Application Load Balancers must have access logging enabled so you retain detailed request records for incident investigation and traffic analysis. Without logs, security incidents are harder to investigate and you may not meet auditing or compliance requirements.
For CloudFormation, check that AWS::ElasticLoadBalancingV2::LoadBalancer resources have a LoadBalancerAttributes entry with Key equal to access_logs.s3.enabled and Value set to true (or the string "true" in templates). Resources missing the LoadBalancerAttributes property, or that include access_logs.s3.enabled with Value set to false (or "false"), are flagged as non-compliant.
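The check described above can be expressed as a small static scan over a parsed template. The following is an added example, not Datadog's rule implementation: it walks the Resources of a CloudFormation template in JSON form, keeps only AWS::ElasticLoadBalancingV2::LoadBalancer resources, and reports every one whose access_logs.s3.enabled attribute is missing or not literally true. The sample templates are constructed for this example (the compliant one is a trimmed copy of this page's compliant example; the mixed one adds extra resources to exercise the edge cases); the decision to treat an unresolvable intrinsic such as {"Ref": ...} as not enabled is this example's own fail-closed assumption, not something the page states about the rule.

```python
"""Flag ALBs in a CloudFormation template whose S3 access logging is not enabled.

Added example mirroring the rule text on this page; it is not Datadog's own
rule code. It operates on the JSON form of a template (as in the page's
examples) so it needs nothing beyond the standard library.
"""
import json

ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"
ACCESS_LOG_KEY = "access_logs.s3.enabled"


def is_enabled(value):
    """True only for the boolean true or the string "true" (any case, trimmed).

    Anything else counts as not enabled, including intrinsic functions such as
    {"Ref": "..."} that a static scan cannot resolve. Failing closed here is an
    assumption of this example, not a documented behaviour of the rule.
    """
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_noncompliant_load_balancers(template):
    """Return logical IDs of ELBv2 load balancers that do not enable access logs.

    A resource is reported when it has no LoadBalancerAttributes at all, when the
    list lacks an access_logs.s3.enabled entry, or when that entry is not true.
    If the key appears more than once the last occurrence wins.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ALB_TYPE:
            continue  # other resource types are out of scope for this rule
        properties = resource.get("Properties") or {}
        attributes = properties.get("LoadBalancerAttributes") or []
        enabled = False
        for attribute in attributes:
            if isinstance(attribute, dict) and attribute.get("Key") == ACCESS_LOG_KEY:
                enabled = is_enabled(attribute.get("Value"))
        if not enabled:
            findings.append(logical_id)
    return findings


def scan_template_json(text):
    """Parse a JSON CloudFormation template and run the check over it."""
    return find_noncompliant_load_balancers(json.loads(text))


# Constructed sample: trimmed copy of the page's compliant example.
COMPLIANT_TEMPLATE = """{
  "Resources": {
    "LoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": {"Ref": "EnvironmentName"},
        "LoadBalancerAttributes": [
          {"Key": "access_logs.s3.enabled", "Value": true}
        ]
      }
    }
  }
}"""

# Constructed sample covering the edge cases: a non-ALB resource (skipped), a
# load balancer with no attributes, one with logging explicitly off, one with
# logging on via the string "TRUE" next to an unrelated attribute, and one whose
# value is a Ref that cannot be resolved statically. Parameter names are made up.
MIXED_TEMPLATE = """{
  "Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket"},
    "NoAttributes": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"Name": "no-attrs"}
    },
    "LoggingOff": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"LoadBalancerAttributes": [
        {"Key": "access_logs.s3.enabled", "Value": "false"}
      ]}
    },
    "LoggingOn": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"LoadBalancerAttributes": [
        {"Key": "deletion_protection.enabled", "Value": "true"},
        {"Key": "access_logs.s3.enabled", "Value": "TRUE"}
      ]}
    },
    "UnresolvedRef": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"LoadBalancerAttributes": [
        {"Key": "access_logs.s3.enabled", "Value": {"Ref": "EnableAccessLogs"}}
      ]}
    }
  }
}"""


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_TEMPLATE), ("mixed", MIXED_TEMPLATE)):
        print(f"{name}: non-compliant load balancers = {scan_template_json(text)}")
```

Running the module prints no findings for the compliant template and reports NoAttributes, LoggingOff and UnresolvedRef for the mixed one. Note that the same CloudFormation resource type also declares network and gateway load balancers (via the Type property); the rule text above does not distinguish them, and neither does this example.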
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to
  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: true
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A simple EC2 instance",
  "Parameters": {
    "EnvironmentName": {
      "Description": "An environment name that will be prefixed to resource names",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Choose which VPC the Application Load Balancer should be deployed to"
    },
    "Subnets": {
      "Description": "Choose which subnets the Application Load Balancer should be deployed to",
      "Type": "List<AWS::EC2::Subnet::Id>"
    },
    "SecurityGroup": {
      "Description": "Select the Security Group to apply to the Application Load Balancer",
      "Type": "AWS::EC2::SecurityGroup::Id"
    }
  },
  "Resources": {
    "LoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": { "Ref": "EnvironmentName" },
        "Subnets": { "Ref": "Subnets" },
        "SecurityGroups": [ { "Ref": "SecurityGroup" } ],
        "Tags": [
          { "Key": "Name", "Value": { "Ref": "EnvironmentName" } }
        ],
        "LoadBalancerAttributes": [
          { "Key": "access_logs.s3.enabled", "Value": true }
        ]
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to
  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
```
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Choose which VPC the Application Load Balancer should be deployed to
  Subnets:
    Description: Choose which subnets the Application Load Balancer should be deployed to
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroup:
    Description: Select the Security Group to apply to the Application Load Balancer
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  LoadBalancertest:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Ref EnvironmentName
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: false
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A simple EC2 instance",
  "Parameters": {
    "SecurityGroup": {
      "Description": "Select the Security Group to apply to the Application Load Balancer",
      "Type": "AWS::EC2::SecurityGroup::Id"
    },
    "EnvironmentName": {
      "Description": "An environment name that will be prefixed to resource names",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "Choose which VPC the Application Load Balancer should be deployed to"
    },
    "Subnets": {
      "Description": "Choose which subnets the Application Load Balancer should be deployed to",
      "Type": "List<AWS::EC2::Subnet::Id>"
    }
  },
  "Resources": {
    "LoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": { "Ref": "EnvironmentName" },
        "Subnets": { "Ref": "Subnets" },
        "SecurityGroups": [ { "Ref": "SecurityGroup" } ],
        "Tags": [
          { "Key": "Name", "Value": { "Ref": "EnvironmentName" } }
        ]
      }
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```