CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
Perform the following to remove any public access that has been granted to the bucket via
an ACL or S3 bucket policy:
By default, S3 buckets are not publicly accessible“