
Rule: ELB Application and Classic Load Balancer Logging Enabled

Ensure that ELB application and classic load balancer logging is enabled for better security compliance.

Rule: ELB application and classic load balancer logging should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

ELB (Elastic Load Balancer) application and classic load balancer logging should be enabled to comply with the NIST 800-53 Revision 5 security requirements. Enabling access logging supports monitoring and analysis of the traffic that passes through the load balancer, providing valuable insight into potential security threats and aiding incident response.

Remediation:

To enable load balancer logging, follow the steps below:

For Application Load Balancer:

  1. Open the AWS Management Console and navigate to the EC2 service.
  2. In the navigation pane, click on "Load Balancers".
  3. Select your Application Load Balancer from the list.
  4. Under the "Description" tab, click on the "Edit attributes" button.
  5. In the "Access logs" section, click on the "Enable access logs" checkbox.
  6. Specify the "S3 Bucket" where you want the logs to be stored. If you don't have an existing S3 bucket, click on "Create a new S3 bucket" to create one.
  7. (Optional) You can define a "Log prefix" to organize your logs by prefixing them with a specific string.
  8. Click on the "Save" button to enable logging for your Application Load Balancer.

For Classic Load Balancer:

  1. Open the AWS Management Console and navigate to the EC2 service.
  2. In the navigation pane, click on "Load Balancers".
  3. Select your Classic Load Balancer from the list.
  4. Under the "Description" tab, click on the "Edit attributes" button.
  5. In the "Access logs" section, click on the "Enable access logs" checkbox.
  6. Specify the "S3 Bucket" where you want the logs to be stored. If you don't have an existing S3 bucket, click on "Create a new S3 bucket" to create one.
  7. (Optional) You can define a "Bucket prefix" to organize your logs by prefixing them with a specific string.
  8. Click on the "Save" button to enable logging for your Classic Load Balancer.

Troubleshooting Steps:

If you encounter any issues while enabling logging for ELB, here are some troubleshooting steps you can follow:

  1. Make sure that you have the necessary permissions to enable logging and access the specified S3 bucket. Check your IAM (Identity and Access Management) policies.
  2. Verify that the S3 bucket exists and that you have provided the correct bucket name during the logging configuration.
  3. Ensure that the S3 bucket has the appropriate write permissions for the ELB service. You can configure this in the bucket's IAM policy or bucket policy.
  4. Check the CloudTrail logs for any relevant error messages or events related to ELB configuration.
  5. Ensure that there is sufficient free space in the S3 bucket to store the logs. If the bucket is full, you may need to increase its capacity or delete older logs.
  6. Verify that the ELB is in an active state and properly associated with your EC2 instances or other resources.

If the issue persists, it is recommended to consult the AWS documentation or contact AWS support for further assistance.

Code Samples:

There are no specific code samples required for enabling load balancer logging. The configuration is done through the AWS Management Console using the steps mentioned above.
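As an added example that is not part of the original rule page, the check below evaluates this rule offline against the attribute shapes that boto3's elbv2 and elb describe_load_balancer_attributes calls return; the load balancer names and attribute values are constructed, and treating an enabled flag with no destination bucket as non-compliant is an assumption of this checker.

```python
"""Evaluate "ELB access logging enabled" against load balancer attribute data.

Added example, not CloudDefense's own rule engine. Input shapes mirror boto3:
elbv2 returns a flat Key/Value list, classic elb nests the flag under AccessLog.
"""
from typing import Any

# Constructed sample (elbv2 shape): one ALB with logging on, one with it off.
ALB_ATTRS = {
    "alb-payments": [
        {"Key": "access_logs.s3.enabled", "Value": "true"},
        {"Key": "access_logs.s3.bucket", "Value": "example-elb-logs"},
        {"Key": "access_logs.s3.prefix", "Value": "payments"},
    ],
    "alb-internal": [
        {"Key": "access_logs.s3.enabled", "Value": "false"},
        {"Key": "access_logs.s3.bucket", "Value": ""},
    ],
}

# Constructed sample (classic elb shape): the LoadBalancerAttributes dict.
CLB_ATTRS = {
    "clb-legacy": {"AccessLog": {"Enabled": True, "S3BucketName": "example-elb-logs",
                                 "EmitInterval": 60, "S3BucketPrefix": "legacy"}},
    "clb-test": {"AccessLog": {"Enabled": False}},
}


def alb_logging_enabled(attributes: list[dict[str, str]]) -> bool:
    """ALB attributes carry the flag as the string "true"/"false".
    Assumption: logging counts only when a destination bucket is set too."""
    kv = {a["Key"]: a["Value"] for a in attributes}
    enabled = kv.get("access_logs.s3.enabled", "false").lower() == "true"
    return enabled and bool(kv.get("access_logs.s3.bucket"))


def clb_logging_enabled(attributes: dict[str, Any]) -> bool:
    """Classic ELB attributes nest a real boolean under AccessLog.Enabled."""
    access_log = attributes.get("AccessLog", {})
    return bool(access_log.get("Enabled")) and bool(access_log.get("S3BucketName"))


def find_noncompliant(albs: dict, clbs: dict) -> list[str]:
    """Names of load balancers that fail the rule, sorted for stable reporting."""
    failing = [n for n, attrs in albs.items() if not alb_logging_enabled(attrs)]
    failing += [n for n, attrs in clbs.items() if not clb_logging_enabled(attrs)]
    return sorted(failing)


if __name__ == "__main__":
    for name in find_noncompliant(ALB_ATTRS, CLB_ATTRS):
        print(f"NON-COMPLIANT (High): {name} has access logging disabled")
```

To run it against a real account, replace the two constructed dictionaries with the results of describe_load_balancer_attributes for each load balancer.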
