Skip to content

Latest commit

 

History

History
33 lines (29 loc) · 3.49 KB

cloudtrail-bucket-delete-policy.md

File metadata and controls

33 lines (29 loc) · 3.49 KB
Raw

CloudSploit

AWS / CloudTrail / CloudTrail Bucket Delete Policy

Quick Info
Plugin Title CloudTrail Bucket Delete Policy
Cloud AWS
Category CloudTrail
Description Ensures CloudTrail logging bucket has a policy to prevent deletion of logs without an MFA token
More Info To provide additional security, CloudTrail logging buckets should require an MFA token to delete objects
AWS Link http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete
Recommended Action Enable MFA delete on the CloudTrail bucket

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the "Services" option and search for "CloudTrail".
  3. In the "Dashboard" panel click on "View trails" button.
  4. Select the "trail" that needs to be verified under "Name" column.
  5. Scroll down and under the "Storage location" option check the S3 bucket used to store log data.
  6. Go to "Services" and search for "S3" to go into S3 buckets dashboard.
  7. Select the "S3 bucket" used to store data log in CloudTrail.
  8. Enabling MFA using AWS Management Console is not supported as of now. MFA can be enabled using AWS API. Configure "AWS CLI" with your own "AWS Key Id" and "AWS Secret Key" as well as configure MFA for your root account.
  9. Follow the commands to "Enable MFA".
  10. To list buckets in AWS account: aws s3api list-buckets --query 'Buckets[*].Name'
  11. To verify if the selected "CloudTrail bucket" has object versioning enabled : aws s3api get-bucket-versioning --bucket shukla008
  12. To enable "MFA Delete" and "Versioning" of the selected "CloudTrail bucket" : aws s3api put-bucket-versioning --bucket shukla008 --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa 'arn:aws:iam::10260454563607:mfa/root-account-mfa-device 531098'
  13. To verify if "MFA Delete" and "Versioning" of the selected "CloudTrail bucket" is enabled. It returns output as Enabled Enabled if "MFA and Versioning" are "Enabled" : aws s3api get-bucket-versioning --bucket shukla00
  14. To list select "CloudTrail bucket" object versions : aws s3api list-object-versions --bucket shukla008
  15. To examine try and delete the S3 object version without "MFA" token : aws s3api delete-object --bucket shukla008 --version-id "HBU7m.mOKZhxuXXDl5Y9c1Iu6.XWQkxu" --key demo.txt
  16. MFA Delete is enabled on selected "CloudTrail bucket".