S3 Bucket does not have logging enabled.

Explanation

Buckets should have logging enabled so that access can be audited.

Possible Impact

Without logging, there is no way to determine what access was made to this bucket.

Suggested Resolution

Add a logging block to the resource to enable access logging.

Insecure Example

The following example will fail the AVD-AWS-0092 check.

---
Resources:
  BadExample:
    Properties:
      AccessControl: AuthenticatedRead
    Type: AWS::S3::Bucket

Secure Example

The following example will pass the AVD-AWS-0092 check.

---
Resources:
  GoodExample:
    Properties:
      AccessControl: Private
    Type: AWS::S3::Bucket
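
The suggested resolution written out as a CloudFormation template: a bucket with a logging block, plus the destination bucket and the policy that lets S3 deliver logs to it. This is an added example, not taken from the original page or the project behind the check; the resource names and the `data-bucket/` prefix are assumptions.

```yaml
---
Resources:
  # Hypothetical destination bucket that receives the server access logs.
  AccessLogBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Lets the S3 logging service write log objects under the chosen prefix,
  # and only when the logs are delivered on behalf of this account.
  AccessLogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AccessLogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowS3ServerAccessLogs
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${AccessLogBucket.Arn}/data-bucket/*"
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  # Hypothetical bucket being audited: the LoggingConfiguration block is
  # what turns on access logging for it.
  DataBucket:
    Type: AWS::S3::Bucket
    DependsOn: AccessLogBucketPolicy
    Properties:
      AccessControl: Private
      LoggingConfiguration:
        DestinationBucketName: !Ref AccessLogBucket
        LogFilePrefix: data-bucket/
```

Keep the destination bucket separate from the bucket being logged, so that log deliveries do not generate further log entries about themselves.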

