v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 5 Application and Classic Load Balancers logging should be enabled

Description

This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.

Remediation

To remediate this issue, update your load balancers to enable logging.

To enable access logs

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Load balancers.
  3. Choose an Application Load Balancer.
  4. From Actions, choose Edit attributes.
  5. Under Access logs, choose Enable.
  6. Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
  7. Choose Save.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elb_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_5 --share

SQL

This control uses a named query:

elb_application_classic_lb_logging_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = logging
foundational_security_item_id = elb_5
plugin = aws
service = AWS/ELB