Enable ALB Elastic Load Balancer v2 (ELBv2) access log

ELBv2 ALBs should have have access log enabled to capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

Risk Level: Low
Cloud Entity: Application Load Balancer
CloudGuard Rule ID: D9.AWS.LOG.15
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

ApplicationLoadBalancer should not have attributes contain [ key='access_logs.s3.enabled' and value='false' ]

REMEDIATION

From Portal

  1. Sign into the AWS console
  2. In the console, select the specific region
  3. Navigate to EC2 dashboard
  4. Click 'Load Balancers' (Left Panel)
  5. Select the reported ELB
  6. Click 'Actions' drop-down
  7. Click 'Edit attributes'
  8. In the 'Edit load balancer attributes' popup box, select 'Enable' for 'Access logs' and configure S3 location where you want to store ELB logs

From TF

resource "aws_lb" "test" {
	...
	name = "test_lb"
	+ access_logs {
		+   bucket  = aws_s3_bucket
		+   prefix  = "test-lb"
		+   enabled = true
	+ }
}

From Command Line
To enable access logs for your load balancer:

aws elb modify-load-balancer-attributes --load-balancer-name LOAD_BALANCER_NAME --load-balancer-attributes file://my-json-file.json

References

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-load-balancer-attributes.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb

Application Load Balancer

An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset