S3 Server Access Log Bucket Policy

ACM.200 Revisiting default AWS S3 ACLs that still exist

Teri Radichel
6 min readApr 22


Part of my series on Automating Cybersecurity Metrics and stories on AWS S3 Buckets. The Code.

Free Content on Jobs in Cybersecurity | Sign up for the Email List

In the last post we deployed a CloudTrail bucket policy. I showed you some differences between the documentation and the bucket policy deployed by AWS Control Tower.

We’re going to need to add an S3 bucket policy to the AWS S3 server access log bucket per the documentation. Even though the console seemed to indicate one would be added the policy was empty as I explained in the post where we created the bucket. We’ll add a policy ourselves the same way we did for our CloudTrail bucket. Once again, I will compare the documentation to what got deployed by CloudTrail.

Here’s the documentation with a sample policy.

Out of curiosity, I once again am going to take a look at the policy created by AWS Control Tower for the Server Access Log bucket associated with that AWS organization CloudTrail bucket.

Hmmmmm. That doesn’t match at all. Public access is blocked on this bucket which is good. But who can write to it? The only statement in this policy is a Deny statement enforcing the use of TLS for transport.

Recall my post on who owns the objects in an S3 bucket.



Teri Radichel

Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN, etc. | AWS Hero | IANS Faculty | 2ndSightLab.com

Recommended from Medium


See more recommendations