ELBv2 ALB Access Log Disabled
- Query id: c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621
- Query name: ELBv2 ALB Access Log Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- URL: Github
Description
ELBv2 Application Load Balancers (ALBs) should have access logging enabled so that detailed information about the requests sent to the load balancer is captured. In CloudFormation this is the `access_logs.s3.enabled` entry of the load balancer's `LoadBalancerAttributes`, which must be present and set to true; a resource that omits the attribute is treated the same as one that sets it to false.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to
  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
```
Positive test num. 2 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to
  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancertest:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: false
```
Positive test num. 3 - json file
```json
{
  "Parameters": {
    "SecurityGroup": {
      "Description": "Select the Security Group to apply to the Application Load Balancer",
      "Type": "AWS::EC2::SecurityGroup::Id"
    },
    "EnvironmentName": {
      "Description": "An environment name that will be prefixed to resource names",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Choose which VPC the Application Load Balancer should be deployed to"
    },
    "Subnets": {
      "Description": "Choose which subnets the Application Load Balancer should be deployed to",
      "Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
    }
  },
  "Resources": {
    "LoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "EnvironmentName",
        "Subnets": "Subnets",
        "SecurityGroups": [
          "SecurityGroup"
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "EnvironmentName"
          }
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A simple EC2 instance"
}
```
Positive test num. 4 - json file
```json
{
  "Description": "A simple EC2 instance",
  "Parameters": {
    "SecurityGroup": {
      "Description": "Select the Security Group to apply to the Application Load Balancer",
      "Type": "AWS::EC2::SecurityGroup::Id"
    },
    "EnvironmentName": {
      "Description": "An environment name that will be prefixed to resource names",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Choose which VPC the Application Load Balancer should be deployed to"
    },
    "Subnets": {
      "Description": "Choose which subnets the Application Load Balancer should be deployed to",
      "Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
    }
  },
  "Resources": {
    "LoadBalancertest": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "EnvironmentName",
        "Subnets": "Subnets",
        "SecurityGroups": [
          "SecurityGroup"
        ],
        "Tags": [
          {
            "Value": "EnvironmentName",
            "Key": "Name"
          }
        ],
        "LoadBalancerAttributes": [
          {
            "Key": "access_logs.s3.enabled",
            "Value": false
          }
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to
  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: true
```
Negative test num. 2 - json file
```json
{
  "Description": "A simple EC2 instance",
  "Parameters": {
    "EnvironmentName": {
      "Description": "An environment name that will be prefixed to resource names",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Choose which VPC the Application Load Balancer should be deployed to"
    },
    "Subnets": {
      "Description": "Choose which subnets the Application Load Balancer should be deployed to",
      "Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
    },
    "SecurityGroup": {
      "Description": "Select the Security Group to apply to the Application Load Balancer",
      "Type": "AWS::EC2::SecurityGroup::Id"
    }
  },
  "Resources": {
    "LoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "SecurityGroups": [
          "SecurityGroup"
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "EnvironmentName"
          }
        ],
        "LoadBalancerAttributes": [
          {
            "Key": "access_logs.s3.enabled",
            "Value": true
          }
        ],
        "Name": "EnvironmentName",
        "Subnets": "Subnets"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}
```
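The condition the positive and negative samples above illustrate, expressed as a small checker over an already-parsed CloudFormation template. This is an added example and not the KICS query or its test files; the sample templates are constructed inline (with the `!Ref` intrinsics dropped, since a plain JSON/dict template is enough to exercise the rule) and the function names are this example's own. It goes slightly beyond the samples by also accepting the string form `"true"`, which CloudFormation allows because the attribute `Value` is declared as a String.

```python
# Added example: flag AWS::ElasticLoadBalancingV2::LoadBalancer resources whose
# access_logs.s3.enabled attribute is missing or not true. Operates on a parsed
# template (dict), so it works on JSON as-is; YAML with !Ref tags needs a
# CloudFormation-aware loader first. Standard library only, runs offline.
ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"
ATTR_KEY = "access_logs.s3.enabled"


def _is_true(value) -> bool:
    # CloudFormation declares the attribute Value as a String, so templates may
    # carry a YAML/JSON boolean or the string "true"; accept both, reject the rest.
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def access_log_enabled(properties: dict) -> bool:
    """True only if LoadBalancerAttributes explicitly enables access logs."""
    for attr in properties.get("LoadBalancerAttributes") or []:
        if isinstance(attr, dict) and attr.get("Key") == ATTR_KEY:
            return _is_true(attr.get("Value"))
    return False  # attribute absent: the AWS default is logging disabled


def find_albs_without_access_logs(template: dict) -> list:
    """Return the logical IDs of ALB resources that would trigger this query."""
    findings = []
    for logical_id, res in (template.get("Resources") or {}).items():
        if res.get("Type") == ALB_TYPE and not access_log_enabled(res.get("Properties") or {}):
            findings.append(logical_id)
    return findings


# Constructed sample templates mirroring the four cases shown on this page.
def _template(logical_id: str, attributes=None) -> dict:
    props = {"Name": "EnvironmentName", "Subnets": "Subnets"}
    if attributes is not None:
        props["LoadBalancerAttributes"] = attributes
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {logical_id: {"Type": ALB_TYPE, "Properties": props}}}


MISSING_ATTR = _template("LoadBalancer")                                         # positive 1 / 3
DISABLED = _template("LoadBalancertest", [{"Key": ATTR_KEY, "Value": False}])    # positive 2 / 4
ENABLED = _template("LoadBalancer", [{"Key": ATTR_KEY, "Value": True}])          # negative 1 / 2
ENABLED_STR = _template("LoadBalancer", [{"Key": ATTR_KEY, "Value": "true"}])    # string form

if __name__ == "__main__":
    for name, tpl in [("missing", MISSING_ATTR), ("disabled", DISABLED), ("enabled", ENABLED)]:
        print(f"{name}: {find_albs_without_access_logs(tpl)}")
```

Enabling the attribute alone is not sufficient for logs to be delivered; the load balancer also needs a target bucket with a policy that lets the regional ELB account write to it, which this check deliberately does not cover.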