Enable Access Logging for App Mesh Virtual Gateways

Risk Level: Medium (should be achieved)

Ensure that Access Logging is enabled and configured for all your Amazon App Mesh virtual gateways. To enable the feature, configure the file path to write access logs to, within the virtual gateway configuration settings. You can use /dev/stdout to send access logs to standard out and configure your Envoy proxy container to use a log driver, such as "awslogs", to export the access logs to a log storage cloud service such as Amazon CloudWatch Logs. You can also specify a path in the Envoy proxy container's file system to write the log files to disk.

Security

The Access Logging feature lets you track application mesh user access, helps you meet compliance regulations, and provide evidence for security audits and investigations. For example, the logging data can be used to analyze traffic patterns in order to detect different types of attacks and help you implement custom protection plans.

Audit

To determine if Access Logging feature is enabled for your App Mesh virtual gateways, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon App Mesh console at https://console.aws.amazon.com/appmesh/.

03 In the navigation panel, under AWS App Mesh, choose Meshes.

04 Click on the name of the service mesh that you want to access, available in the Mesh name column.

05 In the left navigation panel, under the name of the selected service mesh, choose Virtual gateways.

06 Click on the name of the App Mesh virtual gateway that you want to examine.

07 Select the Details tab and check the file path configured for the Logging File Path attribute. If there is no file path configured for Logging File Path, the selected Amazon App Mesh virtual gateway is not configured to capture access logs.

08 Repeat steps no. 6 and 7 for each App Mesh virtual gateway created for the selected service mesh.

09 Repeat steps no. 4 – 8 for each App Mesh service mesh deployed within the current AWS cloud region.

10 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-meshes command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon App Mesh service meshes deployed in the selected AWS cloud region:

aws appmesh list-meshes
  --region us-east-1
  --query 'meshes[*].meshName'

02 The command output should return an array with the requested mesh name(s):

[
  "cc-production-app-mesh",
  "cc-development-app-mesh"
]

03 Run list-virtual-gateways command (OSX/Linux/UNIX) using the name of the App Mesh service mesh that you want to examine as the identifier parameter and custom query filters to describe the name of each virtual gateway created for the selected service mesh:

aws appmesh list-virtual-gateways
  --region us-east-1
  --mesh-name cc-production-app-mesh
  --query 'virtualGateways[*].virtualGatewayName'

04 The command output should return an array with the requested virtual gateway name(s):

[
  "cc-prod-mesh-virtual-gateway",
  "cc-test-mesh-virtual-gateway"
]

05 Run describe-virtual-gateway command (OSX/Linux/UNIX) using the name of the App Mesh virtual gateway that you want to examine as the identifier parameter, to describe the file path to write access logs to, configured for the selected virtual gateway:

aws appmesh describe-virtual-gateway
  --region us-east-1
  --mesh-name cc-production-app-mesh
  --virtual-gateway-name cc-prod-mesh-virtual-gateway
  --query 'virtualGateway.spec.logging.accessLog.file.path'

06 The command output should return the access logs file path:

null

If the describe-virtual-gateway command output returns null, there is no file path defined for access logs, therefore the selected Amazon App Mesh virtual gateway is not configured to capture access logs.

07 Repeat steps no. 5 and 6 for each App Mesh virtual gateway created for the selected service mesh.

08 Repeat steps no. 3 – 7 for each App Mesh service mesh deployed in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the audit process for other regions.

Remediation / Resolution

To enable and configure Access Logging for all your Amazon App Mesh virtual gateways, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon App Mesh console at https://console.aws.amazon.com/appmesh/.

03 In the navigation panel, under AWS App Mesh, choose Meshes.

04 Click on the name of the service mesh that you want to access, available in the Mesh name column.

05 In the left navigation panel, under the name of the selected service mesh, choose Virtual gateways.

06 Click on the name of the App Mesh virtual gateway that you want to reconfigure.

07 Click on the Edit button from the console top menu to update the selected virtual gateway configuration.

08 In the Virtual gateway configuration section, expand the Logging panel, and enter the file path to send logging information into the HTTP access logs path box. Logs must still be ingested by an agent within your application and sent to a destination. This file path only instructs Envoy where to send the access logs. Amazon App Mesh recommends using the /dev/stdout path so that you can use Docker log drivers to export your Envoy logs to a service such as Amazon CloudWatch Logs. Choose Save to apply the changes.

09 Repeat steps no. 6 – 8 for each App Mesh virtual gateway that you want to reconfigure, created for the selected service mesh.

10 Repeat steps no. 4 – 9 for each App Mesh service mesh deployed within the current AWS cloud region.

11 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-virtual-gateway command (OSX/Linux/UNIX) using the name of the Amazon App Mesh virtual gateway that you want to examine as the identifier parameter and custom query filters to describe the configuration specifications available for the selected virtual gateway:

aws appmesh describe-virtual-gateway
  --region us-east-1
  --mesh-name cc-production-app-mesh
  --virtual-gateway-name cc-prod-mesh-virtual-gateway
  --query 'virtualGateway.spec'

02 The command output should return the requested virtual gateway specifications:

{
  "backendDefaults": {
    "clientPolicy": {}
  },
  "listeners": [
    {
      "portMapping": {
        "port": 80,
        "protocol": "http"
      }
    }
  ],
  "logging": {}
}

03 Modify the virtual gateway specifications returned at the previous step to include the file path to write access logs to (highlighted). The access logs file path used in the following example is /dev/stdout. Save the following document to a JSON file named virtual-gateway-logging-specs.json:

{
  "backendDefaults": {
    "clientPolicy": {}
  },
  "listeners": [
    {
      "portMapping": {
        "port": 80,
        "protocol": "http"
      }
    }
  ],
  "logging": {
    "accessLog": {
      "file": {
        "path": "/dev/stdout"
      }
    }
  }
}

04 Run update-virtual-gateway command (OSX/Linux/UNIX) to enable access logs for the specified Amazon App Mesh virtual gateway, using the configuration specifications defined at the previous step (i.e. virtual-gateway-logging-specs.json):

aws appmesh update-virtual-gateway
  --region us-east-1
  --mesh-name cc-production-app-mesh
  --virtual-gateway-name cc-prod-mesh-virtual-gateway
  --spec file://virtual-gateway-logging-specs.json

05 The command output should return the metadata available for the reconfigured virtual gateway:

{
  "virtualGateway": {
    "meshName": "cc-production-app-mesh",
    "metadata": {
      "arn": "arn:aws:appmesh:us-east-1:123456789012:mesh/cc-production-app-mesh/virtualGateway/cc-prod-mesh-virtual-gateway",
      "createdAt": "2021-01-28T10:00:00.000000+00:00",
      "lastUpdatedAt": "2021-01-28T18:00:00.000000+00:00",
      "meshOwner": "123456789012",
      "resourceOwner": "123456789012",
      "uid": "1234abcd-1234-abcd-1234-abcd1234abcd",
      "version": 5
    },
    "spec": {
      "backendDefaults": {
        "clientPolicy": {}
      },
      "listeners": [
        {
          "portMapping": {
            "port": 80,
            "protocol": "http"
          }
        }
      ],
      "logging": {
        "accessLog": {
          "file": {
            "path": "/dev/stdout"
          }
        }
      }
    },
    "status": {
      "status": "ACTIVE"
    },
    "virtualGatewayName": "cc-prod-mesh-virtual-gateway"
  }
}

06 Repeat steps no. 1 – 5 for each App Mesh virtual gateway that you want to reconfigure, created for the specified service mesh.

07 Repeat steps no. 1 – 6 for each App Mesh service mesh deployed in the selected AWS cloud region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
appmesh
list-meshes
list-virtual-gateways
describe-virtual-gateway
update-virtual-gateway

Envoy Proxy Documentation
Access Logs

Publication date Feb 6, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Access Logging for App Mesh Virtual Gateways

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related AppMesh rules