Terraform Policy
Ensure that object-level logging for read events is enabled for S3 buckets
GUARDRAIL "[CIS - AWS] 3.9 Ensure that object-level logging for read events is enabled for S3 buckets"
  WHEN aws_cloudtrail
    REQUIRE is_multi_region_trail = true
    REQUIRE event_selector OR advanced_event_selector EXISTS
  WHEN aws_cloudtrail.event_selector
    REQUIRE SOME event_selector HAS
      read_write_type IN ["ReadOnly", "ALL"]
      data_resource.type = "AWS::S3::Object"
      SOME data_resource.values STARTS WITH "arn:aws:s3"
  WHEN aws_cloudtrail.advanced_event_selector EXISTS
    REQUIRE SOME advanced_event_selector HAS
      (field_selector.field != "eventCategory" OR SOME field_selector HAS
        field = "eventCategory" AND equals = ["Data"])
      (field_selector.field != "resources.type" OR SOME field_selector HAS
        field = "resources.type" AND equals CONTAINS "AWS::S3::Object")
      (field_selector.field != "readOnly" OR SOME field_selector HAS
        field = "readOnly" AND equals CONTAINS "true")
  OVERRIDE WITH APPROVAL @security
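As an added illustration (not part of this page and not Resourcely's own code), here is Terraform that satisfies the guardrail, one trail per branch of the policy: the first uses the classic event_selector, the second the advanced_event_selector form. Trail and bucket names are placeholders, and the log bucket is assumed to already exist with a bucket policy that lets CloudTrail write to it.

```hcl
# Branch 1: classic event_selector. read_write_type "ReadOnly" satisfies the
# guardrail's IN ["ReadOnly", "ALL"]; "All" would additionally capture writes.
resource "aws_cloudtrail" "s3_object_reads" {
  name                  = "org-trail-s3-reads"      # placeholder
  s3_bucket_name        = "example-cloudtrail-logs" # placeholder, assumed to exist
  is_multi_region_trail = true

  event_selector {
    read_write_type           = "ReadOnly"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3"] # every object in every bucket; starts with "arn:aws:s3"
    }
  }
}

# Branch 2: advanced_event_selector. A trail may use one form or the other,
# not both, so this is shown as a separate resource.
resource "aws_cloudtrail" "s3_object_reads_advanced" {
  name                  = "org-trail-s3-reads-advanced" # placeholder
  s3_bucket_name        = "example-cloudtrail-logs"     # placeholder, assumed to exist
  is_multi_region_trail = true

  advanced_event_selector {
    name = "Read events on all S3 objects"

    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }
    field_selector {
      field  = "resources.type"
      equals = ["AWS::S3::Object"]
    }
    field_selector {
      field  = "readOnly"
      equals = ["true"]
    }
  }
}
```

Either trail on its own is enough to pass the guardrail; a trail that sets is_multi_region_trail = false, or whose selectors cover only a single bucket ARN, is still matched by the first WHEN block and fails unless an @security override is approved.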
Made by: Resourcely
Provider: AWS
Category: Logging and monitoring