Changes to Rules object-level logging for S3 buckets
On 15 May 2023, a change will be released for the listed Rules that check if object-level logging is enabled for S3 buckets.
Currently, S3 buckets in Stax-managed member accounts fail the check even when the required CloudTrail S3 data event logging is enabled. This is because Stax follows AWS best practice and configures CloudTrail at the Organization level rather than within each individual member account.
After the change, these Rules will detect S3 data event logging that is enabled on CloudTrail trails configured in member accounts as well as on Organization-level CloudTrail trails.
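The following is an added example (not Stax's Rule implementation) that evaluates the check described above both ways: member-account trails only, and member-account plus Organization trails. It assumes trail records shaped like a join of `DescribeTrails` (with `IsOrganizationTrail`), `GetTrailStatus` (`IsLogging`) and the basic `EventSelectors` from `GetEventSelectors`; the trail and bucket names are constructed.

```python
"""Decide whether an S3 bucket's read/write data events are logged by CloudTrail."""

# ReadWriteType of a basic event selector -> event classes it captures.
READ_WRITE_TYPES = {"ReadOnly": {"read"}, "WriteOnly": {"write"}, "All": {"read", "write"}}


def selector_covers_bucket(selector, bucket_arn):
    """True if a basic event selector logs data events for every object in bucket_arn."""
    for resource in selector.get("DataResources", []):
        if resource.get("Type") != "AWS::S3::Object":
            continue
        for value in resource.get("Values", []):
            # "arn:aws:s3" selects all current and future buckets;
            # "<bucket ARN>/" selects all objects in one bucket.
            if value == "arn:aws:s3" or value == bucket_arn + "/":
                return True
    return False


def logged_event_types(trails, bucket_arn, include_org_trails):
    """Return the set of event classes ("read"/"write") logged for bucket_arn.

    Organization trails are skipped unless include_org_trails is True, which
    reproduces the member-account-only behaviour versus the corrected Rule.
    """
    covered = set()
    for trail in trails:
        if trail["IsOrganizationTrail"] and not include_org_trails:
            continue
        if not trail.get("IsLogging", False):
            continue  # a trail that exists but is stopped logs nothing
        for selector in trail.get("EventSelectors", []):
            if selector_covers_bucket(selector, bucket_arn):
                covered |= READ_WRITE_TYPES[selector["ReadWriteType"]]
    return covered


def rule_passes(trails, bucket_arn, event_type, include_org_trails):
    """Outcome of the 'object-level logging for <event_type> events' Rule."""
    return event_type in logged_event_types(trails, bucket_arn, include_org_trails)


# Constructed fixture: no trail in the member account itself, one Organization
# trail that logs all S3 data events (the situation the announcement describes).
SAMPLE_TRAILS = [{
    "Name": "org-trail",  # constructed
    "IsOrganizationTrail": True,
    "IsLogging": True,
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}],
}]
BUCKET = "arn:aws:s3:::example-workload-bucket"  # constructed

if __name__ == "__main__":
    for org in (False, True):
        print(f"include_org_trails={org}: {sorted(logged_event_types(SAMPLE_TRAILS, BUCKET, org))}")
```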
| Bundle Name | Rule Name |
| --- | --- |
| Organization Bundle/catalog | Ensure that Object-level logging for write events is enabled for S3 bucket |
| Organization Bundle/catalog | Ensure that Object-level logging for read events is enabled for S3 bucket |
| CIS Benchmark v1.3.0, v1.4.0 & v1.5.0 | CIS 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket |
| CIS Benchmark v1.3.0, v1.4.0 & v1.5.0 | CIS 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket |
By default, Stax does not configure S3 object-level logging for Stax-managed accounts. An S3 bucket with a high workload could quickly generate thousands of logs in a short amount of time, resulting in increased AWS costs. Find out more about Enabling CloudTrail event logging for S3 buckets and objects.