AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
ELB Should Have Logging Enabled
More Info:
Load balancers should have request logging enabled. Logging requests to ELB endpoints is a helpful way of detecting and investigating potential attacks.
Risk Level
Informational
Address
Security, Operational Maturity
Compliance Standards
HIPAA, GDPR, SOC2, NIST, ISO27001, HITRUST, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the misconfiguration of ELB not having logging enabled in AWS, you can follow the below steps using the AWS Console:
-
Login to your AWS Management Console and navigate to the EC2 Dashboard.
-
From the EC2 Dashboard, click on the Load Balancers link located on the left side of the page.
-
Select the Load Balancer that you want to enable logging for.
-
Click on the Edit Attributes button located at the bottom of the page.
-
In the Edit Attributes window, scroll down to the Access Logs section.
-
Select the Enable Access Logs checkbox.
-
In the S3 Bucket field, enter the name of the S3 bucket where you want to store the access logs.
-
In the S3 Prefix field, enter a prefix for the access logs.
-
Click on the Save button to save the changes.
After following these steps, the ELB access logs will be enabled and will start logging to the specified S3 bucket. You can then use these logs for troubleshooting and analysis purposes.
To remediate the misconfiguration of ELB not having logging enabled in AWS using AWS CLI, follow the below steps:
Step 1: Open the AWS CLI and run the following command to enable access logs for the ELB:
aws elb modify-load-balancer-attributes --load-balancer-name <ELB Name> --load-balancer-attributes "{\"AccessLog\":{\"Enabled\":true,\"S3BucketName\":\"<S3 Bucket Name>\",\"S3BucketPrefix\":\"<S3 Bucket Prefix>\"}}"
Note: Replace <ELB Name>, <S3 Bucket Name> and <S3 Bucket Prefix> with the appropriate values.
Step 2: Verify if the access logs are enabled for the ELB by running the following command:
aws elb describe-load-balancers --load-balancer-name <ELB Name> --query "LoadBalancerDescriptions[].{AccessLog:AccessLog.Enabled}"
This command will return the value of “AccessLog” parameter as “true” if the access logs are enabled for the ELB.
Step 3: Check if the logs are being written to the S3 bucket by running the following command:
aws s3 ls s3://<S3 Bucket Name>/<S3 Bucket Prefix>/
This command will list all the log files that are being written to the specified S3 bucket. If the logs are being written, then the access logs are successfully enabled for the ELB.
By following these steps, you can remediate the misconfiguration of ELB not having logging enabled in AWS using AWS CLI.
To remediate the ELB logging misconfiguration in AWS using Python, you can follow these steps:
- First, you need to import the Boto3 library in your Python script. Boto3 is the AWS SDK for Python, which allows you to interact with AWS services using Python code.
import boto3
- Next, you need to create a Boto3 client for the Elastic Load Balancing (ELB) service.
elb_client = boto3.client('elbv2')
- Then, you can use the
describe_load_balancersmethod to get a list of all the ELBs in your AWS account.
response = elb_client.describe_load_balancers()
load_balancers = response['LoadBalancers']
- Once you have the list of ELBs, you can loop through each ELB and check if logging is enabled or not. You can use the
describe_load_balancer_attributesmethod to get the attributes of each ELB.
for lb in load_balancers:
lb_arn = lb['LoadBalancerArn']
response = elb_client.describe_load_balancer_attributes(LoadBalancerArn=lb_arn)
attributes = response['Attributes']
for attr in attributes:
if attr['Key'] == 'access_logs.s3.enabled':
if attr['Value'] == 'false':
# Enable logging for the ELB
elb_client.modify_load_balancer_attributes(
LoadBalancerArn=lb_arn,
Attributes=[
{
'Key': 'access_logs.s3.enabled',
'Value': 'true'
}
]
)
- Finally, you can modify the ELB attributes using the
modify_load_balancer_attributesmethod to enable logging for the ELB.
The above Python code will check if logging is enabled for each ELB in your AWS account. If logging is not enabled, it will enable logging for that ELB.