ELBv2 ALB Access Log Disabled

  • Query id: c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621
  • Query name: ELBv2 ALB Access Log Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String

  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to

  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>

  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String

  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to

  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>

  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancertest:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: false
Positive test num. 3 - json file
{
  "Parameters": {
    "SecurityGroup": {
      "Description": "Select the Security Group to apply to the Application Load Balancer",
      "Type": "AWS::EC2::SecurityGroup::Id"
    },
    "EnvironmentName": {
      "Description": "An environment name that will be prefixed to resource names",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Choose which VPC the Application Load Balancer should be deployed to"
    },
    "Subnets": {
      "Description": "Choose which subnets the Application Load Balancer should be deployed to",
      "Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
    }
  },
  "Resources": {
    "LoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "EnvironmentName",
        "Subnets": "Subnets",
        "SecurityGroups": [
          "SecurityGroup"
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "EnvironmentName"
          }
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A simple EC2 instance"
}

Positive test num. 4 - json file
{
  "Description": "A simple EC2 instance",
  "Parameters": {
    "SecurityGroup": {
      "Description": "Select the Security Group to apply to the Application Load Balancer",
      "Type": "AWS::EC2::SecurityGroup::Id"
    },
    "EnvironmentName": {
      "Description": "An environment name that will be prefixed to resource names",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Choose which VPC the Application Load Balancer should be deployed to"
    },
    "Subnets": {
      "Description": "Choose which subnets the Application Load Balancer should be deployed to",
      "Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
    }
  },
  "Resources": {
    "LoadBalancertest": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "EnvironmentName",
        "Subnets": "Subnets",
        "SecurityGroups": [
          "SecurityGroup"
        ],
        "Tags": [
          {
            "Value": "EnvironmentName",
            "Key": "Name"
          }
        ],
        "LoadBalancerAttributes": [
          {
            "Key": "access_logs.s3.enabled",
            "Value": false
          }
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String

  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to

  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>

  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: true
Negative test num. 2 - json file
{
  "Description": "A simple EC2 instance",
  "Parameters": {
    "EnvironmentName": {
      "Description": "An environment name that will be prefixed to resource names",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Choose which VPC the Application Load Balancer should be deployed to"
    },
    "Subnets": {
      "Description": "Choose which subnets the Application Load Balancer should be deployed to",
      "Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
    },
    "SecurityGroup": {
      "Description": "Select the Security Group to apply to the Application Load Balancer",
      "Type": "AWS::EC2::SecurityGroup::Id"
    }
  },
  "Resources": {
    "LoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "SecurityGroups": [
          "SecurityGroup"
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "EnvironmentName"
          }
        ],
        "LoadBalancerAttributes": [
          {
            "Key": "access_logs.s3.enabled",
            "Value": true
          }
        ],
        "Name": "EnvironmentName",
        "Subnets": "Subnets"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}