Logo of Trend Micro

ELB Access Log

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ELB-009

Ensure that your AWS Elastic Load Balancers use access logging to analyze traffic patterns and identify and troubleshoot security issues.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Enabling this feature will allow your ELB to record and save information about each TCP and HTTP request made for your backend instances. The access logging data can be extremely useful for security audits and troubleshooting sessions. For example your ELB logging data can be used to analyze traffic patterns in order to detect different types of attacks and help implementing custom protection plans.

Audit

To determine if the access logging is enabled for your load balancers, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the Elastic Load Balancer that you want to examine.

05 Select the Description tab from the bottom panel and check the Access Logs status:

Select the Description tab from the bottom panel and check the Access Logs status

If the current status is Disabled, the feature is disabled for the selected ELB.

06 Repeat step no. 4 and 5 for each load balancer available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) to check if access logging is enabled for the selected ELB. The following example return the attributes metadata for an ELB called MyWebELB: 

aws elb describe-load-balancer-attributes
	--region us-east-1
	--load-balancer-name MyWebELB

02 The command output should expose the ELB access logging status. If the AccessLog Enabled value is false, the feature is not enabled. 

{
    "LoadBalancerAttributes": {
        "ConnectionDraining": {
            "Enabled": true,
            "Timeout": 300
        },
        "CrossZoneLoadBalancing": {
            "Enabled": true
        },
        "ConnectionSettings": {
            "IdleTimeout": 60
        },
        "AccessLog": {
            "Enabled": false
        }
    }
}

03 Repeat step no. 1 for each load balancer available in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

Remediation / Resolution

To enable access logging for your ELBs, you need to perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the Elastic Load Balancer that you want to update.

05 Select the Description tab from the bottom panel and click Edit next to the Access Logs status.

06 In the Configure Access Logs dialog box, set the following:

  1. Check Enable Access Logs checkbox to enable the feature.
  2. For Interval, select the time interval between deliveries of the logging files to S3 bucket.
  3. For S3 Location, enter a name and a prefix (e.g. elb-logging-bucket/webapp) for the S3 bucket that will store the log files. Check Create the location for me to enable AWS to create the new bucket for you. If you don’t request this option, you must provide the name of an existing bucket available in the same region with the load balancer.

07 Click Save to apply the changes. The Access Logs status value should change now to Enabled:

Access Logs status value should change now to Enabled

08 Repeat step no. 4 – 7 for each load balancer available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the S3 bucket that will store the ELB log files (note that the bucket must be created in the same AWS region with the ELB): 

aws s3api create-bucket
	--region us-east-1
	--bucket elb-logging-bucket

02 Now create a policy that grants the ELB permission to write to the newly created bucket. Make a new policy document called elb-access-logging-policy.json and paste the following (replace the highlighted details with your details or use AWS Policy Generator - http://awspolicygen.s3.amazonaws.com/policygen.html, to create your own policy): 

{
  "Id": "ELB-Access-Logging-Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
     "Sid": "Stmt1891778271523",
     "Action": [
       "s3:PutObject"
     ],
     "Effect": "Allow",
     "Resource":"arn:aws:s3:::elb-logging-bucket/AWSLogs/123456789012/*",
     "Principal": {
       "AWS": [
         "127311923021"
        ]
      }
    }
  ]
}

03 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the policy document saved in the elb-access-logging-policy.json file to the elb-logging-bucket S3 bucket: 

aws s3api put-bucket-policy
	--bucket elb-logging-bucket
	--policy file://elb-access-logging-policy.json

04 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) to enable access logging for the selected Elastic Load Balancer: 

aws elb modify-load-balancer-attributes
	--region us-east-1
	--load-balancer-name MyWebELB
	--load-balancer-attributes
	"{\"AccessLog\":{\"Enabled\":true,\"EmitInterval\":60,\"S3BucketName\":\"elb-logging-bucket\"}}"

05 The command output should return the new configuration metadata for the load balancer access logging: 

{
    "LoadBalancerAttributes": {
        "AccessLog": {
            "EmitInterval": 60,
            "Enabled": true,
            "S3BucketName": "elb-logging-bucket"
        }
    },
    "LoadBalancerName": "MyWebELB"
}

References

Publication date Apr 28, 2016

Related ELB rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

ELB Access Log

Risk level: Medium