Rule: ELB Application and Classic Load Balancer Logging Enabled
Ensure logging is enabled for ELB application and classic load balancers.
| Rule | ELB application and classic load balancer logging should be enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Ensuring ELB Logging Compliance with NIST 800-53 Revision 5
NIST 800-53 Revision 5 is a set of standards that provides a comprehensive set of controls for federal information systems and organizations to ensure security and privacy. Enabling logging for Elastic Load Balancers (ELB), whether they are Application Load Balancers or Classic Load Balancers, is a key part of maintaining compliance with these standards.
Overview of the Compliance Rule
Under NIST 800-53 Rev. 5, specifically through controls such as SI-4 (Information System Monitoring), organizations are required to collect, analyze, and retain information system audit records. These records help organizations to detect, understand, and respond to incidents that could impair security or operations.
Enabling ELB logging helps to satisfy this compliance need by ensuring that full access logs are collected and stored. Access logs provide detailed data about requests sent to the load balancer, which can be invaluable in security and traffic analysis.
Step-by-Step Guide for Enabling ELB Logging
Application Load Balancer
Enable Access Logging:
- 1.Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- 2.In the Navigation pane, under LOAD BALANCING, choose Load Balancers.
- 3.Select the Application Load Balancer.
- 4.Choose the Attributes tab.
- 5.For Access logs, choose Edit.
- 6.Set Enable access logs to true.
- 7.Specify an S3 bucket where the access logs will be stored. This S3 bucket must already exist and the load balancer must have the necessary permissions to write to the bucket.
- 8.(Optional) Set an S3 bucket prefix to organize logs in a hierarchical structure.
- 9.Choose Save.
S3 Bucket Permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-logs-bucket/*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
}
]
}
Replace
my-logs-bucket123456789012Classic Load Balancer
Enable Access Logging:
- 1.Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- 2.Navigate to LOAD BALANCING > Load Balancers.
- 3.Select the Classic Load Balancer.
- 4.Choose Configuration from the navigation pane.
- 5.In the Access Log section, choose Edit.
- 6.Check Enable Access Log.
- 7.Determine the interval at which the logs are to be published.
- 8.Specify the S3 bucket for the logs.
- 9.(Optional) Specify a prefix.
- 10.Save the changes.
Use the same S3 Bucket Permissions JSON provided for the Application Load Balancer.
Troubleshooting Steps
If logs are not appearing:
- 1.Confirm that the specified S3 bucket exists.
- 2.Check the IAM policies to ensure the load balancer has write access to the S3 bucket.
- 3.Verify that bucket naming conventions and prefixes are correct and without typos.
- 4.Check that the S3 bucket is in the same region as the load balancer.
- 5.Ensure that there are no S3 bucket policies that are preventing the load balancer from delivering the logs.
For additional troubleshooting, AWS CloudTrail can help identify API calls to the load balancer and any actions taken upon it.
Remediating Non-Compliance
If ELB logging is not enabled:
- 1.Follow the steps outlined in "Enable Access Logging" for either Application Load Balancer or Classic Load Balancer to turn on logging.
- 2.Verify that logs are being appropriately stored in the specified S3 bucket.
- 3.Set up a regular review process to ensure logging remains enabled and that logs are retained in accordance with the relevant NIST requirements.
By following these guidelines and ensuring that load balancer logging is enabled and properly configured, your organization can maintain compliance with NIST 800-53 Rev. 5 standards.