Terraform

Made by DeepSource

S3 Bucket does not have logging enabled TF-AWS002

Security
Major

Buckets should have logging enabled so that access can be audited.

Server access logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill. Enable logging by specifying target_bucket and target_prefix in the logging object.

Examples

Bad practice

resource "aws_s3_bucket" "my-bucket" {
    # No logging block: requests made to this bucket are not recorded.
}

Recommended

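resource "aws_s3_bucket" "my-bucket" {
    logging {
        # Bucket that receives the server access logs.
        target_bucket = "target-bucket"
        # Key prefix for the log objects ("log/" is an example value).
        target_prefix = "log/"
    }
}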
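
The inline logging block above is deprecated in AWS provider v4 and later, where the same setting lives in a separate aws_s3_bucket_logging resource. The configuration below is an added example, not DeepSource's own code, showing that form together with the destination bucket and the policy that lets the S3 logging service write to it. It assumes AWS provider v4 or later; the bucket names and the "log/" prefix are placeholders.

```hcl
# Constructed example: bucket names and the "log/" prefix are placeholders.

# Bucket whose requests should be audited.
resource "aws_s3_bucket" "my-bucket" {
  bucket = "my-bucket-example"
}

# Separate destination bucket that receives the access logs.
resource "aws_s3_bucket" "target-bucket" {
  bucket = "target-bucket-example"
}

# Allow the S3 logging service to write log objects under the prefix,
# and only when it is acting on behalf of the source bucket.
data "aws_iam_policy_document" "allow-access-logs" {
  statement {
    sid       = "S3ServerAccessLogs"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.target-bucket.arn}/log/*"]

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.my-bucket.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "target-bucket" {
  bucket = aws_s3_bucket.target-bucket.id
  policy = data.aws_iam_policy_document.allow-access-logs.json
}

# Provider v4+ replacement for the inline logging block.
resource "aws_s3_bucket_logging" "my-bucket" {
  bucket        = aws_s3_bucket.my-bucket.id
  target_bucket = aws_s3_bucket.target-bucket.id
  target_prefix = "log/"
}
```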
