Profile Applicability:

  • Level 1

Description:

Elastic Load Balancing (ELB) is a service that automatically distributes incoming application or network traffic across multiple targets, such as EC2 instances or containers. Access logs provide valuable insights into the requests made to your load balancer, including client IP addresses, request paths, and response status codes. Enabling logging for your ALB (Application Load Balancer) or NLB (Network Load Balancer) ensures that request data is captured for audit, monitoring, troubleshooting, and compliance purposes.

Rationale:

  • Security: Access logs can help identify malicious activities or unusual traffic patterns, such as DDoS attacks or unauthorized access attempts.

  • Troubleshooting: Logs provide detailed information about the traffic to and from the load balancer, which can be crucial for diagnosing and troubleshooting issues with applications or services.

  • Compliance: Many regulatory frameworks require logging of network traffic for auditing and monitoring purposes. Enabling ELB logging helps meet the logging requirements of security standards like PCI-DSS, SOC 2, and others.

Impact:

Pros:

  • Visibility: Enables visibility into incoming and outgoing traffic, improving the ability to detect and respond to security threats.

  • Auditing: Captures logs that can be used for compliance audits and investigations.

  • Troubleshooting: Helps to identify and resolve issues with applications quickly.

Cons:

  • Cost: Enabling access logs may incur storage and monitoring costs depending on the volume of logs stored in S3.

  • Storage Management: Log retention must be actively managed so that logs are not kept longer than necessary, since unbounded retention drives up storage costs.

Default Value:

By default, ELBs do not have access logging enabled. You need to configure logging for ALB, NLB, or CLB (Classic Load Balancer) manually.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • s3:PutObject

    • s3:GetObject

    • elasticloadbalancing:ModifyLoadBalancerAttributes

  • AWS CLI installed and configured.

  • Amazon S3 bucket available for storing the logs.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing under Services.

  3. In the Load Balancers section, select the Elastic Load Balancer you want to review.

  4. Under the Description tab, check the Access logs section.

    • If Access logs are enabled, the destination S3 bucket and prefix will be displayed.

    • If Access logs are not enabled, this section will indicate that logs are not configured.

  5. If logging is disabled, proceed to enable it by choosing Edit and configuring the S3 bucket for log storage.

Using AWS CLI:

  1. To list the ALBs and NLBs in the account, then check whether logging is enabled on each, run:

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application` || Type==`network`].[LoadBalancerName,LoadBalancerArn]' --output text

    aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --query 'Attributes[?Key==`access_logs.s3.enabled` || Key==`access_logs.s3.bucket`]'

  2. If the value of access_logs.s3.enabled is true, logging is enabled. If it's false, logging is disabled.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Elastic Load Balancing.

  2. In the Load Balancers section, select the Elastic Load Balancer for which you want to enable logging.

  3. In the Description tab, click on Edit under Access logs.

  4. Set Access logs to Enabled.

  5. Choose an S3 bucket to store the logs and specify a prefix if needed.

  6. Save the changes to enable logging for the selected ELB.

Using AWS CLI:

  1. To enable Access Logging on a load balancer, run:

    aws elbv2 modify-load-balancer-attributes \
      --load-balancer-arn <load-balancer-arn> \
      --attributes Key=access_logs.s3.enabled,Value=true \
      Key=access_logs.s3.bucket,Value=<s3-bucket-name> \
      Key=access_logs.s3.prefix,Value=<logs-prefix>

  2. To verify that the logging is enabled, run:

    aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --query 'Attributes[?starts_with(Key, `access_logs.s3.`)]'
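As an added example (not part of this benchmark page and not AWS's own code), the following Python script implements the Test Plan check and the Implementation step above in one place: it evaluates the attribute lists that describe-load-balancer-attributes returns, flags any ALB or NLB whose access_logs.s3.enabled is not true or that has no bucket configured, and builds the attribute payload that modify-load-balancer-attributes expects. The load balancer names, ARNs, account id and bucket name in the sample data are constructed; only the audit_account function, which needs boto3 and AWS credentials, talks to AWS.

```python
"""Audit and remediate access logging on ALBs/NLBs (ELBv2).

Added example, not from the benchmark page. The offline functions work on the
JSON shapes returned by describe-load-balancers and
describe-load-balancer-attributes; the sample data below is constructed.
"""
from __future__ import annotations

# Attribute keys as used on the page with modify-load-balancer-attributes.
ENABLED_KEY = "access_logs.s3.enabled"
BUCKET_KEY = "access_logs.s3.bucket"
PREFIX_KEY = "access_logs.s3.prefix"

# Constructed sample ARNs (account id and suffixes are placeholders).
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web-alb/EXAMPLE1"
NLB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/api-nlb/EXAMPLE2"
GWLB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/gwy/edge-gwlb/EXAMPLE3"

# Constructed sample of describe-load-balancers output, trimmed to the fields used.
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerName": "web-alb", "Type": "application", "LoadBalancerArn": ALB_ARN},
    {"LoadBalancerName": "api-nlb", "Type": "network", "LoadBalancerArn": NLB_ARN},
    {"LoadBalancerName": "edge-gwlb", "Type": "gateway", "LoadBalancerArn": GWLB_ARN},
]

# Constructed sample of describe-load-balancer-attributes output, keyed by ARN.
# Attribute values come back as strings ("true"/"false"), not booleans.
SAMPLE_ATTRIBUTES = {
    ALB_ARN: [
        {"Key": ENABLED_KEY, "Value": "true"},
        {"Key": BUCKET_KEY, "Value": "example-elb-logs"},
        {"Key": PREFIX_KEY, "Value": "web-alb"},
    ],
    NLB_ARN: [
        {"Key": ENABLED_KEY, "Value": "false"},
        {"Key": BUCKET_KEY, "Value": ""},
        {"Key": PREFIX_KEY, "Value": ""},
    ],
}


def access_log_settings(attributes: list[dict]) -> dict:
    """Collapse the Key/Value attribute list into the three access-log settings."""
    by_key = {a["Key"]: a["Value"] for a in attributes}
    return {
        "enabled": by_key.get(ENABLED_KEY, "false").strip().lower() == "true",
        "bucket": by_key.get(BUCKET_KEY, ""),
        "prefix": by_key.get(PREFIX_KEY, ""),
    }


def evaluate(load_balancers: list[dict], attributes_by_arn: dict) -> list[dict]:
    """One finding per ALB/NLB. Compliant only if logging is on AND a bucket is set;
    gateway load balancers are skipped because they have no access-log attribute."""
    findings = []
    for lb in load_balancers:
        if lb["Type"] not in ("application", "network"):
            continue
        settings = access_log_settings(attributes_by_arn.get(lb["LoadBalancerArn"], []))
        findings.append({
            "name": lb["LoadBalancerName"],
            "type": lb["Type"],
            "arn": lb["LoadBalancerArn"],
            "compliant": settings["enabled"] and bool(settings["bucket"]),
            **settings,
        })
    return findings


def remediation_attributes(bucket: str, prefix: str = "") -> list[dict]:
    """Build the attribute list that modify-load-balancer-attributes expects."""
    if not bucket:
        raise ValueError("an S3 bucket name is required to enable access logs")
    return [
        {"Key": ENABLED_KEY, "Value": "true"},
        {"Key": BUCKET_KEY, "Value": bucket},
        {"Key": PREFIX_KEY, "Value": prefix},
    ]


def cli_attributes_arg(attributes: list[dict]) -> str:
    """Render the same list in the Key=...,Value=... shorthand the AWS CLI accepts."""
    return " ".join(f"Key={a['Key']},Value={a['Value']}" for a in attributes)


def audit_account(region: str | None = None) -> list[dict]:
    """Live audit with boto3; needs credentials and elasticloadbalancing:Describe* rights."""
    import boto3  # imported lazily so the offline functions above work without it

    client = boto3.client("elbv2", region_name=region)
    lbs = []
    for page in client.get_paginator("describe_load_balancers").paginate():
        lbs.extend(page["LoadBalancers"])
    attrs = {
        lb["LoadBalancerArn"]: client.describe_load_balancer_attributes(
            LoadBalancerArn=lb["LoadBalancerArn"])["Attributes"]
        for lb in lbs
    }
    return evaluate(lbs, attrs)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOAD_BALANCERS, SAMPLE_ATTRIBUTES):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['type']:<11} {f['name']:<10} bucket={f['bucket'] or '-'}")
        if not f["compliant"]:
            payload = cli_attributes_arg(remediation_attributes("<s3-bucket-name>", f["name"]))
            print(f"  aws elbv2 modify-load-balancer-attributes --load-balancer-arn {f['arn']} --attributes {payload}")
```

Run as-is, the script reports the constructed ALB as PASS and the constructed NLB as FAIL, printing the modify-load-balancer-attributes command to remediate the latter; call audit_account() instead to evaluate a real account. The check deliberately treats "enabled but no bucket" as non-compliant, because that state produces no logs even though the enabled flag reads true.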

Backout Plan:

Using AWS Console:

  1. If enabling access logging causes issues, sign in to the AWS Management Console, navigate to Elastic Load Balancing, select the Load Balancer, and go to the Description tab.

  2. Click Edit in the Access Logs section.

  3. Disable access logs and save the changes.

Using AWS CLI:

  1. To disable access logging, run:

    aws elbv2 modify-load-balancer-attributes --load-balancer-arn <LOAD_BALANCER_ARN> --attributes Key=access_logs.s3.enabled,Value=false

  2. Verify that access logging has been disabled:

    aws elbv2 describe-load-balancer-attributes --load-balancer-arn <LOAD_BALANCER_ARN>


References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
  --------|------------|---------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |