Compliance Critical severity

AWS Security Hub · CloudTrail

CloudTrail.6: The CloudTrail log bucket is publicly accessible

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub CloudTrail.6 check?

CloudTrail.6 fails when the S3 bucket holding CloudTrail logs is publicly accessible: anonymous users or any AWS principal can read or write it because account-level or bucket-level Block Public Access is not enforced, or because the bucket policy or a legacy ACL grants access to AllUsers or AuthenticatedUsers.

Why does CloudTrail.6 matter?

The CloudTrail bucket is your account's full audit history, and its name usually follows the predictable aws-cloudtrail-logs-<account-id>-<random> pattern — so an attacker doesn't even need to discover it, just guess and try an anonymous GET. A public read leaks every API call you've made; a public write lets an intruder destroy the evidence. Either way the bucket that's supposed to catch attackers becomes a gift to them.

How do I fix CloudTrail.6?

  1. Enable account-level S3 Block Public Access and bucket-level Block Public Access on the trail bucket.
  2. Remove any bucket-policy statement or ACL that grants access to AllUsers or AuthenticatedUsers.
  3. Re-audit the four layers (account BPA, bucket BPA, policy, ACL) to confirm none still grants public access.
  4. For a centralised log bucket, scope the policy to only the specific accounts that must deliver to it.
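The re-audit in step 3 is easy to get wrong because the four layers interact: a public ACL only matters if IgnorePublicAcls is off at both the account and the bucket, and a public policy statement only matters if RestrictPublicBuckets is off at both. The following Python is an added example, not Emnode's or AWS's code; it models that interaction offline over constructed inputs shaped like the parsed output of `aws s3control get-public-access-block`, `aws s3api get-public-access-block`, `aws s3api get-bucket-policy` (the `Policy` string, JSON-decoded) and `aws s3api get-bucket-acl`. The model is deliberately simplified (a wildcard principal is treated as public regardless of any Condition), so it errs on the side of reporting a grant for review.

```python
"""Offline audit of the four layers that decide whether an S3 bucket is public.

Added example; the input shapes mirror the AWS CLI JSON responses, and the
sample data below is constructed, not captured from a real account.
"""
import json

# Keys match PublicAccessBlockConfiguration as the CLI returns it.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# ACL group URIs that mean "anyone" and "any AWS account".
PUBLIC_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)

def effective_bpa(account_bpa, bucket_bpa):
    """A flag is enforced if either the account or the bucket sets it."""
    return {f: bool(account_bpa.get(f)) or bool(bucket_bpa.get(f)) for f in BPA_FLAGS}

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False

def public_policy_statements(policy):
    """Sids (or positional labels) of Allow statements open to any principal."""
    out = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal")):
            out.append(st.get("Sid", f"statement[{i}]"))
    return out

def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return out

def audit_bucket(account_bpa, bucket_bpa, policy, acl):
    """Combine all four layers into one verdict plus the grants still to clean up."""
    bpa = effective_bpa(account_bpa, bucket_bpa)
    stmts = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    reasons = []
    if stmts and not bpa["RestrictPublicBuckets"]:
        reasons.append("bucket policy grants public access: " + ", ".join(stmts))
    if grants and not bpa["IgnorePublicAcls"]:
        reasons.append("ACL grants public access: " + ", ".join(f"{g}:{p}" for g, p in grants))
    return {
        "public": bool(reasons),
        "reasons": reasons,
        # Grants that BPA currently neutralises but step 2 should still remove.
        "residual_grants": {"policy": stmts, "acl": grants},
        "unenforced_bpa": [f for f in BPA_FLAGS if not bpa[f]],
    }

# --- constructed sample inputs (not from a real account) ---
ACCOUNT_BPA_LEGACY = {f: False for f in BPA_FLAGS}
ACCOUNT_BPA_HARDENED = {f: True for f in BPA_FLAGS}
BUCKET_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-bucket"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-bucket/*"}
  ]
}""")
ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[1]}, "Permission": "READ"},
]}

if __name__ == "__main__":
    for label, acct in (("before", ACCOUNT_BPA_LEGACY), ("after", ACCOUNT_BPA_HARDENED)):
        print(label, json.dumps(audit_bucket(acct, BUCKET_BPA, POLICY, ACL), indent=2))
```

With the legacy account settings the bucket is reported public for both the policy statement and the ACL grant; after account-level BPA is enabled the verdict flips to not public, but `residual_grants` still lists the wildcard statement and the AuthenticatedUsers grant, which is exactly why step 2 remains necessary even once step 1 is done.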

Remediation script · bash

#!/usr/bin/env bash
# Stop on the first failed AWS CLI call rather than silently continuing.
set -euo pipefail

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
# Resolve the account ID from the active credentials instead of hard-coding it.
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
aws s3control put-public-access-block --account-id "$ACCOUNT_ID" \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Part of the learning path Trim your network spend
  • CloudTrail.1 No multi-Region trail captures read/write management events
  • CloudTrail.2 CloudTrail logs are not KMS-encrypted
  • CloudTrail.3 No CloudTrail trail is enabled at all
  • CloudTrail.4 CloudTrail log file validation should be enabled
  • CloudTrail.5 CloudTrail is not wired to CloudWatch for alerting
  • CloudTrail.7 Enable access logging on the CloudTrail S3 bucket
  • CloudTrail.10 CloudTrail Lake stores should use customer-managed KMS