
Rule: ELB Application and Classic Load Balancer Logging Should Be Enabled

Ensure that ELB application and classic load balancer logging is enabled for compliance with high severity standards.

Rule: ELB application and classic load balancer logging should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

NIST 800-53 Revision 5: Enable logging for ELB Application and Classic Load Balancer

Description:

Enabling access logging for ELB (Elastic Load Balancing) Application and Classic Load Balancers is a security best practice aligned with NIST 800-53 Revision 5. Access logs record the requests each load balancer receives and make it possible to track and analyze network traffic and potential security events as the logs are delivered. By implementing this rule, organizations strengthen their security posture and meet compliance requirements.

Troubleshooting Steps:

If there are any issues or errors while configuring logging for ELB Application and Classic Load Balancer, follow these troubleshooting steps:

  1. Verify IAM access: Ensure that the user or role you are using has the necessary permissions to enable logging for ELB and to call the required service APIs.
  2. Check resource limits: Confirm that your AWS account does not exceed any limits imposed on ELB or CloudWatch.
  3. Review CloudWatch agent configuration: If you are using the CloudWatch agent to collect logs, make sure the agent is installed and configured correctly.
  4. Examine security groups and network ACLs: Confirm that the ports and protocols required for logging are open in security groups and network ACLs.
  5. Check CloudWatch Logs subscription filters: If you are using CloudWatch Logs subscription filters, verify that the filter pattern is configured correctly.

Necessary Codes:

Here are the necessary codes to enable logging for ELB Application and Classic Load Balancer:

AWS CLI Command:

# Enable access logging for an ELB Application Load Balancer.
# Both attributes are needed: enabling logging without a destination bucket is rejected.
# The bucket policy must also allow the ELB log-delivery principal for your region to write
# objects, otherwise the call fails with an access-denied error.
aws elbv2 modify-load-balancer-attributes --load-balancer-arn YOUR_LB_ARN --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=YOUR_BUCKET_NAME

# Enable access logging for a Classic Load Balancer (same bucket-policy requirement applies):
aws elb modify-load-balancer-attributes --load-balancer-name YOUR_LB_NAME --load-balancer-attributes "{\"AccessLog\":{\"Enabled\":true,\"S3BucketName\":\"YOUR_BUCKET_NAME\"}}"

AWS CloudFormation:

Resources:
  YourLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      # Subnets (and SecurityGroups for an Application Load Balancer) are also
      # required by this resource type and are omitted here for brevity.
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: "true"
        # The destination bucket must exist and its policy must permit ELB log delivery.
        - Key: access_logs.s3.bucket
          Value: YOUR_BUCKET_NAME

Step-by-step Guide for Remediation:

Follow these steps to enable logging for ELB Application and Classic Load Balancer:

  1. ELB Application Load Balancer:

    • Open the AWS Management Console and navigate to the EC2 service.
    • In the navigation pane, select "Load Balancers."
    • Choose the Application Load Balancer you want to enable logging for.
    • Go to the "Attributes" tab.
    • Under "Access Logs," click on "Edit."
    • Enable access logging by selecting the checkbox next to "Enable access logs to an S3 bucket."
    • Choose the S3 bucket where the logs should be stored, or create a new bucket.
    • Click "Save."

  2. Classic Load Balancer:

    • Open the AWS Management Console and navigate to the EC2 service.
    • In the navigation pane, select "Load Balancers."
    • Choose the Classic Load Balancer you want to enable logging for.
    • Go to the "Description" tab.
    • Under the "Attributes" section, click on "Enable Access Logs."
    • Enable access logging by selecting the checkbox next to "Enable access logs."
    • Specify the S3 bucket name where the logs should be stored.
    • Click "Save."

Once logging is enabled, the ELB Application and Classic Load Balancer will start collecting and storing access logs in the specified S3 bucket. The logs can then be analyzed using AWS CloudWatch or other log analysis tools for monitoring and troubleshooting purposes.

Note: It is recommended to regularly monitor and review the logs to detect any abnormal traffic patterns or potential security incidents.
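The rule itself can be checked programmatically from the same attributes the commands above set. The following is an added example written for this page, not Cloud Defense's own rule engine: it evaluates the output shape of describe-load-balancer-attributes for both ALB (Key/Value list) and Classic (AccessLog mapping) load balancers, treating "enabled but no bucket" as non-compliant, and includes an optional live scan that assumes boto3 is installed and credentials are configured.

```python
"""Evaluate the 'ELB access logging enabled' rule from load balancer attributes."""


def evaluate_alb(attributes: list[dict]) -> dict:
    """ALB: `attributes` is the 'Attributes' list returned by describe-load-balancer-attributes."""
    attrs = {a["Key"]: a["Value"] for a in attributes}
    enabled = attrs.get("access_logs.s3.enabled", "false").lower() == "true"
    bucket = attrs.get("access_logs.s3.bucket", "")
    # Logs are only delivered when logging is enabled AND a destination bucket is set.
    return {"compliant": enabled and bool(bucket), "enabled": enabled, "bucket": bucket or None}


def evaluate_classic(attributes: dict) -> dict:
    """Classic: `attributes` is the 'LoadBalancerAttributes' mapping from the same call."""
    access_log = attributes.get("AccessLog") or {}
    enabled = bool(access_log.get("Enabled", False))
    bucket = access_log.get("S3BucketName") or ""
    return {"compliant": enabled and bool(bucket), "enabled": enabled, "bucket": bucket or None}


def audit_region(region: str) -> list[dict]:
    """Live check with boto3 (assumed installed and credentialed); not required offline."""
    import boto3  # imported here so the evaluators above run without boto3

    findings = []
    elbv2 = boto3.client("elbv2", region_name=region)
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            attrs = elbv2.describe_load_balancer_attributes(
                LoadBalancerArn=lb["LoadBalancerArn"])["Attributes"]
            findings.append({"name": lb["LoadBalancerName"], "type": lb["Type"],
                             **evaluate_alb(attrs)})
    elb = boto3.client("elb", region_name=region)
    for page in elb.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancerDescriptions"]:
            attrs = elb.describe_load_balancer_attributes(
                LoadBalancerName=lb["LoadBalancerName"])["LoadBalancerAttributes"]
            findings.append({"name": lb["LoadBalancerName"], "type": "classic",
                             **evaluate_classic(attrs)})
    return findings


# Constructed sample API responses (not captured from a real account).
SAMPLE_ALB_OK = [{"Key": "access_logs.s3.enabled", "Value": "true"},
                 {"Key": "access_logs.s3.bucket", "Value": "example-alb-logs"}]
SAMPLE_ALB_OFF = [{"Key": "access_logs.s3.enabled", "Value": "false"},
                  {"Key": "access_logs.s3.bucket", "Value": ""}]
SAMPLE_CLASSIC_OFF = {"AccessLog": {"Enabled": False}, "CrossZoneLoadBalancing": {"Enabled": True}}

if __name__ == "__main__":
    print(evaluate_alb(SAMPLE_ALB_OK), evaluate_alb(SAMPLE_ALB_OFF), evaluate_classic(SAMPLE_CLASSIC_OFF))
```

Run audit_region("us-east-1") (or any region) to list every load balancer with its compliance verdict; entries with compliant set to False are the ones the rule flags.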
