ELB Access Log Disabled

  • Query id: ee12ad32-2863-4c0f-b13f-28272d115028
  • Query name: ELB Access Log Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • CWE: Ongoing
  • URL: Github

Description

ELB should have access log enabled
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Resources:
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AvailabilityZones:
        - "us-east-2a"
      CrossZone: true
      Listeners:
        - InstancePort: "80"
          InstanceProtocol: HTTP
          LoadBalancerPort: "443"
          Protocol: HTTPS
          PolicyNames:
            - My-SSLNegotiation-Policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
      HealthCheck:
        Target: HTTP:80/
        HealthyThreshold: "2"
        UnhealthyThreshold: "3"
        Interval: "10"
        Timeout: "5"
      Policies:
        - PolicyName: My-SSLNegotiation-Policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Resources:
  MyLoadBalancer2:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AvailabilityZones:
        - "us-east-2a"
      CrossZone: true
      Listeners:
        - InstancePort: "80"
          InstanceProtocol: HTTP
          LoadBalancerPort: "443"
          Protocol: HTTPS
          PolicyNames:
            - My-SSLNegotiation-Policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
      HealthCheck:
        Target: HTTP:80/
        HealthyThreshold: "2"
        UnhealthyThreshold: "3"
        Interval: "10"
        Timeout: "5"
      Policies:
        - PolicyName: My-SSLNegotiation-Policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
      AccessLoggingPolicy:
        Enabled: false
        S3BucketName: teste
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A simple EC2 instance",
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Listeners": [
          {
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate"
          }
        ],
        "HealthCheck": {
          "Target": "HTTP:80/",
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3",
          "Interval": "10",
          "Timeout": "5"
        },
        "Policies": [
          {
            "PolicyName": "My-SSLNegotiation-Policy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ]
          }
        ]
      }
    }
  }
}

Positive test num. 4 - json file
{
  "Resources": {
    "MyLoadBalancer2": {
      "Properties": {
        "Policies": [
          {
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ],
            "PolicyName": "My-SSLNegotiation-Policy"
          }
        ],
        "AccessLoggingPolicy": {
          "Enabled": false,
          "S3BucketName": "teste"
        },
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Listeners": [
          {
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate"
          }
        ],
        "HealthCheck": {
          "Interval": "10",
          "Timeout": "5",
          "Target": "HTTP:80/",
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3"
        }
      },
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A simple EC2 instance"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Resources:
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AvailabilityZones:
        - "us-east-2a"
      CrossZone: true
      Listeners:
        - InstancePort: "80"
          InstanceProtocol: HTTP
          LoadBalancerPort: "443"
          Protocol: HTTPS
          PolicyNames:
            - My-SSLNegotiation-Policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
      HealthCheck:
        Target: HTTP:80/
        HealthyThreshold: "2"
        UnhealthyThreshold: "3"
        Interval: "10"
        Timeout: "5"
      Policies:
        - PolicyName: My-SSLNegotiation-Policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
      AccessLoggingPolicy:
        - Enabled: true
          S3BucketName: teste
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A simple EC2 instance",
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "Policies": [
          {
            "PolicyName": "My-SSLNegotiation-Policy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ]
          }
        ],
        "AccessLoggingPolicy": [
          {
            "Enabled": true,
            "S3BucketName": "teste"
          }
        ],
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Listeners": [
          {
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP"
          }
        ],
        "HealthCheck": {
          "Timeout": "5",
          "Target": "HTTP:80/",
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3",
          "Interval": "10"
        }
      }
    }
  }
}