A logging setup should be created for AWS Elastic Load Balancers


Description

Set up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.

Rationale

Access logs let you analyze every TCP and HTTP request the load balancer handled, which is useful during security audits, incident investigation, and troubleshooting.

Remediation

From the console

Follow the Enable access logs for your Classic Load Balancer docs to learn how to enable logging for your ELBs.

From the command line

  1. Run create-bucket to create an S3 bucket that stores the ELB log files.

    Note: This bucket must be created in the same region as the ELB. For any region other than us-east-1, create-bucket also requires an explicit LocationConstraint.

    aws s3api create-bucket \
        --region us-west-1 \
        --bucket your-elb-logging-bucket \
        --create-bucket-configuration LocationConstraint=us-west-1
    
  2. Use the AWS Policy Generator to create a new policy.

  3. Run put-bucket-policy to attach the policy document to the S3 bucket.

    aws s3api put-bucket-policy \
        --bucket your-elb-logging-bucket \
        --policy file://elb-logging-policy.json
    
  4. Run modify-load-balancer-attributes to enable logging for the selected ELB.

    aws elb modify-load-balancer-attributes \
        --region us-west-1 \
        --load-balancer-name YourLoadBalancerName \
        --load-balancer-attributes \
        "{\"AccessLog\":{\"Enabled\":true,\"EmitInterval\":60,\"S3BucketName\":\"your-elb-logging-bucket\"}}"
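The four steps above carried out end to end, as an added example script that is not part of the original page and not Datadog's or AWS's own tooling. It assumes the bucket name, load balancer name, log prefix (`elb-logs`) and the owning account ID `123456789012`, all of which are placeholders; `ELB_ACCOUNT_ID` must be replaced with the ELB service account for your region as listed in the AWS "Enable access logs" documentation. The policy builder replaces the Policy Generator step and scopes the grant to `s3:PutObject` on the log prefix only, and the final function is a check for this rule that reads `describe-load-balancer-attributes` output and succeeds only when access logging is enabled.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-4 as one script, plus a
# check that access logging is on. All names below are placeholders.
set -eu

REGION="${REGION:-us-west-1}"
BUCKET="${BUCKET:-your-elb-logging-bucket}"
LB_NAME="${LB_NAME:-YourLoadBalancerName}"
LOG_PREFIX="${LOG_PREFIX:-elb-logs}"                        # assumed prefix
ELB_ACCOUNT_ID="${ELB_ACCOUNT_ID:-ELB_ACCOUNT_ID_FOR_YOUR_REGION}"  # placeholder
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"            # constructed sample

# Bucket policy letting the regional ELB service account write logs.
# Grants s3:PutObject on the log prefix only, nothing else on the bucket.
elb_bucket_policy() {
  bucket="$1"; prefix="$2"; elb_account="$3"; owner_account="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowClassicELBAccessLogs",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${elb_account}:root" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/${prefix}/AWSLogs/${owner_account}/*"
    }
  ]
}
EOF
}

# Attribute document for modify-load-balancer-attributes (step 4).
access_log_attributes() {
  bucket="$1"; prefix="$2"; interval="$3"
  printf '{"AccessLog":{"Enabled":true,"EmitInterval":%s,"S3BucketName":"%s","S3BucketPrefix":"%s"}}' \
    "$interval" "$bucket" "$prefix"
}

# Rule check: reads describe-load-balancer-attributes JSON on stdin and
# returns success only if AccessLog.Enabled is true.
access_log_enabled() {
  grep -Eq '"Enabled":[[:space:]]*true'
}

enable_elb_logging() {
  # Step 1: bucket in the same region as the ELB. Regions other than
  # us-east-1 need an explicit LocationConstraint.
  if [ "$REGION" = "us-east-1" ]; then
    aws s3api create-bucket --region "$REGION" --bucket "$BUCKET"
  else
    aws s3api create-bucket --region "$REGION" --bucket "$BUCKET" \
      --create-bucket-configuration "LocationConstraint=$REGION"
  fi
  # Steps 2 and 3: generate and attach the bucket policy.
  elb_bucket_policy "$BUCKET" "$LOG_PREFIX" "$ELB_ACCOUNT_ID" "$AWS_ACCOUNT_ID" \
    > elb-logging-policy.json
  aws s3api put-bucket-policy --bucket "$BUCKET" \
    --policy file://elb-logging-policy.json
  # Step 4: enable access logs on the load balancer.
  aws elb modify-load-balancer-attributes --region "$REGION" \
    --load-balancer-name "$LB_NAME" \
    --load-balancer-attributes "$(access_log_attributes "$BUCKET" "$LOG_PREFIX" 60)"
  # Verify the change took effect.
  aws elb describe-load-balancer-attributes --region "$REGION" \
    --load-balancer-name "$LB_NAME" | access_log_enabled
}

# Only call AWS when explicitly requested, so the functions can be sourced
# and exercised offline.
if [ "${RUN_ELB_SETUP:-0}" = "1" ]; then
  enable_elb_logging
fi
```

Run it with `RUN_ELB_SETUP=1 ELB_ACCOUNT_ID=... sh enable-elb-logging.sh` after setting the placeholders; without `RUN_ELB_SETUP` it only defines the functions, which is what the check function is for when piping in saved `describe-load-balancer-attributes` output during an audit.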