Ensure that logging is enabled for ELB application and classic load balancers.
| Rule | ELB application and classic load balancer logging should be enabled |
|---|---|
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | High |
Rule Description: Enable ELB Application and Classic Load Balancer Logging for FFIEC Compliance
To comply with the regulations set by the Federal Financial Institutions Examination Council (FFIEC), access logging must be enabled for Elastic Load Balancers (ELB) of both the Application and Classic types. Access logs record the traffic that passes through the load balancer, which is essential for security monitoring, auditing, and troubleshooting.
Troubleshooting Steps (if any):
Necessary Codes (if any):
The following code samples show how to enable access logging for an ELB and direct the logs to an S3 bucket. Depending on your environment and requirements, you may need to adapt these snippets.
AWS CLI Code Snippet:
```bash
aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn <ELB_ARN> \
  --attributes Key=access_logs.s3.enabled,Value=true \
               Key=access_logs.s3.bucket,Value=<BUCKET_NAME> \
               Key=access_logs.s3.prefix,Value=<BUCKET_PREFIX>
```
AWS SDK for Python (Boto3) Code Snippet:
```python
import boto3

# Client for the ELBv2 API (Application Load Balancers)
elbv2_client = boto3.client('elbv2')

# Turn on access logging and point it at the target S3 bucket and prefix
response = elbv2_client.modify_load_balancer_attributes(
    LoadBalancerArn='<ELB_ARN>',
    Attributes=[
        {'Key': 'access_logs.s3.enabled', 'Value': 'true'},
        {'Key': 'access_logs.s3.bucket', 'Value': '<BUCKET_NAME>'},
        {'Key': 'access_logs.s3.prefix', 'Value': '<BUCKET_PREFIX>'},
    ]
)
```
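As an added example that is not part of this page's own snippets, the following Boto3 script performs the check behind this rule: it lists every Application Load Balancer (elbv2 API) and Classic Load Balancer (elb API) in a region and reports those without access logging enabled, so it covers the Classic type that the snippet above (elbv2 only) does not. It assumes credentials with permission to call the ELB Describe* actions; the sample attribute data at the bottom is constructed for illustration.

```python
"""Audit Application (elbv2) and Classic (elb) load balancers for access logging."""
from __future__ import annotations


def alb_logging_enabled(attributes: list[dict]) -> bool:
    """Evaluate the Attributes list returned by elbv2 describe_load_balancer_attributes."""
    attrs = {a["Key"]: a["Value"] for a in attributes}
    enabled = attrs.get("access_logs.s3.enabled", "false").lower() == "true"
    # A bucket must also be configured, otherwise nothing is actually delivered
    return enabled and bool(attrs.get("access_logs.s3.bucket"))


def classic_logging_enabled(attributes: dict) -> bool:
    """Evaluate LoadBalancerAttributes returned by elb describe_load_balancer_attributes."""
    access_log = attributes.get("AccessLog", {})
    return bool(access_log.get("Enabled")) and bool(access_log.get("S3BucketName"))


def find_unlogged_load_balancers(region: str) -> list[str]:
    """Return ARNs (ALB) and names (Classic) of load balancers without access logging."""
    import boto3  # imported here so the evaluation functions above work without the SDK

    findings: list[str] = []
    elbv2 = boto3.client("elbv2", region_name=region)
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb["Type"] != "application":  # this rule covers ALB and Classic only
                continue
            attrs = elbv2.describe_load_balancer_attributes(
                LoadBalancerArn=lb["LoadBalancerArn"])["Attributes"]
            if not alb_logging_enabled(attrs):
                findings.append(lb["LoadBalancerArn"])

    elb = boto3.client("elb", region_name=region)
    for page in elb.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancerDescriptions"]:
            attrs = elb.describe_load_balancer_attributes(
                LoadBalancerName=lb["LoadBalancerName"])["LoadBalancerAttributes"]
            if not classic_logging_enabled(attrs):
                findings.append(lb["LoadBalancerName"])
    return findings


# Constructed sample data (not real AWS output) showing a passing ALB and a failing Classic ELB
SAMPLE_ALB_ATTRS = [{"Key": "access_logs.s3.enabled", "Value": "true"},
                    {"Key": "access_logs.s3.bucket", "Value": "example-elb-logs"}]
SAMPLE_CLASSIC_ATTRS = {"AccessLog": {"Enabled": False}}

if __name__ == "__main__":
    print("sample ALB compliant:", alb_logging_enabled(SAMPLE_ALB_ATTRS))
    print("sample Classic compliant:", classic_logging_enabled(SAMPLE_CLASSIC_ATTRS))
```

Run `find_unlogged_load_balancers("us-east-1")` (or your region) with valid credentials; an empty list means every ALB and Classic ELB in that region satisfies the rule.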
Step-by-Step Guide for Remediation:
1. Identify the Elastic Load Balancer (ELB) instances that need logging enabled, and note down the ARN (Amazon Resource Name) of each ELB required for compliance.
2. Determine the AWS region in which the ELBs exist.
3. Ensure that you have the necessary permissions to modify the load balancer attributes.
4. Choose the appropriate method to configure ELB logging (CLI or SDK). The examples provided above use the AWS CLI and the Python SDK (Boto3) for illustration purposes.
5. Open your preferred command-line interface (CLI) or Integrated Development Environment (IDE).
6. If using the AWS CLI, run the provided code snippet, replacing <ELB_ARN>, <BUCKET_NAME>, and <BUCKET_PREFIX> with the correct values for your environment. If using the AWS SDK for Python (Boto3), use the provided code snippet, making the necessary modifications for your environment.
7. Verify that the logging attributes were successfully modified by checking the response from the API call or by inspecting the load balancer attributes.
8. Repeat the process for each ELB instance that requires logging enabled.
9. Monitor the S3 bucket where the logs are stored to ensure they are being generated and updated correctly.
By following these steps, you will enable logging for ELB Application and Classic Load Balancers, satisfying the FFIEC compliance requirements.