Query: Ensure the S3 bucket CloudTrail logs to is not publicly accessible

Description

CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), be applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.

Query

Tables used in this query:

• aws_cloudtrail_trail
• aws_s3_bucket

Controls using this query:

• 2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
• 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
• 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
• 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
• 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
• Ensure the S3 bucket CloudTrail logs to is not publicly accessible

SQL