Enable Server Access Logging on S3 Buckets Using AWS Config Rules
Introduction
Hello, this is Hemanth from the Alliance Department. In this blog, I will demonstrate how to enable server access logging on an S3 bucket and enforce it with an AWS Config rule. The aim this time is to improve your understanding of AWS Config, S3, and how to automate compliance checks and logging.
AWS
Amazon Web Services is a cloud service platform that offers compute power, database storage, content delivery, networking, and other services to help businesses scale and grow. It launched in 2006, making it one of the first cloud vendors. It offers all three service models: IaaS, PaaS, and SaaS. Some of the notable service domains in AWS are Compute, Migration, Storage, Networking and Content Delivery, Management Tools, Database, Messaging, Security, Identity and Compliance, and many more.
Systems Manager
AWS Systems Manager is a management service that gives you visibility into and control over your AWS infrastructure. It streamlines administrative tasks such as monitoring, system configuration, resource management, and application deployment, and it collects information from several AWS services to help you keep your resources running and compliant. Its Automation feature runs predefined runbooks (automation documents); the AWS-ConfigureS3BucketLogging document used later in this post is one of them.
AWS Config
AWS Config records how your AWS resources are configured and keeps a history of every configuration change. Config Rules evaluate each resource's settings against the settings you intend and report it as compliant or noncompliant; Conformance Packs bundle rules for standardized compliance. Rules are evaluated when a resource's configuration changes or on a schedule, so results lag a change by a few minutes rather than being real-time. A rule on its own is detective: it flags drift but changes nothing. To fix noncompliant resources automatically, you attach a remediation action to the rule, which runs a Systems Manager Automation document. AWS Config supports a wide range of AWS services and improves visibility, compliance, and operational efficiency.
Demo
Create an S3 Bucket
Open the AWS Management Console and search for S3. Click on Create Bucket.
Provide a globally unique bucket name and, under Object Ownership, choose ACLs enabled. New buckets disable ACLs by default, and the Log Delivery group grant in the next step is an ACL grant, so it is rejected on a bucket with ACLs disabled. (AWS now recommends granting log delivery through a bucket policy to the logging.s3.amazonaws.com service principal instead of an ACL; the ACL path is used here because it is what the console checkbox and the automation document rely on.)
Leave other settings as default and click on Create Bucket.
Configure Bucket Permissions
Inside the bucket that will receive the logs (the target bucket), go to the Permissions tab and edit the Access control list (ACL).
Under S3 log delivery group, tick Objects: Write and Bucket ACL: Read, then click Save changes. These are the WRITE and READ_ACP permissions the log delivery group needs on the target bucket to deliver log objects.
Set Up AWS Config Rule
Go to the AWS Management Console, search for Config and click on Rules.
Click on Add Rule.
Select Add AWS managed rule, search for s3-bucket-logging-enabled (rule identifier S3_BUCKET_LOGGING_ENABLED), and click Next.
In the Parameters section, set targetBucket to the name of the log destination bucket and, optionally, targetPrefix. Both parameters are optional: with neither set, the rule only checks that logging is enabled; with them set, a bucket that logs to a different bucket or prefix is also reported as noncompliant. Fill in the remaining settings such as the rule name and click Save.
The rule is now created. AWS Config must already be recording S3 buckets in this region for the rule to evaluate anything.
After a few minutes, open the rule to see the compliance status of each bucket. Buckets without server access logging enabled are listed as Noncompliant.
Automate Logging with AWS Systems Manager
In the console, search for Systems Manager and navigate to Automation.
Click Execute Automation.
Search for AWS-ConfigureS3BucketLogging, select it, and click Next.
In Input parameters, provide the bucket name (the bucket to be logged), the target bucket and prefix (where the logs are written), the grantee type and granted permission, and the remaining fields shown for the document. Optionally supply an AutomationAssumeRole; without one the automation runs with the permissions of the user who started it.
Click Execute and wait for the execution status to show Success.
Verify that server access logging is enabled by checking the Server access logging setting under the bucket's Properties tab.
Return to AWS Config to confirm the bucket is now compliant; Config re-evaluates the rule on the configuration change, so allow a few minutes. To remove the manual step entirely, the same document can be attached to the rule as its remediation action so that Config runs it for every noncompliant bucket.
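As an added example (not code from the original post or from AWS), the following Python models what the s3-bucket-logging-enabled rule checks and builds the payloads the remediation step needs: the BucketLoggingStatus passed to put_bucket_logging, the recommended bucket policy for the target bucket, and the parameter map for the AWS-ConfigureS3BucketLogging automation. It makes no AWS calls; the GetBucketLogging responses, bucket names and account ID are constructed, and the automation parameter names are assumed to match the published document and should be checked against the Input parameters page before use.

```python
"""Added example: local model of the s3-bucket-logging-enabled evaluation and
the payloads needed to fix a noncompliant bucket. No AWS calls are made; the
responses below are constructed to look like s3.get_bucket_logging() output."""
import json

# URI of the S3 log delivery group used by the legacy ACL grant.
LOG_DELIVERY_GROUP_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Constructed sample responses keyed by (fictional) bucket name.
SAMPLE_RESPONSES = {
    "app-uploads": {},  # logging never enabled: no LoggingEnabled element
    "app-exports": {"LoggingEnabled": {"TargetBucket": "someone-elses-bucket",
                                       "TargetPrefix": "logs/"}},
    "app-backups": {"LoggingEnabled": {"TargetBucket": "my-log-bucket",
                                       "TargetPrefix": "logs/"}},
}


def evaluate_bucket_logging(response, target_bucket=None, target_prefix=None):
    """Return "COMPLIANT" or "NON_COMPLIANT" for one GetBucketLogging response.

    Mirrors the managed rule: logging must be on, and when the rule's
    targetBucket / targetPrefix parameters are set, the configured values
    must equal them. A bucket logging somewhere else is still noncompliant.
    """
    enabled = response.get("LoggingEnabled")
    if not enabled:
        return "NON_COMPLIANT"
    if target_bucket is not None and enabled.get("TargetBucket") != target_bucket:
        return "NON_COMPLIANT"
    if target_prefix is not None and enabled.get("TargetPrefix", "") != target_prefix:
        return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_all(responses, target_bucket=None, target_prefix=None):
    """Evaluate every bucket and return {bucket: status}, like the rule's results page."""
    return {name: evaluate_bucket_logging(resp, target_bucket, target_prefix)
            for name, resp in responses.items()}


def build_logging_status(target_bucket, target_prefix):
    """BucketLoggingStatus for s3.put_bucket_logging(Bucket=source, BucketLoggingStatus=...)."""
    return {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": target_prefix}}


def log_delivery_bucket_policy(target_bucket, target_prefix, source_bucket, source_account):
    """Bucket policy for the target bucket (the replacement for the ACL grant).

    Only the S3 logging service may write, only under the log prefix, and only
    on behalf of the named source bucket and account, which stops another
    account's bucket from filling your log bucket.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{target_bucket}/{target_prefix}*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                "StringEquals": {"aws:SourceAccount": source_account},
            },
        }],
    }


def remediation_parameters(source_bucket, target_bucket, target_prefix, assume_role_arn):
    """Parameters for ssm.start_automation_execution(
    DocumentName="AWS-ConfigureS3BucketLogging", Parameters=...).
    Key names are assumed to match the published document; verify in the console."""
    return {
        "BucketName": [source_bucket],
        "TargetBucket": [target_bucket],
        "TargetPrefix": [target_prefix],
        "GranteeType": ["Group"],
        "GranteeUri": [LOG_DELIVERY_GROUP_URI],
        "GrantedPermission": ["WRITE"],
        "AutomationAssumeRole": [assume_role_arn],
    }


def main():
    results = evaluate_all(SAMPLE_RESPONSES, target_bucket="my-log-bucket", target_prefix="logs/")
    for bucket, status in results.items():
        print(f"{bucket}: {status}")
        if status == "NON_COMPLIANT":
            # What the remediation would send for this bucket.
            print("  put_bucket_logging payload:", json.dumps(build_logging_status("my-log-bucket", "logs/")))
    policy = log_delivery_bucket_policy("my-log-bucket", "logs/", "app-uploads", "123456789012")
    print(json.dumps(policy, indent=2))


if __name__ == "__main__":
    main()
```

Running it shows app-uploads and app-exports as NON_COMPLIANT and app-backups as COMPLIANT, which is the distinction to keep in mind when you set the rule's targetBucket parameter: a bucket that logs to the wrong destination is flagged too, not only one with logging off.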
Conclusion
With these steps you can enable server access logging on your S3 buckets and use AWS Config to detect any bucket where it is missing. Pairing the rule with the Systems Manager automation turns that detection into a fix, which improves visibility and security for your S3 resources and keeps their compliance status current. Integrating AWS Config and Systems Manager into your workflow is a practical way to keep your AWS environment compliant and operationally efficient.