Control: 5 Application and Classic Load Balancers logging should be enabled
Description
This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
Remediation
To remediate this issue, update your load balancers to enable logging.
To enable access logs
- Open the Amazon EC2 console.
- In the navigation pane, choose
Load balancers. - Choose an Application Load Balancer.
- From
Actions, chooseEdit attributes. - Under
Access logs, chooseEnable. - Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
- Choose
Save.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_elb_5Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_elb_5 --shareSQL
This control uses a named query:
( select arn as resource, case when load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' then 'ok' else 'alarm' end as status, case when load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' then title || ' logging enabled.' else title || ' logging disabled.' end as reason , region, account_id from aws_ec2_application_load_balancer)union( select 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource, case when access_log_enabled = 'true' then 'ok' else 'alarm' end as status, case when access_log_enabled = 'true' then title || ' logging enabled.' else title || ' logging disabled.' end as reason , region, account_id from aws_ec2_classic_load_balancer);