
Enable AWS ALB (ELBv2) Access Logging

Security

Risk level: Medium (should be achieved)

Ensure that your Amazon Application Load Balancers (ALBs) have the Access Logging feature enabled for security, troubleshooting and statistical analysis purposes.

After you enable and configure access logging for your AWS Application Load Balancers, the log files will be delivered to the S3 bucket of your choice. The log files contain data about each HTTP/HTTPS request processed by the load balancer, data that can be extremely useful for analyzing traffic patterns, implementing protection plans and identifying and troubleshooting security issues.

Audit

To determine if access logging is enabled for your Application Load Balancers (ALBs), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the Application Load Balancer that you want to examine.

05 Select Description tab from the dashboard bottom panel to view the ELBv2 resource description.

06 Inside Attributes section, check the Access logs configuration attribute value. If the attribute value is set to Disabled, the Access Logging feature is not enabled for the selected AWS Application Load Balancer.

07 Repeat steps no. 4 – 6 to verify Access Logging feature status for other AWS load balancers provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all your Application Load Balancers available within the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'

02 The command output should return an array with the requested ARN(s):

[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-alb/aaaabbbbccccdddd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-alb/aaaabbbbccccdddd"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the ALB that you want to examine as identifier and custom query filters to check the Access Logging feature status for the selected ELBv2 resource:

aws elbv2 describe-load-balancer-attributes \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-alb/aaaabbbbccccdddd \
	--query 'Attributes[?(Key == `access_logs.s3.enabled`)].Value | []'

04 The command output should return the requested feature status (true for enabled, false for disabled):

[
    "false"
]

If the describe-load-balancer-attributes command output returns "false", as shown in the output example above, the Access Logging feature is not currently enabled for the selected AWS Application Load Balancer.

05 Repeat steps no. 3 and 4 to verify Access Logging feature status for other AWS load balancers provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
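The audit steps above, automated across every region as an added example (this is not Cloud Conformity's code). The pure functions work on the attribute lists that describe-load-balancer-attributes returns and need no AWS access; audit_region() and the main block assume boto3 and configured credentials.

```python
"""Audit every region for Application Load Balancers without access logging.
Added example, not Cloud Conformity's code. The pure functions need no AWS
access; audit_region() and main need boto3 and configured credentials."""
from typing import Callable, Dict, Iterable, List

WANTED = ("access_logs.s3.enabled", "access_logs.s3.bucket", "access_logs.s3.prefix")


def access_logging_status(attributes: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Reduce an ELBv2 attribute list to the three access_logs.s3.* keys."""
    return {a["Key"]: a["Value"] for a in attributes if a["Key"] in WANTED}


def is_compliant(attributes: Iterable[Dict[str, str]]) -> bool:
    """Compliant only when logging is enabled AND a destination bucket is set."""
    status = access_logging_status(attributes)
    return (status.get("access_logs.s3.enabled") == "true"
            and bool(status.get("access_logs.s3.bucket")))


def find_noncompliant(load_balancers: Iterable[Dict],
                      fetch_attributes: Callable[[str], List[Dict[str, str]]]) -> List[str]:
    """ARNs of ALBs (Type == application; NLBs are skipped) whose logging is off."""
    return [lb["LoadBalancerArn"] for lb in load_balancers
            if lb.get("Type") == "application"
            and not is_compliant(fetch_attributes(lb["LoadBalancerArn"]))]


def audit_region(region: str) -> List[str]:
    """Live audit of one region: the same two API calls as the CLI steps above."""
    import boto3  # imported here so the pure functions stay importable without boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    lbs = [lb for page in elbv2.get_paginator("describe_load_balancers").paginate()
           for lb in page["LoadBalancers"]]

    def fetch(arn: str) -> List[Dict[str, str]]:
        return elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]

    return find_noncompliant(lbs, fetch)


if __name__ == "__main__":
    import boto3
    from botocore.exceptions import ClientError
    for region in boto3.session.Session().get_available_regions("elbv2"):
        try:
            findings = audit_region(region)
        except ClientError as err:  # e.g. an opt-in region that is not enabled
            print(f"{region}: skipped ({err.response['Error']['Code']})")
            continue
        for arn in findings:
            print(f"{region}: access logging DISABLED on {arn}")
```

A load balancer with access_logs.s3.enabled set to true but no bucket configured is reported as non-compliant as well, since no log files would be delivered.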

Remediation / Resolution

To enable access logging for your AWS Application Load Balancers (ALBs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the Application Load Balancer that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select Description tab from the dashboard bottom panel to view the ELBv2 resource description.

06 Within Attributes section, click Edit attributes button to access the load balancer attributes configuration.

07 Inside Edit load balancer attributes dialog box, set the following:

  1. Check Enable access logs checkbox to enable the feature.
  2. For S3 location, enter a unique name (e.g. alb-access-logging) and a prefix (optional) for the S3 bucket that will store the log files.
  3. Check Create this location for me checkbox to let Amazon Web Services create the new bucket for you. If you don’t request this option, you must provide the name of an existing S3 bucket available in the same region as the selected load balancer.
  4. Click Save to apply the changes. The Access Logs attribute value should now change to Enabled.

08 Repeat steps no. 4 – 7 to enable access logging for other AWS Application Load Balancers provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the S3 bucket that will store the load balancer log files. The S3 bucket must be created in the same AWS region as the selected ALB:

aws s3api create-bucket \
	--region us-east-1 \
	--bucket alb-access-logging

02 The command output should return the new S3 bucket URL:

{
    "Location": "/alb-access-logging"
}

03 Now define the access policy that grants the selected Application Load Balancer the permission to write to the newly created bucket. Create a new policy document named alb-access-logging-policy.json and paste the following (replace the placeholder values, i.e. the bucket name, the prefix and the AWS account ID, with your own details, or use AWS Policy Generator - http://awspolicygen.s3.amazonaws.com/policygen.html to create your own access policy):

{
  "Id": "ALB-Access-Logging-Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1891778278769",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::alb-access-logging/webapp/AWSLogs/123456789012/*",
      "Principal": {
        "AWS": [
          "123456789012"
        ]
      }
    }
  ]
}

04 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the access policy defined at the previous step (i.e. alb-access-logging-policy.json) to the newly created S3 bucket:

aws s3api put-bucket-policy \
	--bucket alb-access-logging \
	--policy file://alb-access-logging-policy.json

05 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer that you want to reconfigure as identifier to enable Access Logging feature for the selected ELBv2 resource:

aws elbv2 modify-load-balancer-attributes \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-alb/aaaabbbbccccdddd \
	--attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=alb-access-logging Key=access_logs.s3.prefix,Value=webapp

06 The command output should return the attributes metadata for the modified load balancer:

{
    "Attributes": [
        {
            "Value": "true",
            "Key": "deletion_protection.enabled"
        },
        {
            "Value": "true",
            "Key": "access_logs.s3.enabled"
        },
        {
            "Value": "60",
            "Key": "idle_timeout.timeout_seconds"
        },
        {
            "Value": "webapp",
            "Key": "access_logs.s3.prefix"
        },
        {
            "Value": "alb-access-logging",
            "Key": "access_logs.s3.bucket"
        }
    ]
}

07 Repeat steps no. 1 – 6 to enable access logging for other Amazon Application Load Balancers available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the remediation process for other regions.
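The CLI remediation steps above (create the bucket, attach the policy, enable the attributes) as an added boto3 example that is not Cloud Conformity's code; it assumes boto3 and configured credentials, and the bucket, prefix, ARN and account ID are the placeholders from this page. Its bucket policy differs from the one above in one respect: the principal it grants s3:PutObject to is the regional Elastic Load Balancing account that AWS documents as the writer of ALB access logs (127311923021 for us-east-1), not the load balancer owner's account ID.

```python
"""Create the log bucket, attach the bucket policy and switch ALB access
logging on. Added example, not Cloud Conformity's code; needs boto3 and
credentials. The policy principal is the regional Elastic Load Balancing
account from the AWS documentation, which is what writes the log objects."""
import json
from typing import Dict

# Regional Elastic Load Balancing accounts that deliver ALB access logs (subset;
# add other regions from the AWS documentation table). Regions opened after
# Aug 2022 use a service principal instead, which this example does not handle.
ELB_ACCOUNTS = {
    "us-east-1": "127311923021", "us-east-2": "033677994240",
    "us-west-1": "027434742980", "us-west-2": "797873946194",
    "eu-west-1": "156460612806", "eu-central-1": "054676820928",
}


def log_bucket_policy(bucket: str, prefix: str, account_id: str, region: str) -> Dict:
    """Allow the region's ELB account to put objects under <prefix>/AWSLogs/<account>/."""
    elb_account = ELB_ACCOUNTS[region]  # KeyError means: look the region up first
    path = prefix.strip("/") + "/" if prefix.strip("/") else ""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ALBAccessLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{elb_account}:root"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/*",
        }],
    }


def enable_access_logging(region: str, lb_arn: str, bucket: str,
                          prefix: str, account_id: str) -> Dict[str, str]:
    """Steps 1, 4 and 5 of the CLI remediation; returns the resulting attributes."""
    import boto3
    s3 = boto3.client("s3", region_name=region)
    args = {"Bucket": bucket}
    if region != "us-east-1":  # every other region requires a LocationConstraint
        args["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**args)
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(log_bucket_policy(bucket, prefix, account_id, region)))
    elbv2 = boto3.client("elbv2", region_name=region)
    resp = elbv2.modify_load_balancer_attributes(
        LoadBalancerArn=lb_arn,
        Attributes=[{"Key": "access_logs.s3.enabled", "Value": "true"},
                    {"Key": "access_logs.s3.bucket", "Value": bucket},
                    {"Key": "access_logs.s3.prefix", "Value": prefix}])
    return {a["Key"]: a["Value"] for a in resp["Attributes"]}
```

Call it as enable_access_logging("us-east-1", "<ALB ARN from the Audit section>", "alb-access-logging", "webapp", "123456789012"); the Resource path in the policy must match the prefix you pass, or log delivery fails with an access error.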

Publication date Dec 19, 2017