Muhtashim Ayub
In this video the comments about cloudtrail – around the 4-5minute mark.
What is the point of copying across logs to a bucket for another account and then not being able to read them?
2 Answers
Allan Holmes
Separation of duties, but more importantly the concept of least privileged access. You would replicate the bucket and have it restricted to read only by your security team folks to monitor and audit the logs but no one else for example.
d s
basically, cloudtrail logs can contain sensitive information about your environment
This follows the principle of "Separation-Of-Duties". One process (service, account, microservice) will only write logs but will not be able to READ or DELETE the data. Other App/Service audit specific logs might also exist in that S3 bucket, which shall not be readable anyone who can write there. CloudTrail is used for AUDIT where the data integrity is of paramount importance. If a role has permission to WRITE, READ and DELETE the logs, a principle can potentially assume that role to tamper the logs. This S-o-P is not the case ALWAYS but is the recommended best practice. Certain businesses govern such policies. Another example is a principal having permissions to ONLY encrypt the data using KMS but not having the permission to decrypt it.