
Enable Access Logs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon Elastic Beanstalk environment is configured to capture access logs for the load balancer associated with the application environment. An Elastic Beanstalk environment is a collection of AWS resources running an application version. When you create an environment, Amazon Elastic Beanstalk provisions the resources needed to run the application version you specified.

Security

Amazon Elastic Load Balancing (ELB) provides access logs that record detailed information about requests sent to your Elastic Beanstalk environment load balancer. Each log entry contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use the load balancer access logs to analyze traffic patterns and troubleshoot issues within your Elastic Beanstalk application environment. After access logging is enabled, Amazon Elastic Load Balancing captures the logs and stores them as compressed files in the S3 bucket that you specify.


Audit

To determine if access logging is enabled for your Amazon Elastic Beanstalk environments, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

03 In the navigation panel, under Elastic Beanstalk, choose Environments.

04 Click on the name of the Elastic Beanstalk environment that you want to examine, available in the Environment name column.

05 In the left navigation panel, under the name of the environment, choose Configuration.

06 On the selected environment configuration page, in the Load balancer section, check the Store logs configuration flag status. If the Store logs status is set to disabled, the selected Amazon Elastic Beanstalk environment is not configured to capture access logs for the load balancer associated with the application environment.

07 Repeat steps no. 4 – 6 to verify the access logging feature status for other Amazon Elastic Beanstalk environments available within the current AWS cloud region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-applications command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon Elastic Beanstalk applications deployed in the selected AWS cloud region:

aws elasticbeanstalk describe-applications \
  --region us-east-1 \
  --query 'Applications[*].ApplicationName'

02 The command output should return an array with the requested application name(s):

[
  "cc-django-prod-application",
  "cc-wordpress-main-website",
  "cc-project5-web-application"
]

03 Run describe-environments command (OSX/Linux/UNIX) using the name of the Elastic Beanstalk application that you want to examine as the identifier parameter and custom query filters to describe the name of the Amazon Elastic Beanstalk environment created for the selected application:

aws elasticbeanstalk describe-environments \
  --region us-east-1 \
  --application-name cc-django-prod-application \
  --no-include-deleted \
  --query 'Environments[*].EnvironmentName'

04 The command output should return the name of the requested environment:

[
  "cc-django-web-environment"
]

05 Run describe-configuration-settings command (OSX/Linux/UNIX) to describe the access logging feature configuration status available for the load balancer associated with the selected Amazon Elastic Beanstalk environment:

aws elasticbeanstalk describe-configuration-settings \
  --region us-east-1 \
  --environment-name cc-django-web-environment \
  --application-name cc-django-prod-application \
  --query 'ConfigurationSettings[*].OptionSettings[?(OptionName==`AccessLogsS3Enabled`)].Value | []'

06 The command output should return the requested configuration status ("true" for enabled, "false" for disabled):

[
  "false"
]

If the describe-configuration-settings command output returns "false", the selected Amazon Elastic Beanstalk environment is not configured to capture access logs for the load balancer associated with the application environment.

07 Repeat steps no. 5 and 6 to check the access logging feature status for other Amazon Elastic Beanstalk environments created for the selected application.

08 Repeat steps no. 3 – 7 for each Amazon Elastic Beanstalk application deployed in the selected AWS cloud region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.
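The CLI audit above checks one environment at a time. The following script is an added example (not part of this Conformity page and not an AWS tool) that applies the same check, the AccessLogsS3Enabled option in the aws:elbv2:loadbalancer namespace, to the response shape of describe-configuration-settings, and treats a missing option (for example a single-instance environment with no Application Load Balancer) as not enabled. The sample responses are constructed; the audit_region function is a live variant that assumes boto3 is installed and credentials are configured.

```python
"""Evaluate Elastic Beanstalk load balancer access logging from
describe-configuration-settings responses (added example, constructed data)."""
import json

NAMESPACE = "aws:elbv2:loadbalancer"
OPTION = "AccessLogsS3Enabled"


def access_logging_enabled(configuration_settings):
    """Return True only when AccessLogsS3Enabled is the string "true".

    `configuration_settings` is the ConfigurationSettings list from a
    describe-configuration-settings response. An absent option is reported
    as not enabled, the conservative reading for an audit.
    """
    for settings in configuration_settings:
        for opt in settings.get("OptionSettings", []):
            if opt.get("Namespace") == NAMESPACE and opt.get("OptionName") == OPTION:
                return str(opt.get("Value", "")).lower() == "true"
    return False


def noncompliant_environments(responses):
    """responses: environment name -> describe-configuration-settings response.
    Returns the sorted names of environments without access logging."""
    return sorted(
        name for name, resp in responses.items()
        if not access_logging_enabled(resp.get("ConfigurationSettings", []))
    )


# Constructed sample responses, trimmed to the fields the check reads.
SAMPLE_RESPONSES = {
    "cc-django-web-environment": {
        "ConfigurationSettings": [{
            "ApplicationName": "cc-django-prod-application",
            "EnvironmentName": "cc-django-web-environment",
            "OptionSettings": [
                {"Namespace": NAMESPACE, "OptionName": "AccessLogsS3Enabled", "Value": "false"},
                {"Namespace": NAMESPACE, "OptionName": "IdleTimeout", "Value": "60"},
            ],
        }]
    },
    "cc-wordpress-env": {
        "ConfigurationSettings": [{
            "OptionSettings": [
                {"Namespace": NAMESPACE, "OptionName": "AccessLogsS3Enabled", "Value": "true"},
                {"Namespace": NAMESPACE, "OptionName": "AccessLogsS3Bucket",
                 "Value": "cc-eb-environment-logs-bucket"},
            ],
        }]
    },
    "cc-single-instance-env": {
        # No load balancer options at all: reported as not enabled.
        "ConfigurationSettings": [{"OptionSettings": []}]
    },
}


def audit_region(region):
    """Live variant: walk every application and environment in `region`.
    Assumes boto3 is installed and AWS credentials are available."""
    import boto3  # imported here so the offline functions above need no SDK
    eb = boto3.client("elasticbeanstalk", region_name=region)
    responses = {}
    for app in eb.describe_applications()["Applications"]:
        envs = eb.describe_environments(
            ApplicationName=app["ApplicationName"], IncludeDeleted=False
        )["Environments"]
        for env in envs:
            responses[env["EnvironmentName"]] = eb.describe_configuration_settings(
                ApplicationName=app["ApplicationName"],
                EnvironmentName=env["EnvironmentName"],
            )
    return noncompliant_environments(responses)


if __name__ == "__main__":
    print(json.dumps(noncompliant_environments(SAMPLE_RESPONSES), indent=2))
```

Run the file as-is to evaluate the constructed sample; call audit_region("us-east-1") from a session with credentials to evaluate a real region, and repeat per region as the audit steps describe.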

Remediation / Resolution

To configure Amazon Elastic Beanstalk environments to capture logs with detailed information about requests sent to the associated load balancer, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Before you enable access logging for your Elastic Beanstalk environment load balancer, you must create an Amazon S3 bucket where the load balancer will store the logs. The S3 bucket must be in the same AWS region as your load balancer, and must have a bucket policy that grants Elastic Load Balancing permission to write the access logs to the bucket. To create the required S3 bucket, navigate to Amazon S3 console at https://console.aws.amazon.com/s3/ and choose Buckets from the left navigation panel.

03 On the S3 buckets page, click on the Create bucket button to initiate the setup process.

04 On the Create bucket setup page, perform the following operations:

  1. For General configuration, provide a unique name for the new bucket in the Bucket name box and choose the appropriate AWS cloud region from the Region dropdown list.
  2. For Bucket settings for Block Public Access, choose Block all public access to ensure that public access to the new bucket and its objects is blocked.
  3. For Default encryption, select Enable under Server-side encryption, to enable Default Encryption for the new S3 bucket.
  4. Choose Create bucket to create your new Amazon S3 bucket.

05 Click on the name of the newly created S3 bucket, select the Permissions tab, and insert the following S3 bucket policy in the Bucket policy section (replace the placeholders with the corresponding information):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-bucket-name"
    }
  ]
}

06 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

07 In the navigation panel, under Elastic Beanstalk, choose Environments.

08 Click on the name of the Elastic Beanstalk environment that you want to reconfigure, available in the Environment name column.

09 In the left navigation panel, under the name of your environment, choose Configuration.

10 In the Load balancer section, choose Edit to modify the configuration of the load balancer associated with the selected environment.

11 On the Modify Application Load Balancer configuration page, perform the following operations:

  1. In the Access log files section, select Enabled under Store logs to enable the access logging feature.
  2. Select the name of the Amazon S3 bucket created earlier in the remediation process from the S3 bucket dropdown list.
  3. For Prefix, provide the prefix defined for your Amazon S3 bucket (must match the prefix used for the bucket policy).
  4. Choose Apply to save the configuration changes. Once the changes are successfully implemented, the Amazon Elastic Beanstalk environment status should change to "Environment update completed successfully".

12 Repeat steps no. 2 – 11 to enable access logging for other Elastic Beanstalk environments available within the current AWS cloud region.

13 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Before you enable access logging for your environment load balancer, you must create an Amazon S3 bucket where the load balancer will store the log files. The S3 bucket must be in the same AWS region as your load balancer, and must have a bucket policy that grants Elastic Load Balancing permission to write the access logs to the bucket. To create the required Amazon S3 bucket, run create-bucket command (OSX/Linux/UNIX):

aws s3api create-bucket \
  --region us-east-1 \
  --bucket cc-eb-environment-logs-bucket \
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
  "Location": "/cc-eb-environment-logs-bucket"
}

03 Define the bucket policy that grants Amazon Elastic Load Balancing (ELB) permission to write the access logs to the new bucket. Paste the following policy document into a JSON file named bucket-policy.json (replace the placeholders with the corresponding information):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-bucket-name/bucket-prefix/AWSLogs/aws-account-id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-bucket-name"
    }
  ]
}

04 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the bucket policy defined at the previous step to your new Amazon S3 bucket:

aws s3api put-bucket-policy \
  --bucket cc-eb-environment-logs-bucket \
  --policy file://bucket-policy.json

05 Run put-public-access-block command (OSX/Linux/UNIX) to enable the Amazon S3 Public Access Block feature for the specified S3 bucket (the command should not return an output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \
  --bucket cc-eb-environment-logs-bucket

06 Define the access logging feature configuration for your Amazon Elastic Beanstalk environment load balancer. Paste the following configuration document into a JSON file named access-logging-config.json (replace the placeholders with the corresponding information):

[
  {
    "OptionName": "AccessLogsS3Enabled",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "true"
  },
  {
    "OptionName": "AccessLogsS3Bucket",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "s3-bucket-name"
  },
  {
    "OptionName": "AccessLogsS3Prefix",
    "ResourceName": "AWSEBV2LoadBalancer",
    "Namespace": "aws:elbv2:loadbalancer",
    "Value": "s3-bucket-prefix"
  }
]

07 Run update-environment command (OSX/Linux/UNIX) using the name of the Amazon Elastic Beanstalk environment that you want to update as the identifier parameter, to enable access logging for the load balancer associated with the selected application environment, using the configuration file defined at the previous step:

aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --environment-name cc-django-web-environment \
  --application-name cc-django-prod-application \
  --option-settings file://access-logging-config.json

08 The command output should return the metadata available for the reconfigured application environment:

{
  "ApplicationName": "cc-django-prod-application",
  "EnvironmentName": "cc-django-web-environment",
  "VersionLabel": "Django Application V2",
  "Status": "Updating",
  "EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-django-prod-application/cc-django-web-environment",
  "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/Python 3.7 running on 64bit Amazon Linux 2/3.1.4",
  "EndpointURL": "awseb-AWSEB-ABCDABCDABCD-12345678.us-east-1.elb.amazonaws.com",
  "SolutionStackName": "64bit Amazon Linux 2 v3.1.4 running Python 3.7",
  "EnvironmentId": "e-abcdabcdab",
  "CNAME": "cc-django-web-environment.eba-abcdabcd.us-east-1.elasticbeanstalk.com",
  "AbortableOperationInProgress": true,
  "Tier": {
    "Version": "1.0",
    "Type": "Standard",
    "Name": "WebServer"
  },
  "Health": "Grey",
  "DateUpdated": "2021-01-25T10:00:00.000Z",
  "DateCreated": "2021-01-25T10:00:00.000Z"
}

09 Repeat steps no. 1 – 8 to enable and configure access logging for other Elastic Beanstalk environments deployed in the selected AWS cloud region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire remediation process for other regions.
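The most common way this remediation fails silently is a mismatch between the key path the bucket policy allows and the bucket or prefix set in the environment options: the update succeeds, but no log files ever arrive. The following script is an added example (not the Conformity page's own code and not an AWS tool) that fills the same bucket-policy template and option-settings document used in steps 3 and 6 from one set of inputs, then checks that a representative access-log object key is covered by an Allow s3:PutObject statement. It also handles the empty-prefix case, where the key starts directly at AWSLogs/. All inputs are constructed placeholders; ELB_ACCOUNT_ID in particular must be replaced with the region-specific Elastic Load Balancing account id from AWS documentation.

```python
"""Build a bucket policy and Elastic Beanstalk option settings for ALB access
logging from one set of inputs and check that they agree (added example)."""
import fnmatch
import json

# Constructed placeholders, not real accounts or buckets.
BUCKET = "cc-eb-environment-logs-bucket"
PREFIX = "eb-logs"
AWS_ACCOUNT_ID = "123456789012"
ELB_ACCOUNT_ID = "000000000000"  # placeholder for the regional ELB account id
NAMESPACE = "aws:elbv2:loadbalancer"


def log_object_arn(bucket, prefix, account_id, tail="*"):
    """ARN of the objects ELB writes: <prefix>/AWSLogs/<account>/... in the
    bucket. With an empty prefix the key starts directly at AWSLogs/."""
    prefix = prefix.strip("/")
    key = f"{prefix}/AWSLogs/{account_id}/{tail}" if prefix else f"AWSLogs/{account_id}/{tail}"
    return f"arn:aws:s3:::{bucket}/{key}"


def build_bucket_policy(bucket, prefix, account_id, elb_account_id):
    """Same three statements as the page's policy, placeholders filled in."""
    objects = log_object_arn(bucket, prefix, account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{elb_account_id}:root"},
             "Action": "s3:PutObject", "Resource": objects},
            {"Effect": "Allow",
             "Principal": {"Service": "delivery.logs.amazonaws.com"},
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
            {"Effect": "Allow",
             "Principal": {"Service": "delivery.logs.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def build_option_settings(bucket, prefix):
    """The three aws:elbv2:loadbalancer options from the page's config file."""
    values = {"AccessLogsS3Enabled": "true", "AccessLogsS3Bucket": bucket,
              "AccessLogsS3Prefix": prefix}
    return [{"OptionName": name, "ResourceName": "AWSEBV2LoadBalancer",
             "Namespace": NAMESPACE, "Value": value} for name, value in values.items()]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_covers_log_path(policy, bucket, prefix, account_id):
    """True if some Allow statement grants s3:PutObject on a representative
    log object. The sample key follows the documented layout
    .../AWSLogs/<account>/elasticloadbalancing/<region>/<yyyy>/<mm>/<dd>/<file>."""
    sample = log_object_arn(bucket, prefix, account_id,
                            "elasticloadbalancing/us-east-1/2021/02/06/sample.log.gz")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        # IAM resource wildcards: '*' matches any run of characters, '/' included.
        if any(fnmatch.fnmatchcase(sample, pat) for pat in _as_list(stmt.get("Resource", []))):
            return True
    return False


def settings_match_policy(policy, option_settings, account_id):
    """Cross-check the environment option settings against the bucket policy."""
    opts = {o["OptionName"]: o["Value"] for o in option_settings
            if o.get("Namespace") == NAMESPACE}
    if opts.get("AccessLogsS3Enabled", "").lower() != "true":
        return False
    return policy_covers_log_path(policy, opts.get("AccessLogsS3Bucket", ""),
                                  opts.get("AccessLogsS3Prefix", ""), account_id)


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, PREFIX, AWS_ACCOUNT_ID, ELB_ACCOUNT_ID)
    options = build_option_settings(BUCKET, PREFIX)
    with open("bucket-policy.json", "w") as f:   # input for put-bucket-policy
        json.dump(policy, f, indent=2)
    with open("access-logging-config.json", "w") as f:  # input for update-environment
        json.dump(options, f, indent=2)
    print("policy and option settings consistent:",
          settings_match_policy(policy, options, AWS_ACCOUNT_ID))
```

Running the file writes the two JSON documents that steps 4 and 7 pass with file://, so the bucket name and prefix can only be typed once; settings_match_policy can also be pointed at an existing bucket policy (aws s3api get-bucket-policy) and the option settings returned by describe-configuration-settings to verify an environment that was configured by hand.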

Publication date Feb 6, 2021