This rule requires access logging to be enabled on every ELB Application Load Balancer and Classic Load Balancer, so that requests passing through the load balancer are recorded and can be monitored and investigated.
| Field | Value |
|---|---|
| Rule | ELB application and classic load balancer logging should be enabled |
| Framework | NIST 800-171 Revision 2 |
| Severity | High |
NIST 800-171 Revision 2: Enable ELB Application and Classic Load Balancer Logging
Description:
NIST (National Institute of Standards and Technology) Special Publication 800-171 Revision 2 does not name AWS services; this check maps to its Audit and Accountability family (requirements 3.3.x, beginning with 3.3.1: create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity). Access logs for Application Load Balancers and Classic Load Balancers record each request with the client IP address and port, the request line, the user agent, the load balancer and backend (target) status codes, processing latencies, and the negotiated TLS protocol and cipher, which is the evidence needed to investigate scanning, abuse and suspicious traffic reaching the application. These logs are delivered to an Amazon S3 bucket; they are not written to CloudWatch Logs.
Troubleshooting Steps:
In case you encounter any issues while enabling ELB logging, follow these troubleshooting steps:
Confirm that your IAM (Identity and Access Management) principal is allowed to call elasticloadbalancing:ModifyLoadBalancerAttributes on the load balancer, and that no permissions boundary or service control policy blocks it.
Confirm that the load balancer is in the active state and that you are working in the region where it lives; check for any misconfiguration that could cause the attribute change to fail.
Confirm that the destination S3 bucket exists, is in the same region as the load balancer, and has a bucket policy granting s3:PutObject on the log prefix to the Elastic Load Balancing service (the regional Elastic Load Balancing account, or the logdelivery.elasticloadbalancing.amazonaws.com service principal in regions opened after August 2022). When logging is enabled the service writes a test object to the bucket, and the API call fails with an access-denied error if that permission is missing. If the bucket uses server-side encryption, Application Load Balancer access logs require SSE-S3; SSE-KMS is not supported. Access logs for these load balancers cannot be sent to CloudWatch Logs.
Review the AWS CloudTrail event for ModifyLoadBalancerAttributes to see which principal made the call and the error code the API returned. CloudTrail records every API call made against the account and is the first place to look for a rejected change.
If all troubleshooting steps fail, consider reaching out to AWS Support for further assistance. Provide them with relevant details, error messages, and steps performed to help them troubleshoot the issue more effectively.
Necessary Codes (if applicable):
To enable logging from the AWS Command Line Interface (CLI), use the following command for a Classic Load Balancer (EmitInterval is in minutes and must be either 5 or 60):
aws elb modify-load-balancer-attributes --load-balancer-name <Load-Balancer-Name> --load-balancer-attributes "{ \"AccessLog\": { \"Enabled\": true, \"S3BucketName\": \"<S3-Bucket-Name>\", \"EmitInterval\": 5, \"S3BucketPrefix\": \"<Optional-Bucket-Prefix>\" } }"
Application Load Balancers are managed through the separate elbv2 API (aws elbv2 modify-load-balancer-attributes, addressed by load balancer ARN and using the access_logs.s3.enabled, access_logs.s3.bucket and access_logs.s3.prefix attributes); the elb command above does not apply to them.
Replace <Load-Balancer-Name> with the name of your load balancer and <S3-Bucket-Name> with the name of the S3 bucket where the logs should be stored. You can also include an optional <Optional-Bucket-Prefix> to organize logs within the bucket.

Step-by-Step Guide for Remediation:
To enable logging for ELB Application and Classic Load Balancer, follow the step-by-step guide below:
Log in to the AWS Management Console.
Navigate to the EC2 service.
In the navigation pane, click on "Load Balancers".
Select the relevant ELB Application or Classic Load Balancer from the list.
Open the "Attributes" tab (on older console layouts, scroll to the "Attributes" section of the "Description" tab).
Click "Edit" and locate the "Access logs" setting (listed under "Monitoring" for an Application Load Balancer).
Enable access logs.
Specify the destination S3 bucket. It must be in the same region as the load balancer, and its bucket policy must allow the Elastic Load Balancing service to write to it; you can choose an existing bucket or create a new one.
Optionally, specify a prefix to organize the logs within the bucket.
For a Classic Load Balancer, set the "Emit Interval" to 5 or 60 minutes; this determines how often log files are delivered to the bucket. Application Load Balancers deliver log files every 5 minutes and have no interval setting.
Click on the "Save" button to save the changes.
Validate that logging is enabled by reviewing the load balancer's "Attributes" and confirming that the access log settings reflect the desired configuration. From the CLI, aws elb describe-load-balancer-attributes (Classic) or aws elbv2 describe-load-balancer-attributes (Application) returns the same settings, and new log objects should appear under <bucket>/<prefix>/AWSLogs/<account-id>/ after the first delivery interval.
Repeat these steps for each ELB Application or Classic Load Balancer that needs logging enabled.
By following these steps, you will enable access logging for every ELB Application and Classic Load Balancer, satisfying the audit logging expectation that this NIST 800-171 Revision 2 check maps to.
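As an added example that is not part of the original page or of AWS's own tooling, the Python script below implements the check this rule performs and produces the matching remediation: it evaluates describe-load-balancer-attributes output for both Classic and Application Load Balancers, emits the aws elb or aws elbv2 command that enables logging for each non-compliant one, and builds the S3 bucket policy the log destination needs. The load balancer names, ARNs, the bucket name acme-elb-logs and the account IDs are constructed sample data; the Elastic Load Balancing account ID for your region must be taken from the AWS documentation.

```python
"""Audit Classic and Application Load Balancers for S3 access logging.

Added example, not from the original page. The sample inputs below are
constructed to match the JSON shape returned by
`aws elb describe-load-balancer-attributes` (Classic) and
`aws elbv2 describe-load-balancer-attributes` (ALB); feed real CLI or
boto3 output into audit() to check an account.
"""
import json

# Constructed sample data (not real load balancers or accounts).
CLASSIC_SAMPLE = {
    "web-classic": {"LoadBalancerAttributes": {"AccessLog": {
        "Enabled": True, "S3BucketName": "acme-elb-logs",
        "EmitInterval": 60, "S3BucketPrefix": "classic/web"}}},
    "legacy-classic": {"LoadBalancerAttributes": {"AccessLog": {"Enabled": False}}},
}
ALB_SAMPLE = {
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/api-alb/0123456789abcdef": {
        "Attributes": [
            {"Key": "access_logs.s3.enabled", "Value": "true"},
            {"Key": "access_logs.s3.bucket", "Value": "acme-elb-logs"},
            {"Key": "access_logs.s3.prefix", "Value": "alb/api"},
        ]},
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/internal-alb/fedcba9876543210": {
        "Attributes": [
            {"Key": "access_logs.s3.enabled", "Value": "false"},
            {"Key": "access_logs.s3.bucket", "Value": ""},
        ]},
}


def classic_logging_enabled(attrs):
    """True if a Classic LB has access logs switched on with a bucket set."""
    log = attrs.get("LoadBalancerAttributes", {}).get("AccessLog", {})
    return bool(log.get("Enabled")) and bool(log.get("S3BucketName"))


def alb_logging_enabled(attrs):
    """True if an ALB has access_logs.s3.enabled=true and a bucket set.
    ALB attributes are a list of Key/Value pairs whose values are strings."""
    kv = {a["Key"]: a["Value"] for a in attrs.get("Attributes", [])}
    return (kv.get("access_logs.s3.enabled", "false").lower() == "true"
            and bool(kv.get("access_logs.s3.bucket")))


def remediation_command(lb_type, lb_id, bucket, prefix=""):
    """Return the AWS CLI command that enables access logs for one LB.
    Classic takes a JSON attribute document (EmitInterval must be 5 or 60);
    ALB takes Key=...,Value=... pairs on the elbv2 API."""
    if lb_type == "classic":
        doc = {"AccessLog": {"Enabled": True, "S3BucketName": bucket,
                             "EmitInterval": 60, "S3BucketPrefix": prefix}}
        return ("aws elb modify-load-balancer-attributes "
                f"--load-balancer-name {lb_id} "
                f"--load-balancer-attributes '{json.dumps(doc)}'")
    return ("aws elbv2 modify-load-balancer-attributes "
            f"--load-balancer-arn {lb_id} --attributes "
            "Key=access_logs.s3.enabled,Value=true "
            f"Key=access_logs.s3.bucket,Value={bucket} "
            f"Key=access_logs.s3.prefix,Value={prefix}")


def audit(classic, albs, bucket="acme-elb-logs"):
    """Return one finding (with its fix) per load balancer violating the rule."""
    findings = []
    for name, attrs in classic.items():
        if not classic_logging_enabled(attrs):
            findings.append({"type": "classic", "id": name,
                             "fix": remediation_command("classic", name, bucket, f"classic/{name}")})
    for arn, attrs in albs.items():
        if not alb_logging_enabled(attrs):
            lb_name = arn.split("/")[2]  # .../loadbalancer/app/<name>/<id>
            findings.append({"type": "application", "id": arn,
                             "fix": remediation_command("application", arn, bucket, f"alb/{lb_name}")})
    return findings


def bucket_policy(bucket, elb_principal, aws_account_id, prefix=""):
    """Bucket policy the log destination needs so Elastic Load Balancing can
    write objects. elb_principal is the regional Elastic Load Balancing account
    root ARN (arn:aws:iam::<elb-account-id>:root) or, in regions opened after
    August 2022, the service principal logdelivery.elasticloadbalancing.amazonaws.com."""
    principal = ({"Service": elb_principal} if elb_principal.endswith(".amazonaws.com")
                 else {"AWS": elb_principal})
    path = f"{prefix}/" if prefix else ""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principal, "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/{path}AWSLogs/{aws_account_id}/*"}]}


if __name__ == "__main__":
    for f in audit(CLASSIC_SAMPLE, ALB_SAMPLE):
        print(f"{f['type']:<12}{f['id']}\n  {f['fix']}")
    print(json.dumps(bucket_policy("acme-elb-logs", "arn:aws:iam::<elb-account-id>:root",
                                   "123456789012", "alb"), indent=2))
```

Running the script lists the two non-compliant sample load balancers with the exact command that fixes each; the generated commands only succeed once the bucket carries the policy from bucket_policy() with the real Elastic Load Balancing account ID (or service principal) for the region.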