S3 Server Access Log Bucket Policy
In the last post we deployed a CloudTrail bucket policy. I showed you some differences between the documentation and the bucket policy deployed by AWS Control Tower.
S3 Bucket Policy for an Organization CloudTrail Bucket
ACM.198 Formulating the code for our Organization CloudTrail Bucket
We’re going to need to add an S3 bucket policy to the AWS S3 server access log bucket per the documentation. Even though the console seemed to indicate one would be added, the policy was empty, as I explained in the post where we created the bucket. We’ll add a policy ourselves the same way we did for our CloudTrail bucket. Once again, I will compare the documentation to what got deployed by CloudTrail.
Here’s the documentation with a sample policy.
Out of curiosity, I’m once again going to take a look at the policy created by AWS Control Tower for the Server Access Log bucket associated with that AWS organization CloudTrail bucket.
Hmmmmm. That doesn’t match the documentation at all. Public access is blocked on this bucket, which is good. But who can write to it? The only statement in this policy is a Deny statement enforcing the use of TLS for transport.
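To make the comparison concrete, here is an added example (my own code, not from the post or from AWS) that builds a server access log bucket policy in the shape the AWS documentation describes (an Allow for the logging.s3.amazonaws.com service principal to s3:PutObject, scoped with aws:SourceAccount and aws:SourceArn) together with the TLS-enforcing Deny, and then audits an arbitrary policy document for those elements. The bucket names and account ID are constructed placeholders, and the TLS-only policy is my reconstruction of what the post describes, not the exact Control Tower policy.

```python
import json

LOGGING_PRINCIPAL = "logging.s3.amazonaws.com"


def _as_list(value):
    """Action, Resource and Principal.Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def logging_policy(log_bucket, source_bucket, account_id):
    """Policy for an S3 server access log bucket, following the statement shape
    in the AWS documentation, plus a Deny that requires TLS. Names are assumed."""
    bucket_arn = f"arn:aws:s3:::{log_bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3ServerAccessLogsPolicy",
                "Effect": "Allow",
                "Principal": {"Service": LOGGING_PRINCIPAL},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                # Both conditions keep another account's bucket from logging into ours
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                },
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


# Constructed stand-in for a policy whose only statement is the TLS Deny
TLS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [logging_policy("example-log-bucket", "x", "000000000000")["Statement"][1]],
}


def audit_log_bucket_policy(policy):
    """Return findings: who can write, whether the logging grant is scoped,
    and whether insecure transport is denied. Empty list means no findings."""
    findings = []
    logging_allows = []
    tls_deny = False
    for st in _as_list(policy.get("Statement")):
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action"))
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        cond = st.get("Condition", {})
        writes = any(a in ("s3:PutObject", "s3:Put*", "s3:*") for a in actions)
        if st.get("Effect") == "Allow" and writes:
            if principal == "*" or principal == {"AWS": "*"}:
                findings.append(f"{sid}: Allow lets any principal write objects")
            if LOGGING_PRINCIPAL in services:
                logging_allows.append(st)
        if st.get("Effect") == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            tls_deny = True
    if not logging_allows:
        findings.append(f"no Allow statement lets {LOGGING_PRINCIPAL} write objects")
    for st in logging_allows:
        keys = {k for block in st.get("Condition", {}).values() for k in block}
        for required in ("aws:SourceAccount", "aws:SourceArn"):
            if required not in keys:
                findings.append(f"{st.get('Sid', '<no Sid>')}: logging grant lacks {required} condition")
    if not tls_deny:
        findings.append("no Deny statement enforcing aws:SecureTransport")
    return findings


if __name__ == "__main__":
    good = logging_policy("my-access-logs", "my-cloudtrail-bucket", "111122223333")
    print(json.dumps(good, indent=2))
    print("documented shape:", audit_log_bucket_policy(good))
    print("TLS-only policy:", audit_log_bucket_policy(TLS_ONLY_POLICY))
```

Running the audit against the TLS-only policy reports that nothing grants the logging service principal write access, which is exactly the question the Control Tower policy leaves open; whether writes still succeed then depends on ACLs and object ownership rather than on the bucket policy.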
Recall my post on who owns the objects in an S3 bucket.