S3 Bucket does not have logging enabled.

Explanation

Buckets should have logging enabled so that access can be audited.

Insecure Example

The following example will fail the AWS002 check.

resource "aws_s3_bucket" "my-bucket" {

}

Secure Example

The following example will pass the AWS002 check.

resource "aws_s3_bucket" "my-bucket" {
	logging {
		target_bucket = "target-bucket"
	}
}

Related Links

• https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket