Skip to main content

More Info:

Load balancers should have request logging enabled. Logging requests to ELB endpoints is a helpful way of detecting and investigating potential attacks.

Risk Level

Informational

Address

Security, Operational Maturity

Compliance Standards

HIPAA, GDPR, SOC2, NIST, ISO27001, HITRUST, NISTCSF, PCIDSS, FedRAMP, SEBI_CSAF, RBI_MD_ITF, RBI_CSF_UCB

Triage and Remediation

Remediation

Using Console

  1. Sign in to the AWS Management Console and open the Amazon EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.
  3. Select the load balancer that you want to enable logging for.
  4. Open the Description tab, under Attributes section, choose Edit attributes.
  5. In the Access logs section, do the following:
    • Select Enable access logs.
    • In the S3 location field, type the name of your S3 bucket where you want to store the logs. You can also specify a prefix. For example, if you type my-loadbalancer-logs/my-app, the access logs are stored in the my-app folder of the my-loadbalancer-logs bucket.
    • If the bucket doesn’t exist, you can create it. Make sure that the bucket policy grants Amazon S3 write permissions to Elastic Load Balancing.
  6. Choose Save.
Please note, the bucket must be in the same region as the load balancer. The bucket policy must grant write permissions to Elastic Load Balancing. If you don’t have a bucket for storing the logs, you can create one.
Sure, here are the steps to remediate this misconfiguration:
  1. Identify the Load Balancer: First, you need to identify the load balancer for which you want to enable logging. You can do this by running the following command:
aws elbv2 describe-load-balancers --region your-region-name
This command will list all the load balancers in the specified region. Identify the ARN of the load balancer you want to enable logging for.
  1. Create a S3 Bucket: ALB logs are stored in an S3 bucket. If you don’t have an existing bucket to store the logs, create a new one using the following command:
aws s3api create-bucket --bucket your-bucket-name --region your-region-name
Remember to replace ‘your-bucket-name’ with your preferred bucket name and ‘your-region-name’ with the region where you want to create the bucket.
  1. Set Bucket Policy: Next, set a bucket policy that grants the Elastic Load Balancing service principal (elasticloadbalancing.amazonaws.com) permission to write logs to your bucket. You can do this by creating a JSON file with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}
Replace ‘your-bucket-name’ with the name of your S3 bucket. Save this file as ‘bucket-policy.json’ and run the following command to apply this policy to your bucket:
aws s3api put-bucket-policy --bucket your-bucket-name --policy file://bucket-policy.json
  1. Enable Logging for Load Balancer: Finally, you can enable logging for your load balancer using the following command:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn your-load-balancer-arn --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=your-bucket-name
Replace ‘your-load-balancer-arn’ with the ARN of your load balancer and ‘your-bucket-name’ with the name of your S3 bucket.
  1. Verify Logging is Enabled: You can verify that logging is enabled by describing the attributes of the load balancer using the following command:
aws elbv2 describe-load-balancer-attributes --load-balancer-arn your-load-balancer-arn
In the output, you should see that ‘access_logs.s3.enabled’ is set to ‘true’ and ‘access_logs.s3.bucket’ is set to the name of your S3 bucket.
To remediate this misconfiguration, you will need to use AWS SDK for Python (Boto3) to enable access logs for your Application Load Balancer (ALB). Here are the step by step instructions:
  1. Install AWS SDK for Python (Boto3): If you haven’t installed Boto3, you can install it using pip: 
    pip install boto3
  2. Configure AWS Credentials: Boto3 needs your AWS credentials (access key and secret key) to interact with AWS services. You can configure it in several ways. The simplest way is using the AWS CLI: 
    aws configure
    It will ask for the Access Key ID, Secret Access Key, Default region name, and Default output format. You can find these details from your AWS account.
  3. Create a Python Script: Now, you can write a Python script to enable access logs for your ALB. Here is a simple example: 
    import boto3

def enable_alb_logging(alb_name, s3_bucket_name, s3_prefix):
    client = boto3.client('elbv2')

    response = client.modify_load_balancer_attributes(
        LoadBalancerArn=alb_name,
        Attributes=[
            {
                'Key': 'access_logs.s3.enabled',
                'Value': 'true'
            },
            {
                'Key': 'access_logs.s3.bucket',
                'Value': s3_bucket_name
            },
            {
                'Key': 'access_logs.s3.prefix',
                'Value': s3_prefix
            }
        ]
    )

    print(response)

enable_alb_logging('my-load-balancer-arn', 'my-s3-bucket', 'my-log-prefix')
    Replace 'my-load-balancer-arn', 'my-s3-bucket', and 'my-log-prefix' with your actual Load Balancer ARN, S3 bucket name, and prefix respectively.
  4. Run the Python Script: You can run the Python script using Python command: 
    python enable_alb_logging.py
This script will enable access logs for your ALB and store the logs in the specified S3 bucket. Make sure that the S3 bucket has the right permissions to store access logs.

Additional Reading: