copilot-cli

Pipeline s3 bucket doesn't have server access logging enabled

Open gabelton opened this issue 1 year ago • 5 comments

Similar to this issue (thanks again for sorting so quickly), a pen test highlighted that the bucket created by copilot pipeline init doesn't have server access logging enabled. Is this by design?

gabelton avatar Oct 18 '23 10:10 gabelton

Hello @gabelton 👋

Can you explain to me your use case for server access logging on PipelineArtifactBucket? Do you want to store the access logs in another (target) S3 bucket?

KollaAdithya avatar Oct 18 '23 18:10 KollaAdithya

We can push back on the security recommendation, but currently when we create an S3 env addon, we also create a separate logging bucket and store access logs there. Ideally we'd do something similar for this artifact bucket too, in order to be compliant.

gabelton avatar Oct 19 '23 10:10 gabelton

I can see some of the security concerns mentioned in this doc.

Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

Ask:

Store access logs (which include all the requests made to the bucket) of PipelineArtifactBucket in a target S3 bucket (create a new S3 bucket to store these logs).

Link to doc to enable server logs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

KollaAdithya avatar Oct 19 '23 20:10 KollaAdithya
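The ask above (a separate target bucket for the artifact bucket's access logs, plus the bucket policy that lets the S3 log delivery service write there) is something a reviewer can check mechanically in the rendered CloudFormation before deploying. The following is an added example written for this page, not code from the thread or from Copilot itself: it embeds a constructed template that models that layout (the resource names `PipelineArtifactBucket`, `AccessLogBucket`, `AccessLogBucketPolicy` and `UnloggedBucket` are invented for the example) and lints it for buckets with no `LoggingConfiguration` and for log targets whose bucket policy does not allow `logging.s3.amazonaws.com` to `s3:PutObject`.

```python
"""Added example: lint a CloudFormation template for S3 buckets that lack
server access logging. The template below is constructed for this example
and is not the template Copilot generates."""
import json

SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "PipelineArtifactBucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "LoggingConfiguration": {"DestinationBucketName": {"Ref": "AccessLogBucket"},
                             "LogFilePrefix": "pipeline-artifacts/"}}},
  "AccessLogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}}},
  "AccessLogBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
    "Bucket": {"Ref": "AccessLogBucket"},
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
      "Sid": "S3ServerAccessLogsPolicy", "Effect": "Allow",
      "Principal": {"Service": "logging.s3.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": {"Fn::Sub": "${AccessLogBucket.Arn}/*"}}]}}},
  "UnloggedBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
}}
""")


def s3_buckets(template):
    """Return {logical_id: properties} for every AWS::S3::Bucket resource."""
    return {name: res.get("Properties", {})
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::S3::Bucket"}


def logging_target(props):
    """Logical id (for a Ref) or literal name of the bucket that receives this
    bucket's access logs; None when no LoggingConfiguration is present."""
    dest = props.get("LoggingConfiguration", {}).get("DestinationBucketName")
    return dest.get("Ref") if isinstance(dest, dict) else dest


def log_delivery_permitted(template, target_id):
    """True if an AWS::S3::BucketPolicy attached to target_id allows the S3
    log delivery service principal to s3:PutObject into the bucket."""
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res.get("Properties", {})
        bucket = props.get("Bucket")
        if not (isinstance(bucket, dict) and bucket.get("Ref") == target_id):
            continue
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            principal = stmt.get("Principal", {})
            service = principal.get("Service") if isinstance(principal, dict) else None
            services = service if isinstance(service, list) else [service]
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            if (stmt.get("Effect") == "Allow"
                    and "logging.s3.amazonaws.com" in services
                    and any(a in ("s3:PutObject", "s3:*") for a in actions)):
                return True
    return False


def buckets_without_access_logging(template):
    """Logical ids of buckets with no LoggingConfiguration. Buckets that only
    exist as a log destination are skipped: AWS recommends a separate
    destination, and a log bucket logging to itself would also record its
    own log deliveries."""
    buckets = s3_buckets(template)
    targets = {logging_target(p) for p in buckets.values()} - {None}
    return sorted(name for name, props in buckets.items()
                  if logging_target(props) is None and name not in targets)


def findings(template):
    """Findings a reviewer would raise: unlogged buckets, and log targets
    defined in the template that lack the delivery-service bucket policy."""
    buckets = s3_buckets(template)
    out = [f"{b}: no server access logging configured"
           for b in buckets_without_access_logging(template)]
    for props in buckets.values():
        target = logging_target(props)
        if target in buckets and not log_delivery_permitted(template, target):
            out.append(f"{target}: bucket policy does not allow "
                       "logging.s3.amazonaws.com s3:PutObject")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_TEMPLATE):
        print(line)
```

Running the block reports only `UnloggedBucket`; `PipelineArtifactBucket` passes because its logs go to `AccessLogBucket`, and `AccessLogBucket` passes because it is a log destination with the required delivery-service policy. Point the same functions at a template loaded from `copilot pipeline package` output to audit the real stack.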

This has also been highlighted in a pen test on a project I'm working on.

misaka avatar Jan 09 '24 00:01 misaka

Hi again, @KollaAdithya

I don't suppose you have any rough idea of when we might expect to see this enhancement added? Our cyber team are asking.

gabelton avatar Mar 05 '24 13:03 gabelton