AWS Security Hub · CloudTrail
CloudTrail.7: Enable access logging on the CloudTrail S3 bucket
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub CloudTrail.7 check?
CloudTrail.7 fails when the S3 bucket storing CloudTrail logs does not have S3 server access logging enabled. This is request-level bucket logging, distinct from CloudTrail's API-level account logging.
Why does CloudTrail.7 matter?
CloudTrail records the API calls made in your account, but management events do not include object-level reads of the log bucket itself; only S3 data events on that bucket (billed per event) would. Server access logging adds that request-level record on the S3 side: who read, listed or attempted to read the audit logs, from which IP address and with what result. That is exactly the forensic detail you want if someone goes after the trail. Delivery of access logs is best-effort rather than guaranteed, so treat them as supporting evidence rather than a complete record. The CIS AWS Foundations Benchmark and PCI DSS both expect it on the audit bucket.
How do I fix CloudTrail.7?
- Choose or create a separate target bucket for the access logs, in the same Region and account as the CloudTrail bucket (S3 requires both), and harden it: block public access and restrict who can read it.
- Grant the S3 logging service permission to write to the target bucket. On buckets with ACLs disabled (Object Ownership set to bucket owner enforced, the default for new buckets) that means a bucket policy allowing s3:PutObject for the service principal logging.s3.amazonaws.com; the legacy S3 log-delivery group ACL only works where ACLs are still enabled.
- Enable server access logging on the CloudTrail bucket, pointing it at the target bucket and a prefix via put-bucket-logging, then confirm with get-bucket-logging that LoggingEnabled is set.
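The three steps above as one script. This is an added example, not code from the page or from AWS; the bucket names, Region and account ID are placeholders. The bucket policy and logging configuration are built by two plain functions so they can be inspected without touching AWS, and the CLI calls only run when CLOUDTRAIL_BUCKET is set in the environment. It goes one step beyond the list: the target-bucket policy is scoped with aws:SourceArn and aws:SourceAccount so that only this CloudTrail bucket, in this account, can deliver logs into it, and the logging function refuses a target equal to the source.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): remediate CloudTrail.7 by enabling
# S3 server access logging on the CloudTrail bucket, delivering to a separate,
# hardened target bucket in the same Region and account.
# All bucket names, the Region and the account ID are placeholder assumptions.
set -eu

# --- Document builders (pure functions, no AWS calls) ---------------------

# Bucket policy letting the S3 logging service principal write access logs.
# Used instead of the log-delivery group ACL because the target bucket has
# ACLs disabled (Object Ownership = bucket owner enforced). The SourceArn and
# SourceAccount conditions stop any other bucket or account from delivering
# into our target.
log_delivery_policy_json() {
  target_bucket=$1; source_bucket=$2; account_id=$3
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ServerAccessLogsPolicy",
      "Effect": "Allow",
      "Principal": { "Service": "logging.s3.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${target_bucket}/*",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "arn:aws:s3:::${source_bucket}" },
        "StringEquals": { "aws:SourceAccount": "${account_id}" }
      }
    }
  ]
}
EOF
}

# Logging configuration for put-bucket-logging. Refuses a self-referential
# target: every delivered log record is itself a PUT that would generate
# another record, looping forever.
logging_config_json() {
  source_bucket=$1; target_bucket=$2; prefix=$3
  if [ "$source_bucket" = "$target_bucket" ]; then
    echo "refusing to log $source_bucket into itself" >&2
    return 1
  fi
  cat <<EOF
{ "LoggingEnabled": { "TargetBucket": "${target_bucket}", "TargetPrefix": "${prefix}" } }
EOF
}

# --- Remediation (runs only when the caller provides bucket names) --------
remediate_cloudtrail_7() {
  source_bucket=$1; target_bucket=$2; region=$3; account_id=$4
  prefix="s3-access-logs/${source_bucket}/"

  # 1. Target bucket in the same Region and account as the source (an S3
  #    requirement), public access blocked, ACLs disabled.
  create_args=""
  if [ "$region" != us-east-1 ]; then
    create_args="--create-bucket-configuration LocationConstraint=$region"
  fi
  aws s3api create-bucket --bucket "$target_bucket" --region "$region" $create_args
  aws s3api put-public-access-block --bucket "$target_bucket" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-ownership-controls --bucket "$target_bucket" \
    --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'

  # 2. Let the S3 logging service write into it.
  aws s3api put-bucket-policy --bucket "$target_bucket" \
    --policy "$(log_delivery_policy_json "$target_bucket" "$source_bucket" "$account_id")"

  # 3. Turn on server access logging on the CloudTrail bucket.
  aws s3api put-bucket-logging --bucket "$source_bucket" \
    --bucket-logging-status "$(logging_config_json "$source_bucket" "$target_bucket" "$prefix")"

  # 4. Verify. "None" here means logging is still off and the control keeps failing.
  aws s3api get-bucket-logging --bucket "$source_bucket" \
    --query LoggingEnabled.TargetBucket --output text
}

# Usage (placeholders):
#   CLOUDTRAIL_BUCKET=my-cloudtrail-logs-bucket TARGET_BUCKET=my-cloudtrail-access-logs \
#   AWS_REGION=us-east-1 ACCOUNT_ID=111122223333 bash cloudtrail7.sh
if [ -n "${CLOUDTRAIL_BUCKET:-}" ]; then
  remediate_cloudtrail_7 "$CLOUDTRAIL_BUCKET" "$TARGET_BUCKET" "$AWS_REGION" "$ACCOUNT_ID"
fi
```

Run it with the four environment variables set; without them it only defines the functions, which is handy for reviewing the generated policy before applying it.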
Remediation script · bash
# Prerequisite: a multi-Region trail delivering to the bucket. This covers
# CloudTrail.1, .3, .4 and .5. It does NOT fix CloudTrail.7, which is a setting on
# the S3 bucket (put-bucket-logging), nor CloudTrail.2 (no --kms-key-id here).
aws cloudtrail create-trail \
--name org-audit-trail \
--s3-bucket-name my-cloudtrail-logs-bucket \
--is-multi-region-trail \
--include-global-service-events \
--enable-log-file-validation \
--cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:111122223333:log-group:/aws/cloudtrail/org:* \
--cloud-watch-logs-role-arn arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role
# Capture read AND write management events (not data events, which are billed per event).
# This is the create-trail default; setting it explicitly makes later drift obvious.
aws cloudtrail put-event-selectors --trail-name org-audit-trail \
--event-selectors ReadWriteType=All,IncludeManagementEvents=true
# Defining the trail does not record anything: start it, then verify it is logging (prints True).
aws cloudtrail start-logging --name org-audit-trail
aws cloudtrail get-trail-status --name org-audit-trail --query IsLogging --output text
# For org-wide coverage, set --is-organization-trail (update-trail accepts it, so no
# need to recreate) from the management or delegated-admin account so every member
# account inherits the trail automatically.
Full walkthrough (console steps, edge cases and verification) in the lesson Enable CloudTrail and API activity logging.
Is CloudTrail.7 a false positive?
Rarely. The control checks only whether server access logging is enabled on the bucket CloudTrail writes to, so a FAILED finding means it is genuinely off. The one configuration to avoid when fixing it: never point the access logs back at the CloudTrail bucket itself. Each delivered log record is a write that generates another log record, creating a self-referential loop. The target must be a different bucket, in the same Region and account as the source.
More CloudTrail controls
- CloudTrail.1 No multi-Region trail captures read/write management events
- CloudTrail.2 CloudTrail logs are not KMS-encrypted
- CloudTrail.3 No CloudTrail trail is enabled at all
- CloudTrail.4 CloudTrail log file validation should be enabled
- CloudTrail.5 CloudTrail is not wired to CloudWatch for alerting
- CloudTrail.6 The CloudTrail log bucket is publicly accessible
- CloudTrail.10 CloudTrail Lake stores should use customer-managed KMS