AWS Elastic Load Balancer: Audit Logs Not Enabled

Description:

AWS Elastic Load Balancers (ELBs) provide load balancing services to distribute incoming traffic across multiple targets. By enabling audit logs, also known as access logs, administrators can capture detailed information about requests sent to the load balancer. This information can be invaluable for security and access audits, troubleshooting, and understanding application usage patterns. Without audit logs, the ability to investigate issues, detect security incidents, or gain insights into user behavior is limited.


Remediation:

1. Enable Access Logs for Elastic Load Balancer:

Enable access logs for a comprehensive view of all requests, including client IP addresses, request paths, and server responses.

AWS Management Console:
  • Navigate to the Elastic Load Balancing dashboard.
  • Select your Elastic Load Balancer from the list.
  • In the Description tab, click on Edit attributes.
  • Enable Access logs.
  • Specify the S3 bucket where logs should be stored.
  • Save the changes.

AWS CLI (Application and Network Load Balancers, elbv2 API):
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn <Your-ELB-ARN> \
    --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=<Your-S3-Bucket>

Terraform (Classic Load Balancer, aws_elb resource):
resource "aws_elb" "example" {
  name               = "example-elb"
  // ... other configuration ...

  access_logs {
    bucket  = aws_s3_bucket.example.bucket
    enabled = true
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example-elb-logs"
  acl    = "private"
}

2. Set Up Appropriate Permissions:

Ensure that the ELB has the necessary permissions to write logs to the designated S3 bucket. This can be achieved by attaching a policy to the bucket that grants the ELB service these permissions.
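
As an added example (not part of the original guidance), this is one way to write the bucket policy for this step in Terraform. It attaches to the aws_s3_bucket.example bucket from the Terraform snippet above; the data source and resource names are chosen here for illustration, and it assumes a region where ELB delivers logs from a regional AWS-owned ELB account and that no log prefix is configured.

```hcl
# Added example: bucket policy letting ELB write access logs to the
# aws_s3_bucket.example bucket declared in the Terraform snippet above.
# Names such as "elb_log_delivery" are illustrative, not from the page.

# AWS-owned ELB account for the provider's current region.
data "aws_elb_service_account" "current" {}

# Account that owns the load balancer; log objects land under AWSLogs/<account-id>/.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "elb_log_delivery" {
  statement {
    sid     = "AllowELBAccessLogDelivery"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.current.arn]
    }

    # Write-only, and only under this account's log prefix: no read, list or delete.
    resources = [
      "${aws_s3_bucket.example.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "elb_log_delivery" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.elb_log_delivery.json
}

# The log bucket holds client IPs and request paths; keep it non-public.
resource "aws_s3_bucket_public_access_block" "elb_logs" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

ELB checks that it can write to the bucket when access logs are turned on, so the load balancer resource should declare depends_on = [aws_s3_bucket_policy.elb_log_delivery] to make sure the policy exists first.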

3. Retention and Analysis:

  • Periodically review the stored logs for any anomalies or suspicious activities.
  • Consider integrating the logs with tools like Amazon Athena or third-party log analysis solutions for deeper insights and automated alerts.
  • Determine a retention policy for your logs, ensuring compliance with any applicable regulations and business requirements.

4. Training and Policy:

  • Ensure that your team understands the importance of ELB audit logs for security and troubleshooting purposes.
  • Establish policies that require all new ELBs to have access logs enabled by default.

By enabling audit logs for Elastic Load Balancers, organizations can gain a clearer view of application traffic, detect anomalies, and improve overall security. Ensure this best practice is adopted across your AWS environment.