AWS Log Delivery Write Access
Description
Checks if S3 buckets configured as logging targets have the required permissions to allow AWS Log Delivery service to write logs. Incorrect permissions on logging target buckets can prevent S3 access logs from being delivered, resulting in loss of audit trail and compliance violations.
Detection Strategy
• Scan identifies all S3 buckets in the account
• For each bucket with logging enabled, read its target bucket; any bucket named as the target of another bucket's logs is a logging target
• If the bucket is a logging target, verify the bucket ACL includes WRITE, WRITE_ACP, or FULL_CONTROL permissions for the AWS Log Delivery service group (http://acs.amazonaws.com/groups/s3/LogDelivery)
• Report a vulnerability if a logging target bucket lacks the required Log Delivery service permissions
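The detection strategy above, worked through as an added example that is not part of the original page or of Fluid Attacks' scanner. It takes the logging configuration and ACL of each bucket in the shape that boto3's get_bucket_logging and get_bucket_acl return, derives which buckets are logging targets, and reports those whose ACL grants none of WRITE, WRITE_ACP or FULL_CONTROL to the Log Delivery group. The bucket names and ACL grants are constructed sample data.

```python
"""Offline check for missing Log Delivery permissions on S3 logging targets.

The inputs mirror boto3 response shapes (get_bucket_logging / get_bucket_acl)
so the same functions can be fed live data; the sample data below is constructed.
"""

# Canonical group URI that S3 server access logging writes as (from the page).
LOG_DELIVERY_GROUP = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Any one of these ACL permissions satisfies the check described on the page.
REQUIRED_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def logging_targets(logging_by_bucket):
    """Map each logging target bucket to the set of buckets that log into it.

    logging_by_bucket: {bucket_name: get_bucket_logging() response dict}
    A bucket with logging disabled has no "LoggingEnabled" key and is skipped.
    """
    targets = {}
    for source, cfg in logging_by_bucket.items():
        enabled = cfg.get("LoggingEnabled")
        if enabled:
            targets.setdefault(enabled["TargetBucket"], set()).add(source)
    return targets


def log_delivery_permissions(acl):
    """Return the set of ACL permissions granted to the Log Delivery group."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == LOG_DELIVERY_GROUP:
            perms.add(grant["Permission"])
    return perms


def find_misconfigured_targets(logging_by_bucket, acl_by_bucket):
    """Report logging targets whose ACL lacks a required Log Delivery grant.

    Returns a list of findings sorted by bucket name, each recording the target,
    the source buckets whose logs would be lost, and what the group was granted.
    """
    findings = []
    for target, sources in sorted(logging_targets(logging_by_bucket).items()):
        granted = log_delivery_permissions(acl_by_bucket.get(target, {}))
        if not granted & REQUIRED_PERMISSIONS:
            findings.append(
                {"bucket": target, "sources": sorted(sources), "granted": sorted(granted)}
            )
    return findings


def _grant(uri, permission):
    """Build one ACL grant entry for a group grantee (helper for sample data)."""
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


# Constructed sample account: two source buckets, two logging targets.
SAMPLE_LOGGING = {
    "app-bucket": {"LoggingEnabled": {"TargetBucket": "audit-logs-ok", "TargetPrefix": "app/"}},
    "web-bucket": {"LoggingEnabled": {"TargetBucket": "audit-logs-bad", "TargetPrefix": "web/"}},
    "audit-logs-ok": {},   # logging disabled
    "audit-logs-bad": {},  # logging disabled
}

SAMPLE_ACLS = {
    # Correct: Log Delivery group can write objects and read the ACL.
    "audit-logs-ok": {"Grants": [
        _grant(LOG_DELIVERY_GROUP, "WRITE"),
        _grant(LOG_DELIVERY_GROUP, "READ_ACP"),
    ]},
    # Misconfigured: only READ_ACP, so deliveries would be rejected.
    "audit-logs-bad": {"Grants": [_grant(LOG_DELIVERY_GROUP, "READ_ACP")]},
    "app-bucket": {"Grants": []},
    "web-bucket": {"Grants": []},
}


if __name__ == "__main__":
    for finding in find_misconfigured_targets(SAMPLE_LOGGING, SAMPLE_ACLS):
        print(
            f"{finding['bucket']}: Log Delivery granted {finding['granted'] or 'nothing'}; "
            f"logs from {finding['sources']} will not be delivered"
        )
```

On a live account the two dicts are built by calling boto3's `s3.list_buckets()`, then `s3.get_bucket_logging(Bucket=name)` and `s3.get_bucket_acl(Bucket=name)` for each bucket. Note that the check only covers ACL grants, as the page describes; a target bucket whose Object Ownership setting is BucketOwnerEnforced has ACLs disabled and must instead authorize the logging service through its bucket policy, so that case should be evaluated separately rather than flagged by this routine.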