your first question, you can safely ignore the SecurityHub recommendation due to the recursion scenario you described.
As for your second question about the warning in Trusted Advisor, to make the "Write Not Enabled" alert go away, please try enabling the following ACL permissions for the affected buckets for the "S3 log delivery group":
Objects: Write (WRITE)
Bucket ACL: Read (READ_ACP)
You can read more about managing S3 bucket ACLs in our documentation.
Please let me know if you have any questions.
Thanks for the answer! I'll ignore the SecurityHub recommendation.
As for the second one, hmm, I'd rather stay away from ACLs in my S3 buckets, though, considering "A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you disable ACLs except in unusual circumstances where you need to control access for each object individually." (which I had read before and also quoted in the link you sent). I'd rather do everything with Bucket Policies, which seems to be the recommended approach.
If TrustedAdvisor cannot deal with this, then so be it, I guess. Then TrustedAdvisor has a problem, which I should report.
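The two points raised in this thread (avoiding a logging loop, and granting the log delivery service write access through a bucket policy instead of ACLs) as an added example; this is not code from the thread or from AWS. The bucket names and the account ID are constructed placeholders, and the policy shape follows the documented service-principal pattern with aws:SourceArn / aws:SourceAccount conditions.

```python
import json

LOG_DELIVERY_PRINCIPAL = "logging.s3.amazonaws.com"


def find_logging_cycles(targets):
    """targets maps source bucket -> its server-access-log destination (or None).

    Each bucket has at most one destination, so following the chain from every
    bucket and stopping when a bucket repeats finds every loop, including the
    one-bucket case where a log bucket is configured to log to itself.
    Returns a sorted list of cycles, each as a sorted tuple of bucket names.
    """
    cycles = set()
    for start in targets:
        path = []
        cur = start
        while cur is not None and cur not in path:
            path.append(cur)
            cur = targets.get(cur)
        if cur is not None:  # cur already on the path: the tail is a cycle
            cycles.add(tuple(sorted(path[path.index(cur):])))
    return sorted(cycles)


def log_bucket_policy(log_bucket, source_buckets, account_id):
    """Bucket policy for a log destination that lets the S3 log delivery
    service principal write, scoped to the listed source buckets and account.
    Refuses a configuration where the log bucket would log to itself."""
    if log_bucket in source_buckets:
        raise ValueError(f"{log_bucket} cannot be its own log destination")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{log_bucket}/*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": [f"arn:aws:s3:::{b}" for b in source_buckets]},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


if __name__ == "__main__":
    # Constructed inventory: one data bucket logging to a dedicated log bucket
    # that itself has logging disabled, which is the loop-free layout.
    inventory = {"app-data": "logs-central", "logs-central": None}
    print("cycles:", find_logging_cycles(inventory))
    print(json.dumps(log_bucket_policy("logs-central", ["app-data"], "111122223333"), indent=2))
```

With the bucket policy in place the "S3 log delivery group" ACL grants are not needed on the destination bucket, so ACLs can stay disabled as the thread prefers.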