Ensure access logging is enabled for AWS LB (Load Balancer)

MEDIUM

Description

AWS classic load balancers do not have access logging enabled. Access logging should be enabled in order to analyze traffic statistics, diagnose issues, and retain request data for regulatory or legal purposes.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the Load Balancer Console.
  2. Choose the load balancer to edit and in the Actions drop down select Edit load balancer attributes.
  3. Under Attributes, select Configure access logs.
  4. Check the Enable access logs box and provide an interval and S3 location.
  5. Select Save.

In Terraform -

  1. In the aws_lb resource, set the access_logs.enabled field to true.
  2. Provide a bucket (S3 location).
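The Terraform remediation above, as an added example that is not part of the original policy page: an application load balancer with the `access_logs` block enabled, plus the S3 bucket and bucket policy that the regional ELB service account needs in order to write the logs (without that policy the attribute is accepted but no logs arrive). The bucket name, subnet variable and prefix are assumed values; a resource that fails this rule is the same `aws_lb` with the `access_logs` block omitted or `enabled = false`.

```hcl
# Constructed example: S3 log bucket plus an ALB with access logging enabled.
# Names and the subnet variable are assumptions for illustration.

variable "public_subnet_ids" {
  type = list(string)
}

# Regional account that the ELB service uses to write ALB access logs.
data "aws_elb_service_account" "main" {}

resource "aws_s3_bucket" "lb_logs" {
  bucket = "example-lb-access-logs" # assumed bucket name
}

# Without this grant the load balancer cannot deliver logs to the bucket.
resource "aws_s3_bucket_policy" "lb_logs" {
  bucket = aws_s3_bucket.lb_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowALBAccessLogDelivery"
      Effect    = "Allow"
      Principal = { AWS = data.aws_elb_service_account.main.arn }
      Action    = "s3:PutObject"
      # Must cover the prefix used in the access_logs block below.
      Resource  = "${aws_s3_bucket.lb_logs.arn}/alb/*"
    }]
  })
}

resource "aws_lb" "app" {
  name               = "example-alb"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids

  # The block this rule (AC_AWS_0435) checks. enabled defaults to false,
  # so it must be set explicitly; bucket is required when enabled.
  access_logs {
    bucket  = aws_s3_bucket.lb_logs.id
    prefix  = "alb"
    enabled = true
  }
}
```

Logs land under `s3://<bucket>/alb/AWSLogs/<account-id>/elasticloadbalancing/...`, so the `Resource` path in the bucket policy and the `prefix` must agree.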

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#access_logs

Policy Details

Rule Reference ID: AC_AWS_0435
CSP: AWS
Remediation Available: Yes
Resource: aws_lb
Resource Category: Virtual Network
Resource Type: Load Balancer

Frameworks