CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.
Recommended Mitigation
Make sure your S3 buckets used to store Cloudtrail Logs are configured with Block Public Access enabled
Data protection
