Rule: ELB Application and Classic Load Balancer Logging Should Be Enabled
This rule ensures logging is enabled for ELB application and classic load balancers.
| Rule | ELB application and classic load balancer logging should be enabled |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ High |
Rule Description
Enabling logging for ELB (Elastic Load Balancer) application and classic load balancer is a requirement for organizations seeking compliance with FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4. This rule ensures that all traffic passing through the load balancer is logged, providing visibility into the activities and helping with security monitoring, troubleshooting, and auditing purposes.
Troubleshooting Steps
If logging is not already enabled for ELB application and classic load balancer, the following troubleshooting steps can be taken:
- 1.
Verify AWS Account Status: Ensure that your AWS account is subscribed to the required services, which include Elastic Load Balancer, CloudWatch Logs, and S3. Check the AWS Service Health Dashboard for any ongoing issues or disruptions.
- 2.
Check IAM Permissions: Confirm that the IAM (Identity and Access Management) roles associated with your load balancers have the necessary permissions to write logs to the desired CloudWatch Logs group and access S3 buckets for storage.
- 3.
Validate Load Balancer Configuration: Review the load balancer configuration to ensure the appropriate listeners, target groups, and health checks are properly configured. Incorrect configurations may prevent logging from functioning correctly.
- 4.
Verify CloudWatch Logs Configuration: Validate that a CloudWatch Logs group is properly created and associated with the load balancer(s). Double-check the log retention settings and the appropriate IAM role association for CloudWatch Logs.
- 5.
Examine Load Balancer Logs: If logging appears to be enabled but no logs are being generated, review the load balancer logs in CloudWatch Logs to identify any potential errors or issues.
Necessary Codes (if applicable)
No specific codes are required for enabling ELB application and classic load balancer logging for FedRAMP Moderate Revision 4 compliance. Configuration settings can be adjusted through the AWS Management Console or AWS CLI (Command-Line Interface).
Step-by-Step Guide for Remediation
To enable logging for ELB application and classic load balancer for FedRAMP Moderate Revision 4 compliance, follow these step-by-step instructions:
- 1.
Open the AWS Management Console and navigate to the Amazon EC2 dashboard.
- 2.
Select "Load Balancers" from the left-side menu.
- 3.
Choose the desired ELB application or classic load balancer from the list.
- 4.
Click on the "Attributes" tab.
- 5.
Under the "Access Logs" section, click on the "Edit" button.
- 6.
Enable access logs by ticking the checkbox and providing the desired S3 bucket name and log prefix. Choose an appropriate interval for log rotation.
- 7.
Confirm the IAM role permissions for CloudWatch Logs and S3. If no IAM role is specified, choose an existing role or create a new one.
- 8.
Click on the "Save" button to apply the changes.
- 9.
Once logging is enabled, navigate to the CloudWatch Logs dashboard.
- 10.
Verify that the desired log group is created and associated with the load balancer.
- 11.
Monitor the CloudWatch Logs for any log entries related to the load balancer activities.
By following these steps, you will have successfully enabled logging for the ELB application and classic load balancer, meeting the requirements for FedRAMP Moderate Revision 4 compliance.