Why does AWS Control Tower enable access logging on the access logging bucket?

2

After setting up AWS Control Tower I noticed that the S3 access logging bucket created under the Log Archive account, has logging enabled (and logging to the same bucket). This creates a situation where even doing nothing, the log bucket fills with recursive logs - any time a file is written to the log bucket, it generate another event to log to the log bucket. This just creates clutter and increased cost - is there any value in doing this? Or is this a bug/oversight?

Spock
已提問 2 年前檢視次數 1599 次
1 個回答
1

The reason why it's done is because it's AWS best practice to enable logging on all S3 buckets. However, the logging bucket is, and should be, the one exception to that rule for the reasons you've pointed out. It therefore means that a customer should implement other controls to ensure that undesired access or actions cannot be taken against the logging bucket as no actions will be recorded.

At this time, it's a configuration that customers can remove but AWS implements to provide a "secure by default" configuration, even if it may cause a undesired circular pattern which has a detrimental effect on customers. There is a mechanism by which you can request this be updated and addressed by working with your account manager or through a support ticket.

AWS
已回答 2 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南