Logging and Audits should be configured for Load Balancers
Description
Set up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.
Rationale
Access logs let you analyze each TCP and HTTP request, which is useful during security audits and troubleshooting.
From the console
Follow the "Enable access logs for your Classic Load Balancer" docs to learn how to enable logging for your ELBs.
From the command line
Run create-bucket to create an S3 bucket that stores the ELB log files.
Note: This bucket must be created in the same region as the ELB.
aws s3api create-bucket \
--region us-west-1 \
--create-bucket-configuration LocationConstraint=us-west-1 \
--bucket your-elb-logging-bucket
Use the AWS Policy Generator to create a new policy, and save it as elb-logging-policy.json for the next step.
Run put-bucket-policy to attach the policy document to the S3 bucket.
aws s3api put-bucket-policy \
--bucket your-elb-logging-bucket \
--policy file://elb-logging-policy.json
Run modify-load-balancer-attributes to enable logging for the selected ELB.
aws elb modify-load-balancer-attributes \
--region us-west-1 \
--load-balancer-name YourLoadBalancerName \
--load-balancer-attributes \
"{\"AccessLog\":{\"Enabled\":true,\"EmitInterval\":60,\"S3BucketName\":\"your-elb-logging-bucket\"}}"
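The policy step above does not show the document itself, so here is one way to render elb-logging-policy.json with the least privilege needed. This is an added example, not from the original page. The function name elb_log_policy is hypothetical, the account IDs are placeholders you supply, and it assumes a region where log delivery uses an ELB account principal and a bucket with no key prefix.

```shell
#!/bin/sh
# Added example: render the S3 bucket policy that lets ELB deliver access logs.
# Arguments (placeholders, supplied by you):
#   $1 bucket name                 e.g. your-elb-logging-bucket
#   $2 your AWS account ID         12 digits
#   $3 ELB principal account ID    12 digits, region-specific (see the AWS ELB docs)
# Usage: elb_log_policy BUCKET ACCOUNT_ID ELB_ACCOUNT_ID > elb-logging-policy.json
elb_log_policy() {
    bucket=$1 account=$2 elb_principal=$3
    [ -n "$bucket" ] || { echo "bucket name required" >&2; return 1; }
    # Reject malformed account IDs early: a wrong ID yields a policy that
    # either blocks log delivery or grants write access to another account.
    for id in "$account" "$elb_principal"; do
        case $id in
            *[!0-9]*|'') echo "account ID must be numeric: '$id'" >&2; return 1 ;;
        esac
        [ "${#id}" -eq 12 ] || { echo "account ID must be 12 digits: '$id'" >&2; return 1; }
    done
    # Grant only s3:PutObject, only to the ELB principal, and only under this
    # account's AWSLogs/ prefix, so the rest of the bucket stays unwritable.
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowELBAccessLogDelivery",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${elb_principal}:root" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/AWSLogs/${account}/*"
    }
  ]
}
EOF
}
```
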