ELB Access Log

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ELB-009

Ensure that your Amazon Classic Load Balancers have the Access Logging feature enabled for security, troubleshooting, and audit purposes.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

This rule can help you work with the AWS Well-Architected Framework (Security and Sustainability pillars).

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

After you enable and configure access logging for your Classic Load Balancers, the log files are delivered to the S3 bucket of your choice at the interval you select (every 5 or 60 minutes). Each entry records a request processed by the load balancer: client address, backend instance, request line, user agent, processing times, bytes transferred, and the status codes returned by the load balancer and by the backend (for TCP and SSL listeners the entry records the connection, and the request and user-agent fields contain only dashes). This data can be extremely useful for analyzing traffic patterns, implementing protection plans, and identifying and troubleshooting security issues. Access logging is disabled by default, and the load balancer can only deliver logs to a bucket in its own region whose bucket policy allows the Elastic Load Balancing service account to write to it.
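As an added illustration of what these logs make possible (example code written for this page, not Conformity or AWS tooling), the following Python parses Classic Load Balancer access log entries in the documented 15-field format and flags clients that collect a burst of 4xx responses, as well as requests the load balancer could not hand to any registered instance. The log lines are constructed samples; the load balancer name, addresses and paths in them are placeholders.

```python
"""Parse Classic Load Balancer access log entries and flag suspicious traffic.

Added example for this page (not Conformity or AWS code). Uses the documented
Classic ELB access log layout: 15 space-separated fields with the request and
user agent in double quotes. The sample lines below are constructed.
"""
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two normal requests, three 403s from one probing client,
# one request the ELB could not dispatch to a backend (backend "-", times -1)
# and one entry from a TCP listener, whose request field is "- - - ".
SAMPLE_LOG = """\
2024-05-13T23:39:43.945958Z cc-frontend-load-balancer 198.51.100.7:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2024-05-13T23:39:44.100000Z cc-frontend-load-balancer 198.51.100.7:2818 10.0.0.1:80 0.000061 0.000912 0.000049 200 200 0 1204 "GET http://www.example.com:80/index.html HTTP/1.1" "curl/7.38.0" - -
2024-05-13T23:40:01.000000Z cc-frontend-load-balancer 203.0.113.9:51000 10.0.0.2:80 0.000070 0.000400 0.000050 403 403 0 12 "GET http://www.example.com:80/admin HTTP/1.1" "python-requests/2.31" - -
2024-05-13T23:40:01.200000Z cc-frontend-load-balancer 203.0.113.9:51001 10.0.0.2:80 0.000070 0.000400 0.000050 403 403 0 12 "GET http://www.example.com:80/.env HTTP/1.1" "python-requests/2.31" - -
2024-05-13T23:40:01.400000Z cc-frontend-load-balancer 203.0.113.9:51002 10.0.0.2:80 0.000070 0.000400 0.000050 403 403 0 12 "GET http://www.example.com:80/wp-login.php HTTP/1.1" "python-requests/2.31" - -
2024-05-13T23:40:02.000000Z cc-frontend-load-balancer 203.0.113.9:51003 - -1 -1 -1 503 - 0 0 "GET http://www.example.com:80/health HTTP/1.1" "python-requests/2.31" - -
2024-05-13T23:40:05.000000Z cc-frontend-load-balancer 192.0.2.44:4000 10.0.0.3:22 0.001069 0.000028 0.000041 - - 82 305 "- - - " "-" - -
"""


@dataclass
class ElbLogEntry:
    timestamp: str
    elb: str
    client_ip: str
    backend: Optional[str]       # "host:port", or None when no backend took the request
    elb_status: Optional[int]    # None for TCP/SSL listeners
    backend_status: Optional[int]
    received_bytes: int
    sent_bytes: int
    method: Optional[str]
    url: Optional[str]
    user_agent: str
    tcp: bool                    # entry came from a TCP/SSL listener


def _int_or_none(field: str) -> Optional[int]:
    return None if field == "-" else int(field)


def parse_line(line: str) -> ElbLogEntry:
    """Split one access log line into its 15 documented fields."""
    f = shlex.split(line)  # honours the quoted request and user-agent fields
    if len(f) != 15:
        raise ValueError(f"expected 15 fields, got {len(f)}: {line!r}")
    request = f[11].split()  # ["GET", "http://...", "HTTP/1.1"] or ["-", "-", "-"]
    tcp = not request or request[0] == "-"
    return ElbLogEntry(
        timestamp=f[0],
        elb=f[1],
        client_ip=f[2].rsplit(":", 1)[0],
        backend=None if f[3] == "-" else f[3],
        elb_status=_int_or_none(f[7]),
        backend_status=_int_or_none(f[8]),
        received_bytes=int(f[9]),
        sent_bytes=int(f[10]),
        method=None if tcp else request[0],
        url=None if tcp or len(request) < 2 else request[1],
        user_agent=f[12],
        tcp=tcp,
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def probing_clients(entries, threshold: int = 3) -> dict:
    """Client IPs that collected at least `threshold` 4xx responses from the ELB."""
    errors = Counter(e.client_ip for e in entries
                     if e.elb_status is not None and 400 <= e.elb_status < 500)
    return {ip: n for ip, n in errors.items() if n >= threshold}


def backend_failures(entries) -> list:
    """HTTP(S) requests the load balancer could not hand to any registered instance."""
    return [e for e in entries if not e.tcp and e.backend is None]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("probing clients:", probing_clients(entries))
    for e in backend_failures(entries):
        print("no backend for", e.method, e.url, "from", e.client_ip, "ELB status", e.elb_status)
```

The thresholds and the two heuristics are deliberately simple; the point is that the fields needed for them (client address, ELB status code, backend field) are only available once this rule is satisfied.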


Audit

To determine if access logging is enabled for your Classic Load Balancers, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to examine.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Attributes section, check the Access logs feature status. If the feature status is set to Disabled, access logging is not enabled for the selected Amazon Classic Load Balancer.

08 Repeat steps no. 5 – 7 for each Classic Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return an array with the requested load balancer name(s):

[
    "cc-frontend-load-balancer",
    "cc-project5-load-balancer"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as the identifier parameter and custom query filters to get the Access Logging feature status available for the selected load balancer:

aws elb describe-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'LoadBalancerAttributes.AccessLog.Enabled'

04 The command output should return the requested feature status (true for enabled, false for disabled):

false

If the describe-load-balancer-attributes command output returns false, as shown in the output example above, the Access Logging feature is not enabled for the selected Amazon Classic Load Balancer.

05 Repeat steps no. 3 and 4 for each Classic Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
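The CLI steps above become a cross-region audit when scripted. The following Python is an added example for this page (not Conformity or AWS tooling): it enumerates every enabled region, lists every Classic Load Balancer through the paginated describe_load_balancers call, reads its AccessLog attribute and reports the result, exiting non-zero when any load balancer has logging disabled. boto3 is imported only inside main(), so the audit logic can be run and checked offline with --demo against the stub client at the bottom; the stub and the two load balancer names it carries are constructed placeholders.

```python
"""Audit every Classic Load Balancer in every region for access logging.

Added example for this page (not Conformity or AWS tooling). It automates the
describe-load-balancers / describe-load-balancer-attributes steps with boto3,
imported only in main() so the audit logic runs offline against the stub below.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessLogFinding:
    region: str
    name: str
    enabled: bool
    bucket: Optional[str]
    prefix: Optional[str]
    interval: Optional[int]  # Classic ELB accepts 5 or 60 minutes


def list_classic_elbs(elb) -> list:
    """Names of all Classic Load Balancers visible to the given elb client."""
    names = []
    for page in elb.get_paginator("describe_load_balancers").paginate():
        names.extend(d["LoadBalancerName"] for d in page["LoadBalancerDescriptions"])
    return names


def audit_region(elb, region: str) -> list:
    """One finding per Classic Load Balancer, taken from its AccessLog attribute."""
    findings = []
    for name in list_classic_elbs(elb):
        attrs = elb.describe_load_balancer_attributes(LoadBalancerName=name)
        log = attrs["LoadBalancerAttributes"].get("AccessLog", {})
        findings.append(AccessLogFinding(
            region=region,
            name=name,
            enabled=bool(log.get("Enabled")),
            bucket=log.get("S3BucketName") or None,
            prefix=log.get("S3BucketPrefix") or None,
            interval=log.get("EmitInterval"),
        ))
    return findings


def noncompliant(findings) -> list:
    """Load balancers that fail ELB-009: access logging disabled."""
    return [f for f in findings if not f.enabled]


def main() -> int:
    import boto3  # real clients only here, so the functions above stay testable offline
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    findings = []
    for region in regions:
        findings.extend(audit_region(boto3.client("elb", region_name=region), region))
    for f in findings:
        state = "ENABLED " if f.enabled else "DISABLED"
        print(f"{f.region:<16}{f.name:<40}{state} bucket={f.bucket} "
              f"prefix={f.prefix} interval={f.interval}")
    return 1 if noncompliant(findings) else 0


class StubElbClient:
    """Constructed stand-in for boto3's 'elb' client, for offline demonstration only."""

    def __init__(self, access_log_by_name: dict):
        self._attrs = access_log_by_name

    def get_paginator(self, operation: str):
        assert operation == "describe_load_balancers"
        names = list(self._attrs)

        class _Paginator:
            def paginate(self):
                yield {"LoadBalancerDescriptions": [{"LoadBalancerName": n} for n in names]}

        return _Paginator()

    def describe_load_balancer_attributes(self, LoadBalancerName: str) -> dict:
        return {"LoadBalancerAttributes": {"AccessLog": self._attrs[LoadBalancerName]}}


# Mirrors the two placeholder load balancers from the CLI output: one with logging
# off (the API then returns only {"Enabled": false}) and one writing to a bucket hourly.
STUB_REGION = StubElbClient({
    "cc-frontend-load-balancer": {"Enabled": False},
    "cc-project5-load-balancer": {"Enabled": True, "S3BucketName": "cc-load-balancer-logging",
                                  "S3BucketPrefix": "", "EmitInterval": 60},
})


if __name__ == "__main__":
    import sys
    if "--demo" in sys.argv:  # offline run against the stub
        for finding in audit_region(STUB_REGION, "us-east-1"):
            print(finding)
    else:
        raise SystemExit(main())
```

Review the bucket and interval columns as well as the ENABLED/DISABLED state: a load balancer whose bucket sits in another region, or whose bucket policy no longer admits the Elastic Load Balancing account, shows as enabled here yet delivers nothing, so the S3 side should be spot-checked too.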

Remediation / Resolution

To enable access logging for your Amazon Classic Load Balancers, perform the following operations. With CloudFormation and Terraform the target S3 bucket must already exist in the same AWS region as the load balancer, with a bucket policy that allows Elastic Load Balancing to write to it (the AWS CLI steps below show how to create and configure that bucket):

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Access Logging for Classic Load Balancers",
  "Resources": {
    "ClassicLoadBalancer": {
      "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties" : {
        "LoadBalancerName" : "cc-frontend-load-balancer",
        "Scheme" : "internet-facing",
        "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
        "Subnets" : [ "subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd" ],
        "Instances" : [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd" ],
        "Listeners": [{
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "80",
            "Protocol": "HTTP",
            "PolicyNames": []
        }],
        "HealthCheck": {
            "Target": "HTTP:80/index.html",
            "HealthyThreshold": "10",
            "UnhealthyThreshold": "2",
            "Interval": "50",
            "Timeout": "5"
        },
        "AccessLoggingPolicy" : {
            "Enabled" : true,
            "EmitInterval" : 60,
            "S3BucketName" : "cc-load-balancer-logging"
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Access Logging for Classic Load Balancers
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '80'
          Protocol: HTTP
          PolicyNames: []
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      AccessLoggingPolicy:
        Enabled: true
        EmitInterval: 60
        S3BucketName: cc-load-balancer-logging

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
  name               = "cc-frontend-load-balancer"
  internal           = false
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd"]
  instances          = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTP:80/index.html"
    interval            = 50
  }

  # Enable Access Logging for Classic Load Balancers
  access_logs {
    bucket      = "cc-load-balancer-logging"
    interval    = 60
  }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to reconfigure.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Attributes section, choose Configure access logs next to Access logs to modify the feature configuration.

08 In the Configure access logs box, perform the following actions:

  1. Select the Enable access logs checkbox to enable access logging.
  2. For Interval, set the minutes between deliveries of access logs.
  3. For S3 location, enter a unique name and a prefix (optional) for the S3 bucket that will store the log files (e.g. logging-bucket/prefix).
  4. Select the Create this location for me checkbox to have Amazon S3 create the new bucket for you. If you don’t select this option, you must provide the name of an existing S3 bucket in the same AWS region as the selected load balancer, with a bucket policy that allows Elastic Load Balancing to write to it.
  5. Choose Save to apply the changes and return to the Amazon EC2 console. This will enable the Access Logging feature for the selected Classic Load Balancer.

09 Repeat steps no. 5 – 8 for each Classic Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the target bucket for the access log files. The bucket must be in the same AWS region as the load balancer; for any region other than us-east-1, also add --create-bucket-configuration LocationConstraint=<region> to the command:

aws s3api create-bucket \
  --bucket cc-load-balancer-logging \
  --region us-east-1 \
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
  "Location": "/cc-load-balancer-logging"
}

03 Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket cc-load-balancer-logging \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

04 Define the bucket policy that grants Elastic Load Balancing permission to write to the newly created S3 bucket. Paste the following policy document into a JSON file named access-logging-policy.json and replace the bucket name with your own. The Principal must be the AWS account that Elastic Load Balancing uses in the bucket's region, not your own account: the placeholder 123456789012 below stands for that ID, which the Elastic Load Balancing documentation lists per region (some newer regions use a service principal instead). To keep the grant minimal you can also narrow Resource to the path the load balancer actually writes, arn:aws:s3:::cc-load-balancer-logging/AWSLogs/<your-account-id>/*:

{
  "Id": "Access-Logging-Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
     "Action": [
       "s3:PutObject"
     ],
     "Effect": "Allow",
     "Resource": "arn:aws:s3:::cc-load-balancer-logging/*",
     "Principal": {
       "AWS": [
         "arn:aws:iam::123456789012:root"
        ]
      }
    }
  ]
}

05 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the access policy defined at the previous step (i.e. access-logging-policy.json) to the newly created S3 bucket:

aws s3api put-bucket-policy \
  --bucket cc-load-balancer-logging \
  --policy file://access-logging-policy.json

06 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to reconfigure as the identifier parameter, to enable the Access Logging feature for the selected load balancer:

aws elb modify-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --load-balancer-attributes "{\"AccessLog\":{\"Enabled\":true,\"EmitInterval\":60,\"S3BucketName\":\"cc-load-balancer-logging\"}}"

07 The command output should return the configuration attributes available for the modified load balancer:

{
  "LoadBalancerAttributes": {
      "CrossZoneLoadBalancing": {
          "Enabled": true
      },
      "AccessLog": {
          "Enabled": true,
          "S3BucketName": "cc-load-balancer-logging",
          "EmitInterval": 60
      },
      "ConnectionDraining": {
          "Enabled": true,
          "Timeout": 300
      },
      "ConnectionSettings": {
          "IdleTimeout": 60
      },
      "AdditionalAttributes": [
          {
              "Key": "elb.http.desyncmitigationmode",
              "Value": "defensive"
          }
      ]
  }
}

08 Repeat steps no. 6 and 7 for each Classic Load Balancer that you want to reconfigure, available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
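Scripted together, the remediation steps above look like the following Python (an added example for this page, not Conformity or AWS tooling). Two points the CLI walkthrough can leave unclear are built in: the bucket policy Principal has to be the account Elastic Load Balancing uses in the bucket's region rather than your own account, and the log objects land under <prefix>/AWSLogs/<your-account-id>/, so the grant can be scoped to that path instead of the whole bucket. The load balancer, bucket and account names are the page's placeholders; the Elastic Load Balancing account ID given is the documented one for us-east-1 only, and boto3 is imported only inside enable_access_logging() so the pure helpers run offline.

```python
"""Create a log bucket and enable access logging on a Classic Load Balancer.

Added example for this page (not Conformity or AWS tooling). The pure helpers
build the create-bucket arguments, the bucket policy and the AccessLog
attribute; enable_access_logging() applies them with boto3 in the order the
page uses (create, block public access, attach policy, enable logging).
"""
import json

# Documented Elastic Load Balancing account for us-east-1. Other regions have
# their own IDs, and some newer regions use a service principal instead; check
# the AWS "Access logs for your Classic Load Balancer" page before reusing this.
ELB_ACCOUNT_US_EAST_1 = "127311923021"
VALID_EMIT_INTERVALS = (5, 60)  # minutes; the only values Classic ELB accepts


def create_bucket_kwargs(bucket: str, region: str) -> dict:
    """Arguments for s3.create_bucket: us-east-1 must NOT carry a LocationConstraint."""
    kwargs = {"Bucket": bucket, "ACL": "private"}
    if region != "us-east-1":
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return kwargs


def log_bucket_policy(bucket: str, account_id: str, elb_account_id: str, prefix: str = "") -> dict:
    """Bucket policy letting the regional ELB account write only under the
    <prefix>/AWSLogs/<account_id>/ path that Classic ELB actually uses."""
    clean_prefix = prefix.strip("/")
    path = f"{clean_prefix}/" if clean_prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ClassicElbAccessLogs",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{elb_account_id}:root"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/*",
        }],
    }


def access_log_attributes(bucket: str, prefix: str = "", interval: int = 60) -> dict:
    """LoadBalancerAttributes payload for modify_load_balancer_attributes."""
    if interval not in VALID_EMIT_INTERVALS:
        raise ValueError(f"EmitInterval must be one of {VALID_EMIT_INTERVALS}, got {interval}")
    return {"AccessLog": {"Enabled": True, "S3BucketName": bucket,
                          "S3BucketPrefix": prefix.strip("/"), "EmitInterval": interval}}


def enable_access_logging(lb_name: str, bucket: str, region: str, account_id: str,
                          elb_account_id: str, prefix: str = "", interval: int = 60) -> dict:
    """Create and lock down the bucket, attach the policy, then turn logging on.
    The bucket is created in the load balancer's own region, as Classic ELB requires."""
    import boto3
    s3 = boto3.client("s3", region_name=region)
    elb = boto3.client("elb", region_name=region)

    s3.create_bucket(**create_bucket_kwargs(bucket, region))
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    s3.put_bucket_policy(
        Bucket=bucket,
        Policy=json.dumps(log_bucket_policy(bucket, account_id, elb_account_id, prefix)))
    return elb.modify_load_balancer_attributes(
        LoadBalancerName=lb_name,
        LoadBalancerAttributes=access_log_attributes(bucket, prefix, interval))


if __name__ == "__main__":
    # Placeholder names from the page; replace with your own before running.
    result = enable_access_logging("cc-frontend-load-balancer", "cc-load-balancer-logging",
                                   "us-east-1", "123456789012", ELB_ACCOUNT_US_EAST_1)
    print(json.dumps(result["LoadBalancerAttributes"]["AccessLog"], indent=2))
```

Because the policy is attached after the public access block, BlockPublicPolicy is already in force when the policy is written; that is fine here because the statement names a single account principal and is not a public policy.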

Publication date Apr 28, 2016