
S3 server access logging was disabled

ID: aws_s3_logging_disabled
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0005:T1562.008

Description

AlphaSOC detected that S3 server access logging has been disabled for an AWS S3 bucket. S3 server access logging provides records of requests made to a bucket, which is critical for security monitoring.

Impact

Disabling this feature may indicate an attempt to conceal malicious activity or unauthorized access to the bucket.

Severity

Severity | Condition
Informational | S3 server access logging was disabled

Investigation and Remediation

Determine who disabled S3 server access logging and why. Review AWS CloudTrail logs to identify the user or IAM role responsible. Re-enable S3 server access logging and analyze recent bucket activity for any suspicious actions that may have occurred while logging was disabled. Review and strengthen IAM policies to prevent unauthorized changes to logging settings.
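The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it finds who disabled logging and the window during which each bucket went unlogged, so the activity review can be scoped to that period. It assumes a disable request appears as a PutBucketLogging event whose BucketLoggingStatus has no LoggingEnabled element; the function names and the sample records are constructed for illustration.

```python
import json

# Constructed CloudTrail records (illustrative only, not real data).
SAMPLE = json.loads("""[
 {"eventTime": "2024-05-01T09:00:00Z", "eventName": "PutBucketLogging",
  "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
  "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-intern"},
  "requestParameters": {"bucketName": "example-bucket", "BucketLoggingStatus": {}}},
 {"eventTime": "2024-05-01T10:00:00Z", "eventName": "PutBucketLogging",
  "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ExampleRole/s1"},
  "requestParameters": {"bucketName": "example-bucket", "BucketLoggingStatus": {}}},
 {"eventTime": "2024-05-01T12:30:00Z", "eventName": "PutBucketLogging",
  "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
  "requestParameters": {"bucketName": "example-bucket", "BucketLoggingStatus":
    {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "s3/"}}}}
]""")

def logging_change(event):
    """Return 'disabled', 'enabled', or None for one CloudTrail record."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketLogging"
            or event.get("errorCode")):  # failed calls changed nothing
        return None
    # Assumption: a disable request has no LoggingEnabled element.
    status = (event.get("requestParameters") or {}).get("BucketLoggingStatus")
    enabled = isinstance(status, dict) and bool(status.get("LoggingEnabled"))
    return "enabled" if enabled else "disabled"

def logging_gaps(events):
    """List each window in which a bucket had no server access logging."""
    gaps, open_gap = [], {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        change = logging_change(ev)
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        if change == "disabled" and bucket not in open_gap:
            open_gap[bucket] = {"bucket": bucket, "actor": ev["userIdentity"].get("arn"),
                                "source_ip": ev.get("sourceIPAddress"),
                                "disabled_at": ev["eventTime"], "reenabled_at": None}
            gaps.append(open_gap[bucket])
        elif change == "enabled" and bucket in open_gap:
            open_gap.pop(bucket)["reenabled_at"] = ev["eventTime"]
    return gaps

if __name__ == "__main__":
    for gap in logging_gaps(SAMPLE):
        print(gap)
```

A gap whose reenabled_at is None means logging is still off for that bucket.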

Known False Positives

  • Logging intentionally disabled

Further Reading