Rule: ELB Application and Classic Load Balancer Logging Enabled
Ensure logging is enabled for ELB application and classic load balancer.
| Rule | ELB application and classic load balancer logging should be enabled |
| Framework | SOC 2 |
| Severity | ✔ High |
ELB Application and Classic Load Balancer Logging for SOC 2 Compliance
SOC 2 compliance is a framework for managing data that ensures the security, availability, processing integrity, confidentiality, and privacy of customer data. Enabling logging on Elastic Load Balancers (ELB) - both Application Load Balancers (ALBs) and Classic Load Balancers - is a key measure for meeting the monitoring and logging criteria.
Enabling Access Logs on Application Load Balancers (ALB)
Description:
Access logs for ALBs capture detailed information about requests sent to the load balancer. This includes the client’s IP address, request paths, server responses, and latencies. Enabling these logs helps organizations analyze traffic patterns and identify and troubleshoot security and operational issues.
Troubleshooting Steps:
If you encounter issues with ALB logs, the following steps may be helpful:
- 1.Confirm that the S3 bucket policy allows the ALB to write logs.
- 2.Verify that the log file prefix you've specified in the ALB configuration is correct and does not have any restrictions.
- 3.Ensure that your IAM role has sufficient permissions to enable logging.
- 4.Check that the S3 bucket exists and is in the same region as your ALB.
Necessary IAM Permissions:
The following IAM policy allows an ALB to write access logs to an S3 bucket:
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
]
}
Step by Step Guide for Remediation:
Enable logging through AWS Management Console:
- 1.Open the AWS Management Console.
- 2.Navigate to EC2 service and under 'Load Balancing', select 'Load Balancers'.
- 3.Choose your ALB.
- 4.Go to the 'Attributes' tab.
- 5.Select 'Edit attributes'.
- 6.Click on 'Enable access logs'.
- 7.Set the destination S3 bucket where the logs should be stored.
- 8.(Optional) Enter a prefix for the log file names.
- 9.Save the changes.
Enable logging using AWS CLI:
Execute the following AWS CLI command to enable ALB logging:
aws elbv2 modify-load-balancer-attributes \ --load-balancer-arn YOUR_LOAD_BALANCER_ARN \ --attributes Key=access_logs.s3.enabled,Value=true \ Key=access_logs.s3.bucket,Value=YOUR_S3_BUCKET_NAME \ Key=access_logs.s3.prefix,Value=YOUR_LOG_FILE_PREFIX
Enabling Access Logs on Classic Load Balancers
Description:
Classic Load Balancer logging is essential for capturing request information to help detect anomalies, troubleshoot issues, and improve security. Access logs contain details like client IP, request paths, and backend responses.
Troubleshooting Steps:
For troubleshooting Classic Load Balancer logs:
- 1.Validate that the S3 bucket policy is correctly configured.
- 2.Check whether the specified log interval is causing delays in log delivery.
- 3.Confirm that you have selected a valid S3 bucket and that it is accessible.
Necessary IAM Permissions:
The IAM permissions required are similar to those for ALBs.
Step by Step Guide for Remediation:
Enable logging through AWS Management Console:
- 1.Open AWS Management Console.
- 2.Go to the EC2 dashboard and select 'Load Balancers' under 'Load Balancing'.
- 3.Choose the Classic Load Balancer.
- 4.In the 'Attributes' panel, click 'Access Logs'.
- 5.Check 'Enable Access Logs'.
- 6.Specify the S3 bucket and the log file prefix as needed.
- 7.Click 'Save'.
Enable logging using AWS CLI:
To enable logging for a Classic Load Balancer, use the following AWS CLI command:
aws elb enable-access-logs --load-balancer-name YOUR_LOAD_BALANCER_NAME \ --access-log S3BucketName=YOUR_S3_BUCKET_NAME,S3BucketPrefix=YOUR_LOG_FILE_PREFIX,EmitInterval=60
In both cases, ensure that your logging strategy does not create unnecessary costs or manage logs in a way that might lead to sensitive data exposure. Regularly audit your logging policy and configurations.
By following these guidelines, you can effectively enable and manage logging for both Application and Classic Load Balancers within your infrastructure, ensuring your adherence to SOC 2 compliance requirements.