Description:
Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets, such as EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. This control requires that every load balancer writes its access logs to an S3 bucket.
Rationale:
A load balancer monitors the health of its registered targets and routes traffic only to the healthy ones. It distributes traffic across the Availability Zones you enable for it, improving fault tolerance, performance and availability of applications, websites, databases and other computing resources. Because every client request passes through it, the load balancer is also the single place where a complete record of that traffic can be captured: its access logs record the client IP, the request, latencies, the load balancer and backend status codes, and the TLS cipher and protocol used. Without access logging enabled, that evidence does not exist when an incident needs to be investigated.
Impact:
Enabling access logs lets you:
- Analyze access and traffic patterns
- Troubleshoot applications
- Perform security monitoring (for example, spot scanning, credential stuffing or abuse from a single client IP)
- Improve the user experience
- Discover and debug problems with the EC2 platform
Logs are delivered to S3, so the bucket incurs storage cost and must be protected from tampering and unauthorized reads.
Default Value:
By default, AWS does not enable access logging on any load balancer. When logging is enabled manually on a Classic Load Balancer, Elastic Load Balancing publishes logs every 60 minutes unless the interval is explicitly set to 5 minutes (5 and 60 are the only supported values). Application Load Balancers publish access logs every 5 minutes.
Audit:
Checking whether access logging is enabled on a load balancer (console)
- Open the Amazon EC2 console
- On the navigation pane, under LOAD BALANCING, choose Load Balancers.
- Select your load balancer.
- On the Description tab (Attributes tab in the newer console), confirm that Access logs is Enabled and that the S3 bucket and prefix shown are the ones your logging account owns.
CLI checking whether access logging is enabled. describe-load-balancers lists the load balancers but does not report logging; use describe-load-balancer-attributes for each one and confirm AccessLog.Enabled is true and S3BucketName is the expected bucket:
aws elb describe-load-balancer-attributes --load-balancer-name my-loadbalancer --query LoadBalancerAttributes.AccessLog
For Application and Network Load Balancers, check the access_logs.s3.* attributes instead (replace <load-balancer-arn> with the ARN):
aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --query "Attributes[?starts_with(Key, 'access_logs.s3')]"
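An audit script that applies the same decision the ELB_LOGGING_ENABLED Config rule makes (logging must be enabled, and the bucket must be the one you expect, so that logs cannot be silently redirected to a bucket someone else controls) to the JSON that describe-load-balancer-attributes prints. This is an added illustration, not part of the benchmark or any AWS tooling; the bucket names, account values and sample documents in it are constructed, and the script name elb_log_audit.py is assumed.

```python
"""Evaluate describe-load-balancer-attributes output the way ELB_LOGGING_ENABLED does.

Usage (CLI output is piped in; an optional argument names the bucket logs must land in):
  aws elb describe-load-balancer-attributes --load-balancer-name my-loadbalancer | python3 elb_log_audit.py elb-logs-example
  aws elbv2 describe-load-balancer-attributes --load-balancer-arn <arn>         | python3 elb_log_audit.py elb-logs-example
Exit status 0 means compliant, 1 means non-compliant.
"""
import json
import sys
from typing import Optional


def _verdict(enabled: bool, bucket: Optional[str], expected_bucket: Optional[str]) -> dict:
    # Same two checks the Config rule performs: logging must be on, and when the
    # auditor names a bucket, the logs must actually be going to that bucket.
    if not enabled:
        return {"compliant": False, "reason": "access logging disabled", "bucket": bucket}
    if expected_bucket is not None and bucket != expected_bucket:
        return {"compliant": False,
                "reason": f"logs delivered to {bucket!r}, expected {expected_bucket!r}",
                "bucket": bucket}
    return {"compliant": True, "reason": "access logging enabled", "bucket": bucket}


def evaluate_classic(doc: dict, expected_bucket: Optional[str] = None) -> dict:
    """Classic Load Balancer: `aws elb describe-load-balancer-attributes` output."""
    access_log = doc.get("LoadBalancerAttributes", {}).get("AccessLog", {})
    # Enabled is a JSON boolean here; a missing AccessLog block means logging is off.
    return _verdict(bool(access_log.get("Enabled", False)),
                    access_log.get("S3BucketName"), expected_bucket)


def evaluate_v2(doc: dict, expected_bucket: Optional[str] = None) -> dict:
    """ALB/NLB: `aws elbv2 describe-load-balancer-attributes` output."""
    # v2 returns a flat Key/Value list whose values are all strings, so the
    # boolean has to be compared as text rather than trusted as truthy.
    attrs = {a["Key"]: a["Value"] for a in doc.get("Attributes", [])}
    enabled = attrs.get("access_logs.s3.enabled", "false").lower() == "true"
    bucket = attrs.get("access_logs.s3.bucket") or None
    return _verdict(enabled, bucket, expected_bucket)


def evaluate(doc: dict, expected_bucket: Optional[str] = None) -> dict:
    """Dispatch on the document shape so one script serves both CLIs."""
    if "LoadBalancerAttributes" in doc:
        return evaluate_classic(doc, expected_bucket)
    if "Attributes" in doc:
        return evaluate_v2(doc, expected_bucket)
    raise ValueError("input is not describe-load-balancer-attributes output")


# Constructed samples in the shape the two CLIs print; the bucket names are invented.
SAMPLE_CLASSIC_OFF = {"LoadBalancerAttributes": {
    "AccessLog": {"Enabled": False},
    "CrossZoneLoadBalancing": {"Enabled": True}}}
SAMPLE_CLASSIC_ON = {"LoadBalancerAttributes": {
    "AccessLog": {"Enabled": True, "S3BucketName": "elb-logs-example",
                  "EmitInterval": 60, "S3BucketPrefix": "prod"}}}
SAMPLE_V2_OTHER_BUCKET = {"Attributes": [
    {"Key": "access_logs.s3.enabled", "Value": "true"},
    {"Key": "access_logs.s3.bucket", "Value": "someone-elses-bucket"},
    {"Key": "access_logs.s3.prefix", "Value": ""}]}


if __name__ == "__main__":
    expected = sys.argv[1] if len(sys.argv) > 1 else None
    result = evaluate(json.load(sys.stdin), expected)
    print(json.dumps(result))
    sys.exit(0 if result["compliant"] else 1)
```

Run it once per load balancer from a loop over the names that describe-load-balancers returns; pass the bucket name as the argument so a load balancer that logs, but to the wrong bucket, is still reported.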
Remediation:
Pre-Requisites:
Need to have an S3 bucket in the same Region as the load balancer, with a bucket policy that allows Elastic Load Balancing to write to it
Need to have an active ELB in the environment
After auditing, apply the following steps to every Elastic Load Balancer found without logging enabled.
Implementation Steps:
Open the Amazon EC2 console
On the navigation pane, under LOAD BALANCING, choose Load Balancers.
Select your load balancer.
On the Description tab, choose Configure Access Logs.
On the Configure Access Logs page, select Enable access logs, choose the interval (5 or 60 minutes), enter the S3 bucket name and optional prefix, and save.
Enabling access logging using the CLI
Use the following modify-load-balancer-attributes command to enable access logging. S3BucketName is required when Enabled is true; replace my-loadbalancer-logs and my-app with your bucket and prefix. The JSON must be single-quoted so the shell passes the inner double quotes through:
aws elb modify-load-balancer-attributes --load-balancer-name my-loadbalancer --load-balancer-attributes '{"AccessLog":{"Enabled":true,"S3BucketName":"my-loadbalancer-logs","EmitInterval":60,"S3BucketPrefix":"my-app"}}'
For an Application Load Balancer the attributes are key/value pairs on the elbv2 API:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=my-loadbalancer-logs Key=access_logs.s3.prefix,Value=my-app
Order of operations:
Create an S3 bucket in the same Region as the load balancer.
Attach a bucket policy that grants the Elastic Load Balancing log-delivery principal for that Region s3:PutObject on the AWSLogs/<account-id>/ path under your prefix, and nothing broader.
Enable access logs with the console steps or the CLI command above.
Verify that the load balancer created the test object ELBAccessLogTestFile in the bucket. If it is missing, the bucket policy is wrong and no logs are being delivered even though the attribute reads Enabled.
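The following helper builds the three artifacts the steps above call for: the bucket policy, the correctly quoted --load-balancer-attributes value, and the key of the test object to verify. It is an added example, not part of the benchmark or of the AWS CLI. The log-delivery account for us-east-1 (127311923021) is the one AWS documents for that Region; every other Region has its own account, and Regions opened after August 2022 use the service principal logdelivery.elasticloadbalancing.amazonaws.com instead, so the table must be extended from the AWS access-log documentation before use. The load balancer name, bucket and account ID in the usage are constructed.

```python
"""Build the bucket policy and CLI arguments for enabling Classic ELB access logs."""
import json
import shlex

# Log-delivery account per Region, from the AWS access-log documentation.
# Only us-east-1 is filled in here; add your Region's value before using this.
ELB_LOG_DELIVERY_ACCOUNTS = {"us-east-1": "127311923021"}


def _log_prefix(prefix: str) -> str:
    # ELB writes "AWSLogs/<account>/..." under the prefix; normalise the slashes so
    # the bucket-policy resource and the attribute value refer to the same path.
    prefix = prefix.strip("/")
    return f"{prefix}/" if prefix else ""


def elb_log_bucket_policy(bucket: str, account_id: str, region: str, prefix: str = "") -> dict:
    """Bucket policy allowing only the Region's ELB log-delivery account to PutObject
    under this account's AWSLogs path. A broader grant lets other principals plant
    or overwrite log objects."""
    try:
        delivery_account = ELB_LOG_DELIVERY_ACCOUNTS[region]
    except KeyError:
        raise ValueError(f"no log-delivery account listed for {region}; add it from the AWS docs")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowELBAccessLogDelivery",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{delivery_account}:root"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{_log_prefix(prefix)}AWSLogs/{account_id}/*",
        }],
    }


def classic_access_log_attributes(bucket: str, prefix: str = "", emit_interval: int = 60) -> str:
    """Value for --load-balancer-attributes. Classic ELB accepts only 5 or 60 minutes."""
    if emit_interval not in (5, 60):
        raise ValueError("EmitInterval must be 5 or 60")
    return json.dumps({"AccessLog": {"Enabled": True, "S3BucketName": bucket,
                                     "EmitInterval": emit_interval,
                                     "S3BucketPrefix": prefix.strip("/")}})


def classic_access_log_disable() -> str:
    """Backout value: turn logging off again (existing log objects stay in the bucket)."""
    return json.dumps({"AccessLog": {"Enabled": False}})


def expected_test_file_key(account_id: str, prefix: str = "") -> str:
    """Object ELB writes right after logging is enabled to prove it can write to the bucket."""
    return f"{_log_prefix(prefix)}AWSLogs/{account_id}/ELBAccessLogTestFile"


def remediation_commands(lb_name: str, bucket: str, account_id: str, region: str, prefix: str = "") -> list:
    """The CLI calls in order, with the JSON quoted so the shell passes it through intact."""
    policy = json.dumps(elb_log_bucket_policy(bucket, account_id, region, prefix))
    return [
        f"aws s3api put-bucket-policy --bucket {shlex.quote(bucket)} --policy {shlex.quote(policy)}",
        f"aws elb modify-load-balancer-attributes --load-balancer-name {shlex.quote(lb_name)} "
        f"--load-balancer-attributes {shlex.quote(classic_access_log_attributes(bucket, prefix))}",
        # head-object fails with 404 if the test file never arrived, i.e. the policy is wrong.
        f"aws s3api head-object --bucket {shlex.quote(bucket)} "
        f"--key {shlex.quote(expected_test_file_key(account_id, prefix))}",
    ]


if __name__ == "__main__":
    # Constructed values: not a real account, bucket or load balancer.
    for cmd in remediation_commands("my-loadbalancer", "elb-logs-example",
                                    "123456789012", "us-east-1", "prod"):
        print(cmd)
```

The script only prints the commands; review the policy it produces, then paste the commands into a shell with credentials for the account that owns the bucket and the load balancer. The third command is the check from the last step: a 404 from head-object means the test file was never written and the bucket policy needs fixing.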
Continuous detection with AWS Config. This does not enable logging; the ELB_LOGGING_ENABLED managed rule marks any Application or Classic Load Balancer NON_COMPLIANT whose logging is off or, when the optional s3BucketNames parameter is set, whose logs go to a bucket not in that list:
aws configservice put-config-rule --config-rule '{ "ConfigRuleName": "elb-logging-enabled", "Description": "Checks whether Application Load Balancers and Classic Load Balancers have access logging enabled. The rule is NON_COMPLIANT if access_logs.s3.enabled is false, or if access_logs.S3.bucket is not one of the bucket names given in the s3BucketNames parameter.", "Source": { "Owner": "AWS", "SourceIdentifier": "ELB_LOGGING_ENABLED", "SourceDetails": [] }, "Scope": { "ComplianceResourceTypes": [ "AWS::ElasticLoadBalancing::LoadBalancer", "AWS::ElasticLoadBalancingV2::LoadBalancer" ] }, "InputParameters": "{}" }'
Backout Plan: Disabling using the console
Open the Amazon EC2 console
On the navigation pane, under LOAD BALANCING, choose Load Balancers.
Select your load balancer.
On the Description tab, choose Configure Access Logs.
On the Configure Access Logs page, clear Enable access logs.
Disabling using the CLI
Use the following modify-load-balancer-attributes command to disable access logging. Log objects already delivered remain in the S3 bucket; only new delivery stops:
aws elb modify-load-balancer-attributes --load-balancer-name my-loadbalancer --load-balancer-attributes '{"AccessLog":{"Enabled":false}}'
For an Application Load Balancer:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --attributes Key=access_logs.s3.enabled,Value=false
Reference: