Cloudwatch Logs and S3 bucket policy best practices to limit access?

Hello! I was just curious if there are any best practices related to creating a tight S3 bucket policy so the ability to put logs in the logging bucket is restricted only to the 'SourceAccount'.

Example I am reviewing some bucket policies with the following -

SourceAccount SourceArn {StringEquals:{aws:SourceAccount:AWSACCOUNT#} StringEquals:{aws:SourceArn:arn:aws:cur:us-east-1:AWSACCOUNT#:definition/}}*

And other logging buckets are like this -

SourceAccount PutIfAclBuckOwn {StringEquals:{AWS:SourceAccount:AWSACCOUNT#} StringEquals:{s3:x-amz-acl:bucket-owner-full-control}}

I am confused in the difference in how the buckets are setup and/or if one example is a better method than the other. These are all buckets setup for AWS Config results.

Topics

Management & Governance

Tags

AWS Command Line Interface Amazon CloudWatch Logs

Language

English

rePost-User-0313018

asked a month ago80 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Here are a few best practices for creating a tight S3 bucket policy to restrict putting logs to only the source account:

Use the aws:SourceAccount and aws:SourceArn global condition context keys to restrict access to only your account. This is better than using s3:x-amz-acl conditions.
Lock down the permissions to only allow PutObject actions, not other S3 actions like deleting objects.
Use Deny statements with NotPrincipal after Allow to explicitly deny access to other accounts.
Use resource policies not bucket ACLs to control access. Bucket policies allow more fine-grained control.
Use IAM roles for EC2 instances or Lambda functions that need to put logs rather than making the bucket public. Grant permissions to the role, not the bucket.
Rotate credentials regularly if applications need direct access. Don't hardcode AWS keys in apps.
Enable MFA delete to prevent accidental bucket deletion.

So in summary, the first example using aws:SourceAccount and aws:SourceArn is better than the second example. The second allows anyone with full control ACL to write, which is too broad. Restricting by source account and ARN is more secure.

AWS-User-4970074

answered a month ago

Relevant content

Best practice for cross account S3 bucket access
rePost-User-7745098
asked a year ago
S3 bucket policy to allow CloudFront logging
Accepted Answer
newbie
asked 2 years ago
S3 access policy Limit PUT function
ghosham
asked 2 years ago
Bucket policy for putting NLB access logs
Abhinav Chauhan
asked 6 months ago
Can I push server access logs about an Amazon S3 bucket into the same bucket?
AWS OFFICIALUpdated 10 months ago
What are the best practices to secure my AWS account and its resources?
AWS OFFICIALUpdated 6 days ago
When I activate default encryption on my Amazon S3 bucket, do I need to update my bucket policy so that objects in the bucket are encrypted?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot CloudWatch logs that fail to export to S3 buckets?
AWS OFFICIALUpdated 2 months ago
How can I send AWS WAF log to both CloudWatch logs and S3?
EXPERT
Lei Pei
published 2 months ago
Best Practices for Distributors in delegating and restricting access privileges to downstream partners
EXPERT
Tong Jun Qun
published 2 years ago