ELBv2 Access Log

Risk Level: Medium (should be achieved)

Rule ID: ELBv2-002

Ensure that your Amazon Application Load Balancers (ALBs) have the Access Logging feature enabled for security, troubleshooting, and audit purposes.

This rule can help you with the following compliance standards:

PCI
GDPR
APRA
MAS
NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability

Security

After you enable and configure access logging for your Application Load Balancers (ALBs), the log files will be delivered to the S3 bucket of your choice. The log files contain data about each HTTP/HTTPS request processed by the load balancer, data that can be extremely useful for analyzing traffic patterns, implementing protection plans, and identifying and troubleshooting security issues.

Audit

To determine if access logging is enabled for your Application Load Balancers (ALBs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to examine.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Attributes section, check the Access logs feature status. If the feature status is set to Disabled, access logging is not enabled for the selected Amazon Application Load Balancer (ALB).

08 Repeat steps no. 5 – 7 for each Application Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Application Load Balancer available in the selected AWS region:

aws elbv2 describe-load-balancers
  --region us-east-1
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-load-balancer/aaaabbbbccccdddd"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer that you want to examine as the identifier parameter and custom query filters to get the Access Logging feature status available for the selected load balancer:

aws elbv2 describe-load-balancer-attributes
  --region us-east-1
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd
  --query 'Attributes[?(Key == `access_logs.s3.enabled`)].Value | []'

04 The command output should return the requested feature status (true for enabled, false for disabled):

[
    "false"
]

If the describe-load-balancer-attributes command output returns "false", as shown in the output example above, the Access Logging feature is not enabled for the selected Amazon Application Load Balancer (ALB).

05 Repeat steps no. 3 and 4 for each Application Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable access logging for your Amazon Application Load Balancers (ALBs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Access Logging for Application Load Balancers",
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties" : {
        "Name" : "cc-internet-facing-load-balancer",
        "Type" : "application",
        "Scheme" : "internet-facing",
        "IpAddressType" : "ipv4",
        "SecurityGroups" : [ "sg-0abcd1234abcd1234" ],
        "Subnets" : [ "subnet-0abcdabcdabcdabcd", "subnet-0abcd1234abcd1234" ],
        "LoadBalancerAttributes" : [
          {
            "Key" : "access_logs.s3.enabled",
            "Value" : "true"
          },
          {
            "Key" : "access_logs.s3.bucket",
            "Value" : "cc-alb-access-logs"
          },
          {
            "Key" : "access_logs.s3.prefix",
            "Value" : "webapp"
          }
        ]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Access Logging for Application Load Balancers
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      SecurityGroups:
        - sg-0abcd1234abcd1234
      Subnets:
        - subnet-0abcdabcdabcdabcd
        - subnet-0abcd1234abcd1234
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: 'true'
        - Key: access_logs.s3.bucket
          Value: cc-alb-access-logs
        - Key: access_logs.s3.prefix
          Value: webapp

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-internet-facing-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  security_groups    = ["sg-0abcd1234abcd1234"]
  subnets            = ["subnet-0abcdabcdabcdabcd","subnet-0abcd1234abcd1234"]

  # Enable Access Logging for Application Load Balancers
  access_logs {
    bucket  = "cc-alb-access-logs"
    prefix  = "webapp"
    enabled = true
  }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to reconfigure.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Attributes section, choose Edit attributes to modify the load balancer configuration attributes.

08 In the Edit load balancer attributes configuration box, perform the following actions:

Select the Enable checkbox next to Access logs to enable access logging.
For S3 location, enter a unique name and a prefix (optional) for the S3 bucket that will store the log files (e.g. logging-bucket/prefix).
Select the Create this location for me checkbox to enable Amazon S3 to create the new bucket for you. If you don’t request this option, you must provide the name of an existing S3 bucket available in the same AWS region with the selected load balancer.
Choose Save to apply the changes and return to the EC2 console. This will enable the Access Logging feature for the selected Application Load Balancer (ALB).

09 Repeat steps no. 5 – 8 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the target bucket required for the Access Logging feature storage:

aws s3api create-bucket
  --bucket cc-alb-access-logs
  --region us-east-1
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
  "Location": "/cc-alb-access-logs"
}

03 Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block
  --region us-east-1
  --bucket cc-alb-access-logs
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

04 Define the access policy that grants your Application Load Balancer the permission to write to the newly created S3 bucket. Paste the following policy document to a JSON file named alb-access-logging-policy.json and replace the highlighted details (bucket name and Principal) with your own details:

{
  "Id": "ALB-Access-Logging-Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
     "Action": [
       "s3:PutObject"
     ],
     "Effect": "Allow",
     "Resource": "arn:aws:s3:::cc-alb-access-logs/*",
     "Principal": {
       "AWS": [
         "arn:aws:iam::466594415815:root"
        ]
      }
    }
  ]
}

05 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the access policy defined at the previous step (i.e. alb-access-logging-policy.json) to the newly created S3 bucket:

aws s3api put-bucket-policy
  --bucket cc-alb-access-logs
  --policy file://alb-access-logging-policy.json

06 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to reconfigure as the identifier parameter to enable the Access Logging feature for the selected load balancer:

aws elbv2 modify-load-balancer-attributes
  --region us-east-1
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd
  --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=cc-alb-access-logs Key=access_logs.s3.prefix,Value=webapp

07 The command output should return the configuration attributes available for the modified load balancer:

{
    "Attributes": [
        {
            "Value": "true",
            "Key": "deletion_protection.enabled"
        },
        {
            "Value": "true",
            "Key": "access_logs.s3.enabled"
        },
        {
            "Value": "60",
            "Key": "idle_timeout.timeout_seconds"
        },
        {
            "Value": "webapp",
            "Key": "access_logs.s3.prefix"
        },
        {
            "Value": "cc-alb-access-logs",
            "Key": "access_logs.s3.bucket"
        }
    ]
}

08 Repeat steps no. 6 and 7 for each Application Load Balancer that you want to reconfigure, available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
elbv2
describe-load-balancers
describe-load-balancer-attributes
modify-load-balancer-attributes
s3api
create-bucket
put-bucket-policy

CloudFormation Documentation
Elastic Load Balancing V2 resource type reference

Terraform Documentation
AWS Provider

Publication date Dec 19, 2017

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related ELBv2 rules