Control: AWS > CIS v1 > 2 Logging > 2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.

Resource Types

This control targets the following resource types:

AWS > CloudTrail > Trail

Primary Policies

The following policies can be used to configure this control:

2.03 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (Scored)

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-cisv1#/control/types/r0203

Category URI

tmod:@turbot/cis#/control/categories/v071406

GraphQL

query controlType(id: "tmod:@turbot/aws-cisv1#/control/types/r0203") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-cisv1#/control/types/r0203'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-cisv1#/control/types/r0203"