Patch 417

en/aws/cloudtrail/cloudtrail-bucket-private.md

@@ -15,16 +15,18 @@
 | **Recommended Action** | Set the S3 bucket access policy for all CloudTrail buckets to only allow known users to access its files. |
 
 ## Detailed Remediation Steps
-1. Log into the AWS Management Console.
+1. Log in to the AWS Management Console.
 2. Select the "Services" option and search for "CloudTrail".</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step2.png"/>
-3. In the "Dashboard" panel click on "View trails" button.</br> <img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step3.png"/>
-4. Select the "trail" that needs to be verified under "Name" column.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step4.png"/>
+3. In the "Dashboard" panel click on the desired trail from the list under "Trails" to get to its configuration page.</br> <img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step3.png"/>
+4. Click on "Edit" under "General details".</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step4.png"/>
 5. Scroll down and under the "Storage location" option check the S3 bucket used to store log data.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step5.png"/>
 6. Go to "Services" and search for "S3" to go into S3 buckets dashboard.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step6.png"/>
-7. Select the "S3 bucket" used to store data log in CloudTrail and check the "Access" option. If "Access" shows "Public" than bucket is publicly accessible </br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step7.png"/>
-8. Click on "Edit Public Access Settings" to configure the S3 Bucket access. </br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step8.png"/>
-9. Click on the checkboxes shown under "Manage public Access control lists (ACLs)" and "Manage public bucket policies" to make the S3 bucket private.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step9.png"/>
-10. Select the "S3 bucket" used by CloudTrail and click on "Permissions" tab.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step10.png"/>
-11. Select the "Access Control List" from the menu and search for any group with the name "Everyone" and make sure this group has no checkboxes enabled. If this group has one or more checkboxes enabled than the selected S3 bucket is publicly accessible. </br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step11.png"/>
-12. Check the "Access for other AWS accounts" on the selected S3 bucket for known users.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step12.png"/>
-13. S3 buckets access policy for all "CloudTrail buckets" have access allow only to known users now. 
+7. Select the "S3 bucket" used to store data log in CloudTrail and check the "Access" option. If "Access" shows "Objects can be public" than bucket is publicly accessible </br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step7.png"/>
+8. Click on the Bucket name to get into its configuration page. </br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step8.png"/>
+9. Click on the "Permissions" tab and scroll down to "Block public access (bucket settings)" and click "Edit".</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step9.png"/>
+10. Select the checkbox "Block all public access" shown under "Block public access (bucket settings)" to make the S3 bucket private.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step10.png"/>
+11. Click on "save changes" to save the settings.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step11.png"/>
+12. On the permissions tab scroll down to "Access control list (ACL) to check the access for other AWS accounts on the selected S3 bucket for known users. Click "Edit" to add permissions for accounts as desired.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step12.png"/>
+13. On the "Edit access control list (ACL)" page click on "Add grantee" button to grant acess to other AWS accounts as desired.</br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step13.png"/>
+14. Under "Access for other AWS accounts" paste the Canonical ID of the desired AWS account and check desired permissions. Review and click "Save changes". </br><img src="/resources/aws/cloudtrail/cloudtrail-bucket-private/step14.png"/>
+15. Repeat steps 4 to 14 for all other Cloudtrail trails.