Logging and Audits should be configured for Load Balancers


Description

Set up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.

Rationale

Access logs let you analyze each TCP and HTTP request the load balancer handles, which is useful during security audits or troubleshooting.

Remediation

From the console

Follow the Enable access logs for your Classic Load Balancer docs to learn how to enable logging for your ELBs.

From the command line

  1. Run create-bucket to create an S3 bucket that stores the ELB log files.

    Note: This bucket must be created in the same region as the ELB.

    aws s3api create-bucket \
        --region us-west-1 \
        --bucket your-elb-logging-bucket \
        --create-bucket-configuration LocationConstraint=us-west-1
    
  2. Use the AWS Policy Generator to create a bucket policy that grants Elastic Load Balancing write access to the bucket, and save it as elb-logging-policy.json.

  3. Run put-bucket-policy to attach the policy document to the S3 bucket.

    aws s3api put-bucket-policy \
        --bucket your-elb-logging-bucket \
        --policy file://elb-logging-policy.json
    
  4. Run modify-load-balancer-attributes to enable logging for the selected ELB.

    aws elb modify-load-balancer-attributes \
        --region us-west-1 \
        --load-balancer-name YourLoadBalancerName \
        --load-balancer-attributes \
        "{\"AccessLog\":{\"Enabled\":true,\"EmitInterval\":60,\"S3BucketName\":\"your-elb-logging-bucket\"}}"
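To verify the result of step 4 across many load balancers, the following added check (example code, not from the original page) parses the JSON that `aws elb describe-load-balancer-attributes` returns for each classic ELB and reports any that have logging disabled or that write to a bucket other than the designated logging bucket. The load balancer names and attribute data are constructed samples.

```python
import json

# Constructed sample: the parsed output of
#   aws elb describe-load-balancer-attributes --load-balancer-name <name>
# for three classic load balancers (not real account data).
SAMPLE_ATTRIBUTES = {
    "web-prod": {
        "LoadBalancerAttributes": {
            "AccessLog": {
                "Enabled": True,
                "S3BucketName": "your-elb-logging-bucket",
                "S3BucketPrefix": "elb/web-prod",
                "EmitInterval": 60,
            }
        }
    },
    # Logging never enabled: AWS returns only the Enabled flag.
    "api-staging": {"LoadBalancerAttributes": {"AccessLog": {"Enabled": False}}},
    # Logging enabled, but pointed at a bucket outside the central log store.
    "legacy-app": {
        "LoadBalancerAttributes": {
            "AccessLog": {
                "Enabled": True,
                "S3BucketName": "someones-scratch-bucket",
                "EmitInterval": 5,
            }
        }
    },
}


def check_access_log(attributes: dict, expected_bucket: str) -> list[str]:
    """Return findings for one load balancer; an empty list means compliant."""
    access_log = attributes.get("LoadBalancerAttributes", {}).get("AccessLog", {})
    if not access_log.get("Enabled"):
        return ["access logging is disabled"]
    bucket = access_log.get("S3BucketName")
    if bucket != expected_bucket:
        return [f"access logs go to {bucket!r}, expected {expected_bucket!r}"]
    return []


def audit(all_attributes: dict, expected_bucket: str) -> dict[str, list[str]]:
    """Map each non-compliant load balancer name to its findings."""
    results = {}
    for name, attrs in all_attributes.items():
        findings = check_access_log(attrs, expected_bucket)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ATTRIBUTES, "your-elb-logging-bucket"), indent=2))
```

In a real audit, feed the function the output of `describe-load-balancer-attributes` for every name listed by `aws elb describe-load-balancers`.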