Profile Applicability:

Level 1

Description:

Enabling access logs for AWS resources (such as Amazon S3, Elastic Load Balancer, or CloudFront) ensures that all access requests to these resources are logged. These logs provide insights into how your resources are being accessed and used, and help with troubleshooting, security audits, and compliance.

Rationale:

Access logs provide visibility into who is accessing your AWS resources, what data is being accessed, and when. Enabling these logs helps you monitor access patterns, detect unusual behavior, and audit activities for security and compliance purposes. These logs are essential for incident response, auditing, and ensuring that only authorized users are interacting with your resources.
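Once access logs are flowing into the target bucket, the monitoring described above can be scripted. The following added example (not part of this benchmark) parses S3 server access log lines and flags successful anonymous requests and source IPs that accumulate AccessDenied errors; the log lines are constructed samples and the field names follow the S3 server access log format.

```python
import re
from collections import Counter

# S3 server access log lines are space-separated, but the timestamp is bracketed
# and Request-URI / Referer / User-Agent are quoted, so tokenize accordingly.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Names for the first 24 fields of the S3 server access log format.
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent",
          "version_id", "host_id", "sig_version", "cipher_suite", "auth_type",
          "host_header", "tls_version")

def parse_line(line):
    """Map one S3 server access log line to a dict of named fields."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("malformed or truncated S3 access log line")
    return dict(zip(FIELDS, (t.strip('"[]') for t in tokens)))

def find_anomalies(lines, denied_threshold=3):
    """Flag successful anonymous requests (requester '-') and source IPs that
    accumulate AccessDenied errors, a common sign of probing for open objects."""
    findings, denied = [], Counter()
    for rec in map(parse_line, lines):
        if rec["requester"] == "-" and rec["http_status"].startswith("2"):
            findings.append(("anonymous_success", rec["remote_ip"], rec["key"]))
        if rec["error_code"] == "AccessDenied":
            denied[rec["remote_ip"]] += 1
    findings += [("repeated_denied", ip, str(n)) for ip, n in denied.items()
                 if n >= denied_threshold]
    return findings

# Constructed sample lines (not real traffic): one authenticated GET, one anonymous
# GET that succeeded, and three AccessDenied responses from the same source IP.
SAMPLE_LINES = [
    'OWNERID examplebucket [01/Mar/2024:12:00:01 +0000] 192.0.2.10 AIDAEXAMPLEUSER REQ001 REST.GET.OBJECT public/index.html "GET /public/index.html HTTP/1.1" 200 - 512 512 9 8 "-" "aws-cli/2.15" - HOSTID SigV4 TLS_AES_128_GCM_SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSv1.3',
    'OWNERID examplebucket [01/Mar/2024:12:00:02 +0000] 198.51.100.7 - REQ002 REST.GET.OBJECT secret/report.pdf "GET /secret/report.pdf HTTP/1.1" 200 - 2048 2048 12 10 "-" "curl/8.0" - HOSTID - TLS_AES_128_GCM_SHA256 - examplebucket.s3.amazonaws.com TLSv1.3',
] + [
    f'OWNERID examplebucket [01/Mar/2024:12:00:0{i} +0000] 203.0.113.9 - REQ00{i} REST.GET.OBJECT backup/db{i}.sql "GET /backup/db{i}.sql HTTP/1.1" 403 AccessDenied - - 4 - "-" "python-requests/2.31" - HOSTID - TLS_AES_128_GCM_SHA256 - examplebucket.s3.amazonaws.com TLSv1.3'
    for i in (3, 4, 5)
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LINES):
        print(*finding)
```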

Impact:

Pros:

  • Improved Security: Logs allow for monitoring and identifying unauthorized or suspicious access to resources.

  • Audit and Compliance: Helps meet audit and compliance requirements by maintaining access logs for your AWS resources.

  • Troubleshooting: Access logs can be used to diagnose issues related to resource access and performance.

Cons:

  • Storage Costs: Storing large volumes of logs, especially for high-traffic resources, can incur storage charges.

  • Log Management Overhead: Requires regular management and analysis of logs to detect anomalies and ensure that the logs are appropriately retained.

Default Value:

By default, many AWS resources (such as S3 buckets or Elastic Load Balancers) may not have access logs enabled. These must be manually configured.

Pre-requisites:

  • IAM permissions to enable access logs for the relevant AWS resources.

  • Access to the AWS Console or AWS CLI for enabling access logs.

  • Storage location (e.g., S3 bucket) where the logs will be stored. For S3 server access logging the target bucket must be in the same Region as the source bucket and its bucket policy must allow the S3 logging service principal (logging.s3.amazonaws.com) to write objects to it.

Remediation:

Test Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to S3 (or another service like ELB or CloudFront) from the services menu.

  3. For S3:

    • Select the bucket you want to enable access logging for.

    • Go to the Properties tab, scroll down to Server access logging, and click Edit.

    • Enable Access logging and specify the target bucket where the logs will be stored.

  4. For Elastic Load Balancer (ELB):

    • Navigate to the EC2 Console, select Load Balancers under Load Balancing, and choose your load balancer.

    • Go to the Description tab, find the Access logs section, and click Edit.

    • Enable access logs and specify the S3 bucket for log storage.

  5. For CloudFront:

    • Navigate to the CloudFront Console, select your distribution, and go to the Distribution Settings.

    • Under the Logging section, enable Logging and specify the S3 bucket to store logs.

  6. After configuring, verify that the logs are being stored in the specified S3 bucket by checking the bucket's contents.

Using AWS CLI:

  1. List available S3 buckets to identify the one you want to store the logs in:

     aws s3 ls

  2. Enable server access logging for an S3 bucket:

    aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<log-bucket-name>", "TargetPrefix": "logs/"}}'

  3. Verify that access logs are enabled by running:

    aws s3api get-bucket-logging --bucket <bucket-name>

  4. For Elastic Load Balancer (ELB), enable access logs using the command below (aws elb applies to Classic Load Balancers; Application and Network Load Balancers use aws elbv2 modify-load-balancer-attributes with the access_logs.s3.enabled, access_logs.s3.bucket and access_logs.s3.prefix attributes):

     aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes AccessLog={Enabled=true,S3BucketName=<log-bucket-name>,S3BucketPrefix=logs/}

  5. For CloudFront, update the distribution's Logging configuration. update-distribution has no standalone --logging option; it takes the complete DistributionConfig together with the ETag returned by get-distribution-config, so first retrieve the current configuration:

     aws cloudfront get-distribution-config --id <distribution-id>

     In the returned DistributionConfig object, set "Logging" to {"Enabled": true, "IncludeCookies": false, "Bucket": "<log-bucket-name>.s3.amazonaws.com", "Prefix": "logs/"} (CloudFront expects the bucket's domain name), save that object to a file, and apply it with the ETag from the previous command:

     aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://<distribution-config.json>

  6. Verify that the logs are being stored by checking the S3 bucket:

     aws s3 ls s3://<log-bucket-name>

Implementation Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to S3, ELB, or CloudFront, depending on which resource you want to configure.

  3. For S3, enable Server Access Logging by navigating to Properties > Server access logging and specifying the target S3 bucket.

  4. For ELB, enable access logs by going to Description > Access logs and specifying an S3 bucket.

  5. For CloudFront, enable logging under Logging > Enabled, and specify an S3 bucket.

  6. Test the setup by generating traffic to the resource and confirming that logs appear in the specified S3 bucket.

Using AWS CLI:

  1. To enable logging for an S3 bucket:

     aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<log-bucket-name>", "TargetPrefix": "logs/"}}'

  2. For ELB, run:

     aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes AccessLog={Enabled=true,S3BucketName=<log-bucket-name>,S3BucketPrefix=logs/}

  3. For CloudFront, retrieve the current configuration, set "Logging" in the DistributionConfig object to {"Enabled": true, "IncludeCookies": false, "Bucket": "<log-bucket-name>.s3.amazonaws.com", "Prefix": "logs/"}, save the object to a file, and apply it with the ETag returned by the first command (update-distribution takes the full configuration, not a standalone --logging option):

     aws cloudfront get-distribution-config --id <distribution-id>
     aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://<distribution-config.json>

  4. Verify the logs by checking the S3 bucket:

     aws s3 ls s3://<log-bucket-name>

Backout Plan:

Using the AWS Console:

  1. If issues arise, revert the logging configuration by disabling access logs or changing the log bucket.

  2. For S3, go to the Properties > Server access logging and disable it.

  3. For ELB, go to the Description > Access logs and uncheck Enabled.

  4. For CloudFront, go to Logging > Disabled.

Using AWS CLI:

  1. To disable logging for an S3 bucket, send an empty logging status (omitting LoggingEnabled turns logging off; an empty LoggingEnabled object is rejected because TargetBucket and TargetPrefix are required):

     aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{}'

  2. For ELB, disable access logs by running:

    aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes AccessLog={Enabled=false}

  3. For CloudFront, disable logging by retrieving the current configuration, setting "Enabled" to false in the Logging object of the DistributionConfig (keep the other Logging fields in place), saving the object to a file, and applying it with its ETag:

     aws cloudfront get-distribution-config --id <distribution-id>
     aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://<distribution-config.json>

References:

CIS Controls:

  Version   Control ID   Control Description
  v8        12.5         Ensure that access logs are enabled for AWS resources like S3, ELB, and CloudFront to provide a record of all access requests.
  v7        12.3         Enable logging for AWS resources, such as S3 and ELB, to capture detailed access logs for security analysis and auditing.