Rule: ELB Application and Classic Load Balancer Logging Enabled
This rule ensures that ELB application and classic load balancer logging are enabled for improved monitoring and security.
| Rule | ELB application and classic load balancer logging should be enabled |
| Framework | CISA-cyber-essentials |
| Severity | ✔ High |
Enabling Logging for ELB Application and Classic Load Balancers for CISA Cyber Essentials
Logging in ELB (Elastic Load Balancing) is a critical feature for monitoring and security. It allows you to capture detailed information about requests sent to your load balancer, helping to meet compliance requirements such as CISA Cyber Essentials. Below are the steps to enable and troubleshoot logging for both Application Load Balancers and Classic Load Balancers.
Enabling Access Logging for Application Load Balancers
Step 1: Grant Permissions to the S3 Bucket
Before enabling logging, ensure that your ELB has permissions to store logs in an S3 bucket.
CLI Command to Attach Bucket Policy:
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://bucket_policy.json
bucket_policy.json{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticloadbalancing.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::BUCKET_NAME/AWSLogs/ACCOUNT_ID/*"
}
]
}
Replace
BUCKET_NAMEACCOUNT_IDStep 2: Enable Logging via AWS Console or CLI
AWS Console:
- 1.Go to the EC2 service.
- 2.Navigate to ‘Load Balancers’ under ‘Load Balancing’.
- 3.Select the load balancer.
- 4.Go to the ‘Attributes’ tab.
- 5.Find ‘Access logs’ and click on ‘Edit’.
- 6.Enable logging and set the S3 bucket name.
- 7.Save changes.
CLI Command to Enable Logging:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn ELB_ARN --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=BUCKET_NAME Key=access_logs.s3.prefix,Value=logs
Replace
ELB_ARNBUCKET_NAMElogsEnabling Access Logging for Classic Load Balancers
Step 1: Grant Permissions to the S3 Bucket
The permission policy for Classic Load Balancers is similar to Application Load Balancers. Ensure the bucket policy allows
s3:PutObjectStep 2: Enable Logging via AWS Console or CLI
AWS Console:
- 1.Go to the EC2 service.
- 2.Navigate to ‘Load Balancers’ under ‘Load Balancing’.
- 3.Select the load balancer.
- 4.Scroll down to the ‘Access Logs’ section.
- 5.Choose ‘Enable’ and put in your S3 bucket information.
- 6.Save changes.
CLI Command to Enable Logging:
aws elb enable-access-logs --load-balancer-name ELB_NAME --s3-bucket-name BUCKET_NAME --s3-bucket-prefix logs
Replace
ELB_NAMEBUCKET_NAMElogsTroubleshooting
If logs are not appearing in the S3 bucket:
- 1.Check S3 Bucket Permissions: Ensure the bucket policy allows writes from ELB.
- 2.Check Load Balancer Attributes: Re-verify that logging is enabled with the correct settings in the ELB attributes.
- 3.Check Prefix: Confirm that the prefix does not contain any restricted characters and is correctly set.
- 4.Bucket Naming: Ensure there are no typos in the bucket name within the ELB settings.
Remediation for Common Issues
For incorrect bucket policies, correct the policy and update it using the
put-bucket-policyTo employ the best practices for CISA Cyber Essentials, make sure logging is part of a broader monitoring and review strategy. Regularly audit your logging configuration and access patterns for compliance and security purposes.