ELBv2 ALB access log disabled
This product is not supported for your selected
Datadog site. (
).
Id: c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Observability
Learn More
Description
Application Load Balancers must have access logging enabled so you retain detailed request records for incident investigation and traffic analysis. Without logs, security incidents are harder to investigate and you may not meet auditing or compliance requirements.
For CloudFormation, check AWS::ElasticLoadBalancingV2::LoadBalancer resources have a LoadBalancerAttributes entry with Key equal to access_logs.s3.enabled and Value set to true (or the string "true" in templates). Resources missing the LoadBalancerAttributes property, or that include access_logs.s3.enabled with Value set to false (or "false"), will be flagged as non-compliant.
Secure CloudFormation example:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: my-alb
Type: application
LoadBalancerAttributes:
- Key: access_logs.s3.enabled
Value: "true"
- Key: access_logs.s3.bucket
Value: my-alb-logs-bucket
- Key: access_logs.s3.prefix
Value: alb-logs/
Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
EnvironmentName:
Description: An environment name that will be prefixed to resource names
Type: String
VPC:
Type: AWS::EC2::VPC::Id
Description: Choose which VPC the Application Load Balancer should be deployed to
Subnets:
Description: Choose which subnets the Application Load Balancer should be deployed to
Type: List<AWS::EC2::Subnet::Id>
SecurityGroup:
Description: Select the Security Group to apply to the Application Load Balancer
Type: AWS::EC2::SecurityGroup::Id
Resources:
LoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: !Ref EnvironmentName
Subnets: !Ref Subnets
SecurityGroups:
- !Ref SecurityGroup
Tags:
- Key: Name
Value: !Ref EnvironmentName
LoadBalancerAttributes:
- Key: access_logs.s3.enabled
Value: true
{
"Description": "A simple EC2 instance",
"Parameters": {
"EnvironmentName": {
"Description": "An environment name that will be prefixed to resource names",
"Type": "String"
},
"VPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "Choose which VPC the Application Load Balancer should be deployed to"
},
"Subnets": {
"Description": "Choose which subnets the Application Load Balancer should be deployed to",
"Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
},
"SecurityGroup": {
"Description": "Select the Security Group to apply to the Application Load Balancer",
"Type": "AWS::EC2::SecurityGroup::Id"
}
},
"Resources": {
"LoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
"SecurityGroup"
],
"Tags": [
{
"Key": "Name",
"Value": "EnvironmentName"
}
],
"LoadBalancerAttributes": [
{
"Key": "access_logs.s3.enabled",
"Value": true
}
],
"Name": "EnvironmentName",
"Subnets": "Subnets"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
Non-Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple EC2 instance
Parameters:
EnvironmentName:
Description: An environment name that will be prefixed to resource names
Type: String
VPC:
Type: AWS::EC2::VPC::Id
Description: Choose which VPC the Application Load Balancer should be deployed to
Subnets:
Description: Choose which subnets the Application Load Balancer should be deployed to
Type: List<AWS::EC2::Subnet::Id>
SecurityGroup:
Description: Select the Security Group to apply to the Application Load Balancer
Type: AWS::EC2::SecurityGroup::Id
Resources:
LoadBalancertest:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: !Ref EnvironmentName
Subnets: !Ref Subnets
SecurityGroups:
- !Ref SecurityGroup
Tags:
- Key: Name
Value: !Ref EnvironmentName
LoadBalancerAttributes:
- Key: access_logs.s3.enabled
Value: false
{
"Parameters": {
"SecurityGroup": {
"Description": "Select the Security Group to apply to the Application Load Balancer",
"Type": "AWS::EC2::SecurityGroup::Id"
},
"EnvironmentName": {
"Description": "An environment name that will be prefixed to resource names",
"Type": "String"
},
"VPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "Choose which VPC the Application Load Balancer should be deployed to"
},
"Subnets": {
"Description": "Choose which subnets the Application Load Balancer should be deployed to",
"Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
}
},
"Resources": {
"LoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "EnvironmentName",
"Subnets": "Subnets",
"SecurityGroups": [
"SecurityGroup"
],
"Tags": [
{
"Key": "Name",
"Value": "EnvironmentName"
}
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A simple EC2 instance"
}
{
"Description": "A simple EC2 instance",
"Parameters": {
"SecurityGroup": {
"Description": "Select the Security Group to apply to the Application Load Balancer",
"Type": "AWS::EC2::SecurityGroup::Id"
},
"EnvironmentName": {
"Description": "An environment name that will be prefixed to resource names",
"Type": "String"
},
"VPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "Choose which VPC the Application Load Balancer should be deployed to"
},
"Subnets": {
"Description": "Choose which subnets the Application Load Balancer should be deployed to",
"Type": "List\u003cAWS::EC2::Subnet::Id\u003e"
}
},
"Resources": {
"LoadBalancertest": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "EnvironmentName",
"Subnets": "Subnets",
"SecurityGroups": [
"SecurityGroup"
],
"Tags": [
{
"Value": "EnvironmentName",
"Key": "Name"
}
],
"LoadBalancerAttributes": [
{
"Key": "access_logs.s3.enabled",
"Value": false
}
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
