I'm diving into the CIS 1.3 requirements and I need to enable all read and write data events for all my S3 buckets using CloudTrail. My thought was to enable data events at the organization level trail for simplicity, but I'm worried this might create a logging loop since CloudTrail would be trying to log its own bucket's data. Is this a valid concern, or am I just overthinking it?
1 Answer
Yes, the logging loop is definitely something to be concerned about. Make sure you have AWS Budget and Cost Alerts set up because logging every single S3 access from every bucket can lead to super high costs. I've seen cases where companies got hit with $70K bills just for logging everything in a bucket that wasn't even sensitive. It's crucial to have a clear discussion with your security team about which S3 buckets genuinely need logging and which ones can be excluded to avoid unnecessary expenses.
That’s true! It’s frustrating that the Security Hub control is account-level, and you can’t skip buckets easily. I wish there was more chatter about this.
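One way to implement the answer's advice (log every bucket except the ones you deliberately exclude, starting with the trail's own delivery bucket) as a CloudTrail advanced event selector. This is an added example, not code from the thread or from AWS; the bucket and trail names are assumptions, the sample records are constructed, and the small local matcher mirrors the documented selector rules (all FieldSelectors in a selector must match, values inside one FieldSelector are ORed, Not* operators reject the event if any listed value matches) so the exclusion can be checked offline before anything is pushed with `put_event_selectors`.

```python
"""Advanced event selectors for S3 data events that skip the trail's own log bucket.

Added example for the thread above, not from the original post. LOG_BUCKET and
TRAIL_NAME are assumed names; SAMPLE_RECORDS are constructed CloudTrail records.
"""

LOG_BUCKET = "example-org-cloudtrail-logs"  # assumed name of the trail's delivery bucket
TRAIL_NAME = "org-trail"                    # assumed organization trail name


def s3_data_event_selectors(log_bucket: str, extra_excluded: tuple[str, ...] = ()) -> list[dict]:
    """Read and write S3 object events for every bucket except the CloudTrail
    delivery bucket (the logging-loop source) and any buckets the security team
    agreed to leave out. The management selector is kept because advanced
    selectors replace basic ones: without it, management events stop being logged."""
    excluded = [f"arn:aws:s3:::{b}/" for b in (log_bucket, *extra_excluded)]
    return [
        {"Name": "All management events",
         "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
        {"Name": "S3 object read/write events minus excluded buckets",
         "FieldSelectors": [
             {"Field": "eventCategory", "Equals": ["Data"]},
             {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
             # One NotStartsWith with several values: dropped if the ARN starts with any.
             {"Field": "resources.ARN", "NotStartsWith": excluded},
         ]},
    ]


_POSITIVE = {
    "Equals": lambda actual, wanted: actual == wanted,
    "StartsWith": lambda actual, wanted: actual.startswith(wanted),
    "EndsWith": lambda actual, wanted: actual.endswith(wanted),
}


def _field_selector_matches(selector: dict, fields: dict) -> bool:
    actual = fields.get(selector["Field"])
    if actual is None:
        return False
    for op, values in selector.items():
        if op == "Field":
            continue
        negated = op.startswith("Not")
        test = _POSITIVE[op[3:] if negated else op]
        hit = any(test(actual, v) for v in values)
        if hit == negated:  # positive op needs a hit; negated op must have none
            return False
    return True


def selector_fields(record: dict) -> dict:
    """Flatten the parts of a CloudTrail record that S3 selectors can reference."""
    obj = next((r for r in record.get("resources", []) if r.get("type") == "AWS::S3::Object"), {})
    return {
        "eventCategory": record.get("eventCategory"),
        "readOnly": "true" if record.get("readOnly") else "false",
        "resources.type": obj.get("type"),
        "resources.ARN": obj.get("ARN"),
    }


def would_be_logged(selectors: list[dict], record: dict) -> bool:
    """True if any selector matches the record on every one of its field selectors."""
    fields = selector_fields(record)
    return any(all(_field_selector_matches(fs, fields) for fs in s["FieldSelectors"])
               for s in selectors)


def s3_record(event_name: str, bucket: str, key: str, read_only: bool) -> dict:
    """Constructed CloudTrail S3 data-event record with the fields the matcher uses."""
    return {
        "eventCategory": "Data", "eventSource": "s3.amazonaws.com",
        "eventName": event_name, "readOnly": read_only,
        "resources": [
            {"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{bucket}/{key}"},
            {"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}"},
        ],
    }


SAMPLE_RECORDS = {
    # CloudTrail delivering its own log file into the trail bucket: the write that would loop.
    "cloudtrail_delivery": s3_record("PutObject", LOG_BUCKET,
                                     "AWSLogs/o-exampleorg/111122223333/CloudTrail/us-east-1/x.json.gz", False),
    "app_get": s3_record("GetObject", "example-app-data", "reports/q1.csv", True),
    "app_put": s3_record("PutObject", "example-app-data", "uploads/new.csv", False),
    "create_bucket": {"eventCategory": "Management", "eventName": "CreateBucket", "readOnly": False,
                      "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-app-data"}]},
}


def apply_to_trail(trail_name: str, selectors: list[dict]) -> dict:
    """Push the selectors with boto3 (needs AWS credentials; not called by the offline checks)."""
    import boto3  # imported lazily so the local matching needs no AWS SDK
    return boto3.client("cloudtrail").put_event_selectors(
        TrailName=trail_name, AdvancedEventSelectors=selectors)


if __name__ == "__main__":
    selectors = s3_data_event_selectors(LOG_BUCKET, extra_excluded=("example-public-assets",))
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name:20s} logged={would_be_logged(selectors, record)}")
```

Run it as-is to see which constructed records the selector keeps; the delivery write into the log bucket is the one dropped. Pushing the selectors with `apply_to_trail` replaces whatever basic selectors the trail had, which is why the management selector travels with the S3 one.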