Hi,
Thanks for reaching out to us. I understand that you're concerned about having to enable an S3 bucket per region, to meet the compliance requirement for CIS AWS Foundations Benchmark controls 2.5 – Ensure AWS Config is enabled for an AWS account.
- CIS AWS Foundations Benchmark controls - 2.5 – Ensure AWS Config is enabled - https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.5
You are able to use one S3 bucket for all regions per account to meet the compliance requirement. You do not need to use individual buckets per region. The audit steps performed by the Security Hub service to evaluate compliance are outlined in the document below, and step 6 (on page 72) for remediation mentions the following:
"Specify an S3 bucket in the same account or in another managed AWS account"
- https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Therefore, you may incorporate this solution into your implementation.
I hope this clears your concerns. Let us know if you have any further questions that we can answer!
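The single-bucket layout described in the answer above, as an added example that is not part of this thread or of AWS's own tooling: it builds the bucket policy a central Config bucket needs so that the Config service from every region of the listed accounts can deliver to it, the delivery-channel document that each regional recorder reuses, and a check for Config statements that lack the AWS:SourceAccount scoping. The bucket name and account IDs are constructed placeholders.

```python
import json

# Constructed placeholder values; replace with your own bucket and account IDs.
LOG_BUCKET = "example-org-config-logs"              # one bucket, e.g. in a log-archive account
MEMBER_ACCOUNTS = ["111111111111", "222222222222"]  # accounts whose regional recorders deliver here

def build_config_bucket_policy(bucket, account_ids):
    """Bucket policy letting AWS Config (from every region of the listed accounts)
    write to one central bucket, in the statement layout AWS documents for Config;
    AWS:SourceAccount keeps another account's Config service from writing here."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arns = [f"{bucket_arn}/AWSLogs/{acct}/Config/*" for acct in account_ids]
    scope = {"StringEquals": {"AWS:SourceAccount": account_ids}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
             "Principal": {"Service": "config.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn, "Condition": scope},
            {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
             "Principal": {"Service": "config.amazonaws.com"},
             "Action": "s3:ListBucket", "Resource": bucket_arn, "Condition": scope},
            {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
             "Principal": {"Service": "config.amazonaws.com"},
             "Action": "s3:PutObject", "Resource": object_arns,
             "Condition": {"StringEquals": {
                 "s3:x-amz-acl": "bucket-owner-full-control",
                 "AWS:SourceAccount": account_ids}}},
        ],
    }

def build_delivery_channel(bucket):
    """Body for `aws configservice put-delivery-channel --delivery-channel file://...`;
    the same document is applied in each region, since Config inserts the region
    into the key path (AWSLogs/<account>/Config/<region>/...), so objects never collide."""
    return {"name": "default", "s3BucketName": bucket,
            "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"}}

def unscoped_statements(policy):
    """Sids of statements granting the Config service principal without AWS:SourceAccount."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Principal", {}).get("Service") != "config.amazonaws.com":
            continue
        if "AWS:SourceAccount" not in stmt.get("Condition", {}).get("StringEquals", {}):
            bad.append(stmt["Sid"])
    return bad

if __name__ == "__main__":
    print(json.dumps(build_config_bucket_policy(LOG_BUCKET, MEMBER_ACCOUNTS), indent=2))
    print(json.dumps(build_delivery_channel(LOG_BUCKET), indent=2))
```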
Thank you. That clears my concerns. It's just the StackSet example, which automates this for all regions, that creates all the different buckets then, but I can (manually, or by changing the StackSet settings perhaps) consolidate it into a single bucket per account; that's good to know. Thanks!
Hi, can I follow up on your answer? This works well for AWS Config and AWS CloudTrail, which can record their logs/trails in one bucket (with subfolders for regions). However, when I enable server access logging for S3 and VPC Flow Logging (both security requirements), I cannot specify a bucket in a different region in the S3 Permissions tab. Does this mean I have to have server access logging buckets for each region in my account, plus VPC flow logging buckets for each region? Can I consolidate this into fewer buckets? Thanks!
I do have a separate log-archive account, too. Best to have the logs there, even, I think, if possible. Yet even then, with around 20 buckets per account, I can only host 5 accounts until the limit of 100 is reached (?). There must be a better way.