How to manage AWS Config rule "securityhub-s3-bucket-logging-enabled" non-compliance for the S3 logging bucket itself?

0

I’m using AWS Control Tower to implement security controls across my accounts, including the SH.S3.9 control to ensure that S3 bucket server access logging is enabled on all buckets. This control sets up an AWS Config rule, securityhub-s3-bucket-logging-enabled, to verify that each bucket has access logging turned on.

However, I’m running into an issue where the rule flags my designated S3 logging bucket as non-compliant, since enabling access logging on it would result in recursive logging (logging access to itself). I attempted to place the logging bucket in a separate account to avoid this, but AWS doesn’t allow that setup.

I know I can suppress Security Hub findings for this bucket, but is there a recommended approach to handle this exception in AWS Config? Is there a way to exclude this specific logging bucket from this Config rule, or should I consider another workaround?

Thank you for any insights or best practices for managing this scenario!

2 Answers
1

No, there is no way for Config to differentiate an access log bucket vs a standard S3 bucket.

EXPERT
answered 7 months ago
  • Thank you Gary,

    It seems clear now that AWS Config doesn’t have the capability to distinguish an access log bucket from a standard S3 bucket, which explains why the s3-bucket-logging-enabled rule can’t exclude it. I’ll proceed by disregarding the non-compliance status for this logging bucket, as there isn’t currently a way to handle this exception within Config itself.

    That said, it does seem quite strange that this control effectively forces you to maintain a non-compliant resource in AWS Config. Hopefully, this is something AWS might address in future updates, as it could simplify compliance management for logging buckets.

    Thanks again

  • Totally agree. It would be good if you could tag those buckets to ignore on the Config rule etc.

0

Hi There,

For the question around suppressing in AWS Config, the rule name is securityhub-s3-bucket-logging-enabled, which is managed by Security Hub, so it can be safely ignored as you cannot edit this rule and won't be able to remediate. Where are you seeing the s3-bucket-logging-enabled rule enabled?

As you pointed out, you should suppress this finding in Security Hub.
This update was made in Control Tower version 3.1:

Deactivation of server access logging for the AWS Control Tower access logging bucket causes Security Hub to create a finding for the Log Archive account's access logging bucket, due to an AWS Security Hub rule, [S3.9] S3 bucket server access logging should be enabled. In alignment with Security Hub, we recommend that you suppress this particular finding, as stated in the Security Hub description of this rule. For additional information, see information about suppressed findings.

You can refer to the release notes here: https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#lz-3-1

The Security Hub Control description also mentions that you should suppress findings on access log target buckets.
The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket. Check out https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9

AWS
EXPERT
answered 7 months ago
  • Hi Matt,

    Thank you for your response. Just to clarify, I understand the suppression recommendation for Security Hub findings. My question is actually about handling this in AWS Config. The s3-bucket-logging-enabled rule flags the logging bucket itself as non-compliant, and suppressing in Security Hub doesn’t address the Config rule's non-compliance.

    Is there a way to handle this particular exception within AWS Config, such as excluding this logging bucket, or should I consider an alternative workaround?

    Thanks for any additional insights!

  • Hi There,

    For the question around suppressing in AWS Config, the rule name is securityhub-s3-bucket-logging-enabled, which is managed by Security Hub, so it can be safely ignored as you cannot edit this rule and won't be able to remediate. Where are you seeing the s3-bucket-logging-enabled rule enabled? (Updated original answer to include this question.)

  • Hi Matt,

    I’m seeing the s3-bucket-logging-enabled rule in AWS Config as part of my Control Tower setup with SH.S3.9. It’s showing non-compliance specifically for the S3 logging bucket, and I don’t see an option to exclude it. Is there any AWS Config setting or workaround to handle this exception, or should I simply disregard the non-compliance status in this case?

    You can see the details about SH.S3.9 and the AWS config rule created by it here: https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-9

    Thanks again for your help.

  • The specific Config rule that's enabled with that Security Hub control is called securityhub-s3-bucket-logging-enabled. If you are seeing a different one, it could be a separate Config rule that you could likely disable.

  • You are right Matt, the rule is named securityhub-s3-bucket-logging-enabled. Fixed it in my original question. Thanks
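The two answers above leave the asker with a manual exception: Config cannot tell the log-target bucket apart from any other bucket, and the recommended handling is to suppress the Security Hub S3.9 finding. The script below is an added example (not code from the thread, from AWS, or from Control Tower) that automates exactly that triage outside Config. It uses a property the operator does have: a bucket that other buckets name as their server-access-logging TargetBucket is, by construction, the log archive. It reads the NON_COMPLIANT evaluations for the securityhub-s3-bucket-logging-enabled rule, splits them into expected log targets and genuinely unlogged buckets, and suppresses the S3.9 finding (with an audit note) only for the former. The `ComplianceSecurityControlId` filter relies on Security Hub's consolidated control IDs; the `updated_by` value and the note text are assumptions, and the calls assume boto3 clients with the corresponding Config, S3 and Security Hub read/update permissions.

```python
"""Added example: triage S3.9 (securityhub-s3-bucket-logging-enabled) non-compliance.
Not code from the re:Post thread, AWS, or Control Tower; assumes boto3 clients
with config:GetComplianceDetailsByConfigRule, s3:ListAllMyBuckets,
s3:GetBucketLogging, securityhub:GetFindings and securityhub:BatchUpdateFindings."""
from collections import defaultdict

CONFIG_RULE = "securityhub-s3-bucket-logging-enabled"
SECURITY_CONTROL = "S3.9"  # consolidated Security Hub control ID behind the Config rule


def noncompliant_buckets(config):
    """Bucket names that Config currently marks NON_COMPLIANT for the S3.9 rule."""
    names, token = [], None
    while True:
        kwargs = {"ConfigRuleName": CONFIG_RULE, "ComplianceTypes": ["NON_COMPLIANT"]}
        if token:
            kwargs["NextToken"] = token
        page = config.get_compliance_details_by_config_rule(**kwargs)
        for result in page.get("EvaluationResults", []):
            qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            names.append(qualifier["ResourceId"])  # for AWS::S3::Bucket this is the bucket name
        token = page.get("NextToken")
        if not token:
            return names


def logging_targets(s3, bucket_names):
    """Map each TargetBucket to the buckets that deliver server access logs into it."""
    targets = defaultdict(list)
    for name in bucket_names:
        enabled = s3.get_bucket_logging(Bucket=name).get("LoggingEnabled")
        if enabled:
            targets[enabled["TargetBucket"]].append(name)
    return dict(targets)


def classify(noncompliant, targets):
    """Split Config's list into expected exceptions (log targets) and real gaps."""
    expected = sorted(b for b in noncompliant if b in targets)
    gaps = sorted(b for b in noncompliant if b not in targets)
    return expected, gaps


def s3_9_filters(bucket_name):
    """GetFindings filter for active, not-yet-handled S3.9 findings on one bucket."""
    def eq(value):
        return [{"Value": value, "Comparison": "EQUALS"}]
    return {
        "ComplianceSecurityControlId": eq(SECURITY_CONTROL),
        "ResourceId": eq(f"arn:aws:s3:::{bucket_name}"),
        "RecordState": eq("ACTIVE"),
        "WorkflowStatus": eq("NEW"),
    }


def suppress_log_target_findings(securityhub, bucket_name, updated_by):
    """Set WorkflowStatus=SUPPRESSED on S3.9 findings for a known log-target bucket.
    Returns the number of findings updated."""
    findings = securityhub.get_findings(Filters=s3_9_filters(bucket_name)).get("Findings", [])
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    note = {  # assumed wording; keeps the reason for the exception on the finding itself
        "Text": f"{bucket_name} is a server access log target; per S3.9 guidance the "
                "target bucket is not logged to itself, so this finding is suppressed.",
        "UpdatedBy": updated_by,
    }
    for start in range(0, len(identifiers), 100):  # BatchUpdateFindings takes at most 100 IDs
        securityhub.batch_update_findings(
            FindingIdentifiers=identifiers[start:start + 100],
            Workflow={"Status": "SUPPRESSED"},
            Note=note,
        )
    return len(identifiers)


def triage(config, s3, securityhub, updated_by="s3-logging-triage"):
    """Run the whole flow and return what was treated as exception vs real gap."""
    noncompliant = noncompliant_buckets(config)
    all_buckets = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    targets = logging_targets(s3, all_buckets)
    expected, gaps = classify(noncompliant, targets)
    suppressed = {b: suppress_log_target_findings(securityhub, b, updated_by) for b in expected}
    return {"expected_exceptions": expected, "real_gaps": gaps, "suppressed": suppressed}


if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3 installed
    print(triage(boto3.client("config"), boto3.client("s3"), boto3.client("securityhub")))
```

Run it in the account that owns the log archive bucket (the Log Archive account in a Control Tower landing zone); the Config rule stays NON_COMPLIANT for that bucket, as the answers say it must, but the Security Hub finding carries a note explaining why, and any bucket in `real_gaps` is a genuine logging gap rather than the expected exception.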
