Control: 5 Application and Classic Load Balancers logging should be enabled
Description
This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false.
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.
Remediation
To remediate this issue, update your load balancers to enable logging.
To enable access logs
- Open the Amazon EC2 console.
- In the navigation pane, choose Load balancers.
- Choose an Application Load Balancer.
- From Actions, choose Edit attributes.
- Under Access logs, choose Enable.
- Enter your S3 location. This location can exist or it can be created for you. If you do not specify a prefix, the access logs are stored in the root of the S3 bucket.
- Choose Save.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_elb_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_5 --share
SQL
This control uses a named query:
(
  -- Application Load Balancers: the logging flag is an entry in the load_balancer_attributes JSON array.
  select
    arn as resource,
    case
      when load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' then 'ok'
      else 'alarm'
    end as status,
    case
      when load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' then title || ' logging enabled.'
      else title || ' logging disabled.'
    end as reason,
    region,
    account_id
  from
    aws_ec2_application_load_balancer
)
union
(
  -- Classic Load Balancers: the logging flag is the access_log_enabled column; the ARN is assembled from its parts.
  select
    'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource,
    case
      when access_log_enabled = 'true' then 'ok'
      else 'alarm'
    end as status,
    case
      when access_log_enabled = 'true' then title || ' logging enabled.'
      else title || ' logging disabled.'
    end as reason,
    region,
    account_id
  from
    aws_ec2_classic_load_balancer
);
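The same pass/fail logic can be applied offline to saved AWS CLI output, for example in a CI job. This is an added example, not part of the aws_compliance mod: the function names, sample ARNs, names and account ID are constructed, and the input shapes assume the JSON returned by `aws elbv2 describe-load-balancer-attributes` (`Attributes`) and `aws elb describe-load-balancer-attributes` (`LoadBalancerAttributes`).

```python
def alb_logging_enabled(attributes):
    # Mirrors the query's JSONB containment test: one element must have
    # Key "access_logs.s3.enabled" and the string Value "true".
    return any(a.get("Key") == "access_logs.s3.enabled" and a.get("Value") == "true"
               for a in attributes)

def classic_logging_enabled(lb_attributes):
    # Classic LBs report a boolean AccessLog.Enabled; a missing key counts as off.
    return lb_attributes.get("AccessLog", {}).get("Enabled") is True

def classic_arn(lb):
    # Same synthetic ARN the query concatenates for Classic Load Balancers.
    return (f"arn:{lb['partition']}:elasticloadbalancing:{lb['region']}:"
            f"{lb['account_id']}:loadbalancer/{lb['title']}")

def row(resource, title, ok):
    state = "enabled" if ok else "disabled"
    return (resource, "ok" if ok else "alarm", f"{title} logging {state}.")

def evaluate(albs, classics):
    """Return (resource, status, reason) rows in the shape the query produces."""
    rows = [row(lb["arn"], lb["title"], alb_logging_enabled(lb["Attributes"]))
            for lb in albs]
    rows += [row(classic_arn(lb), lb["title"],
                 classic_logging_enabled(lb["LoadBalancerAttributes"]))
             for lb in classics]
    return rows

# Constructed inventory; account ID, names and ARNs are placeholders.
ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/"
SAMPLE_ALBS = [
    {"arn": ARN + "web/0001", "title": "web", "Attributes": [
        {"Key": "access_logs.s3.enabled", "Value": "true"},
        {"Key": "access_logs.s3.bucket", "Value": "example-elb-logs"}]},
    {"arn": ARN + "api/0002", "title": "api", "Attributes": [
        {"Key": "access_logs.s3.enabled", "Value": "false"}]},
    # Attribute absent from the saved output: treated as alarm, never as ok.
    {"arn": ARN + "batch/0003", "title": "batch", "Attributes": [
        {"Key": "deletion_protection.enabled", "Value": "true"}]},
]
CLASSIC = {"partition": "aws", "region": "us-east-1", "account_id": "111122223333"}
SAMPLE_CLASSICS = [
    {**CLASSIC, "title": "legacy-web",
     "LoadBalancerAttributes": {"AccessLog": {"Enabled": True}}},
    {**CLASSIC, "title": "legacy-db", "LoadBalancerAttributes": {}},
]
if __name__ == "__main__":
    for resource, status, reason in evaluate(SAMPLE_ALBS, SAMPLE_CLASSICS):
        print(f"{status:5}  {reason:28}  {resource}")
```

A load balancer whose saved attributes lack the logging key lands in `alarm`, matching the query's `else` branch.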