Ensure AWS ELB (Classic) with access log is enabled

Error: AWS ELB (Classic) with access log is disabled

Bridgecrew Policy ID: BC_AWS_LOGGING_22
Checkov Check ID: CKV_AWS_91
Severity: MEDIUM

AWS ELB (Classic) with access log is disabled

Description

ELBv2 provide access logs that capture information about the TLS requests sent to NLBs. These access logs can be used to analyze traffic patterns and troubleshoot security and operational issues.
Access logging is an optional feature of ELB that is disabled by default. There is no additional charge for access logs. You are charged storage costs for Amazon S3, but not charged for the bandwidth.
After you enable access logging for your load balancer, ELBv2 captures the logs as compressed files and stores them in the Amazon S3 bucket that you specify.

Fix - Runtime

AWS Console

  1. Go to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
    In the navigation pane, choose Load Balancers.
  2. Select your load balancer.
  3. On the Description tab, choose Edit attributes.
  4. On the Edit load balancer attributes page, do the following:
  5. For Access logs, choose Enable and specify the name of an existing bucket or a name for a new bucket.
  6. Choose Save.

CLI Command

aws elbv2 modify-load-balancer-attributes --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=my-loadbalancer-logs Key=access_logs.s3.prefix,Value=myapp

Fix - Buildtime

Terraform

  • Resource: aws_lb
  • Argument: access_logs - (Optional) An Access Logs block. Access Logs documented below.
resource "aws_lb" "test" {
  ...
  name               = "test-lb-tf"
+ access_logs {
+   bucket  = aws_s3_bucket.lb_logs.bucket
+   prefix  = "test-lb"
+   enabled = true
+ }
}

CloudFormation

Resource: AWS::ElasticLoadBalancingV2::LoadBalancer
Argument: Properties.LoadBalancerAttributes

Resources:
  Resource0:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      ...
      LoadBalancerAttributes:
+     - Key: access_logs.s3.enabled
+       Value: "true"