S3 server access logging was disabled
ID: aws_s3_logging_disabled
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0005:T1562.008
Description
AlphaSOC detected that S3 server access logging has been disabled for an AWS S3 bucket. S3 server access logging provides records of requests made to a bucket, which is critical for security monitoring.
Impact
Disabling this feature may indicate an attempt to conceal malicious activity or unauthorized access to the bucket.
Severity
| Severity | Condition |
|---|---|
| Informational | S3 server access logging was disabled |
Investigation and Remediation
Determine who disabled S3 server access logging and why. Review AWS CloudTrail logs to identify the user or IAM role responsible. Re-enable S3 server access logging and analyze recent bucket activity for any suspicious actions that may have occurred while logging was disabled. Review and strengthen IAM policies to prevent unauthorized changes to logging settings.
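The CloudTrail review step can be scripted. The following is an added example, not AlphaSOC's detection logic: it filters exported CloudTrail records for successful `PutBucketLogging` calls that turn logging off and lists who made them. It assumes the request is recorded under `requestParameters.BucketLoggingStatus`, with a `LoggingEnabled` element present only when logging is being turned on; the sample events, names and addresses are constructed.

```python
# Constructed sample CloudTrail records (not real account data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"bucketName": "example-bucket", "BucketLoggingStatus": {
         "LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "s3/"}}}},
    {"eventTime": "2024-05-02T23:14:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLogging", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-role/session1"},
     "requestParameters": {"bucketName": "example-bucket", "BucketLoggingStatus": ""}},
    {"eventTime": "2024-05-02T23:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLogging", "sourceIPAddress": "203.0.113.25",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-role/session1"},
     "requestParameters": {"bucketName": "example-bucket", "BucketLoggingStatus": ""}},
]


def logging_disabled(event):
    """True for a successful PutBucketLogging call with no LoggingEnabled element."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "PutBucketLogging":
        return False
    if event.get("errorCode"):
        return False  # the call failed, so the bucket setting did not change
    status = (event.get("requestParameters") or {}).get("BucketLoggingStatus")
    # Assumed layout: an empty status (no LoggingEnabled child) turns logging off.
    return not (isinstance(status, dict) and status.get("LoggingEnabled"))


def summarize(events):
    """Return who disabled logging, on which bucket, when and from where."""
    findings = []
    for ev in events:
        if logging_disabled(ev):
            ident = ev.get("userIdentity") or {}
            findings.append({
                "time": ev.get("eventTime"),
                "bucket": (ev.get("requestParameters") or {}).get("bucketName"),
                "actor": ident.get("arn"),
                "actor_type": ident.get("type"),
                "source_ip": ev.get("sourceIPAddress"),
            })
    return sorted(findings, key=lambda f: f["time"] or "")
```

The timestamp of each finding marks the start of the window in which bucket activity has no server access log coverage and must be reconstructed from other sources.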
Known False Positives
- Logging intentionally disabled