Description:
CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.
Rationale:
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
Properties
pane, click the Permissions
tab.Everyone
or Any Authenticated User
Everyone
or Any Authenticated User
(click x
to delete the row).Save
to save the ACL.Edit bucket policy
button is present, click it.Statement
having an Effect
set to Allow
and a Principal
set to "*" or {"AWS" : "*"}.