Server access logging records the requests made to an S3 bucket (requester, bucket, key, operation, time, response code), which makes it possible to track who did what on the bucket and when.

When server access logging is disabled, infrastructure administrators are blind to activity on the bucket: they cannot investigate a suspected data exfiltration or answer audit and regulatory requests for access records.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It's recommended to enable S3 server access logging on every bucket and to deliver the logs to a dedicated, access-restricted logging bucket (not the bucket being logged, which would log its own log writes in a loop).

Sensitive Code Example

S3 server access logging is disabled:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Noncompliant: no LoggingConfiguration, so requests to this bucket are not recorded
    Properties:
      BucketName: "mynoncompliantbucket"

Compliant Solution

S3 server access logging is enabled:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      # Grants the S3 log delivery group permission to write log objects
      # into this bucket. This is an ACL-based grant, so the bucket must
      # have ACLs enabled for it to be accepted.
      AccessControl: LogDeliveryWrite

  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      BucketName: "mycompliantbucket"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs # logs go to a separate bucket
        LogFilePrefix: testing-logs

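The compliant solution above relies on the `LogDeliveryWrite` canned ACL. Since April 2023, new S3 buckets default to `ObjectOwnership: BucketOwnerEnforced`, which disables ACLs, and creating a bucket with `AccessControl` set fails in that case. The following is an added example (not part of the original rule) that reaches the same compliant state with ACLs kept disabled: the log delivery service principal `logging.s3.amazonaws.com` is granted `s3:PutObject` on the logging bucket through a bucket policy instead. The bucket names, the `testing-logs` prefix and the `DependsOn` ordering are assumptions for illustration; the source bucket ARN in the `Condition` is spelled out rather than referenced because `S3Bucket` depends on the policy and a `!Ref` there would be a circular dependency.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      # ACLs disabled: all objects, including delivered logs, are owned by the bucket owner
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      # Access logs contain requester identities and object keys; keep them private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  S3BucketLogsPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3BucketLogs
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: S3ServerAccessLogsPolicy
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${S3BucketLogs.Arn}/*"
            # Confused-deputy guard: only logs for this account's source bucket may be written
            Condition:
              ArnLike:
                aws:SourceArn: "arn:aws:s3:::mycompliantbucket" # assumed source bucket name
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    # The logging configuration is validated against the target bucket's permissions
    # when the bucket is created, so the policy must exist first.
    DependsOn: S3BucketLogsPolicy
    Properties:
      BucketName: "mycompliantbucket"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs
```

The logging bucket itself deliberately has no `LoggingConfiguration`: pointing it at itself would record every log delivery as a new request and grow without bound, so it is the one bucket a reviewer should expect to see exempted from this rule.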
See