This product is not supported for your selected
Datadog site. (
).
Id: 20018359-6fd7-4d05-ab26-d4dffccbdf79
Cloud Provider: aws
Framework: Terraform
Severity: Medium
Category: Observability
Learn More
Description
Elastic Load Balancers (ELBs) should have access logging enabled by setting the enabled attribute to true within the access_logs block. Disabling ELB access logs (for example, with enabled = false) can make it difficult to investigate errors, identify suspicious activity, or audit access to applications behind the load balancer. Without these logs, incident response and troubleshooting are significantly hindered, increasing the risk of undetected security incidents or prolonged outages.
Compliant Code Examples
module "elb_http" {
source = "terraform-aws-modules/elb/aws"
version = "~> 2.0"
name = "elb-example"
subnets = ["subnet-12345678", "subnet-87654321"]
security_groups = ["sg-12345678"]
internal = false
listener = [
{
instance_port = 80
instance_protocol = "HTTP"
lb_port = 80
lb_protocol = "HTTP"
},
{
instance_port = 8080
instance_protocol = "http"
lb_port = 8080
lb_protocol = "http"
ssl_certificate_id = "arn:aws:acm:eu-west-1:235367859451:certificate/6c270328-2cd5-4b2d-8dfd-ae8d0004ad31"
},
]
health_check = {
target = "HTTP:80/"
interval = 30
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 5
}
access_logs = {
bucket = "foo"
bucket_prefix = "bar"
interval = 60
}
// ELB attachments
number_of_instances = 2
instances = ["i-06ff41a77dfb5349d", "i-4906ff41a77dfb53d"]
tags = {
Owner = "user"
Environment = "dev"
}
}
resource "aws_elb" "negative2" {
name = "foobar-terraform-elb"
availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
access_logs {
bucket = "foo"
bucket_prefix = "bar"
interval = 60
enabled = true
}
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 443
lb_protocol = "https"
ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
}
health_check {
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 3
target = "HTTP:8000/"
interval = 30
}
instances = [aws_instance.foo.id]
cross_zone_load_balancing = true
idle_timeout = 400
connection_draining = true
connection_draining_timeout = 400
tags = {
Name = "foobar-terraform-elb"
}
}
resource "aws_elb" "negative1" {
name = "foobar-terraform-elb"
availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
access_logs {
bucket = "foo"
bucket_prefix = "bar"
interval = 60
}
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 443
lb_protocol = "https"
ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
}
health_check {
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 3
target = "HTTP:8000/"
interval = 30
}
instances = [aws_instance.foo.id]
cross_zone_load_balancing = true
idle_timeout = 400
connection_draining = true
connection_draining_timeout = 400
tags = {
Name = "foobar-terraform-elb"
}
}
Non-Compliant Code Examples
resource "aws_elb" "postive2" {
name = "foobar-terraform-elb"
availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 443
lb_protocol = "https"
ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
}
health_check {
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 3
target = "HTTP:8000/"
interval = 30
}
instances = [aws_instance.foo.id]
cross_zone_load_balancing = true
idle_timeout = 400
connection_draining = true
connection_draining_timeout = 400
tags = {
Name = "foobar-terraform-elb"
}
}
module "elb_http" {
source = "terraform-aws-modules/elb/aws"
version = "~> 2.0"
name = "elb-example"
subnets = ["subnet-12345678", "subnet-87654321"]
security_groups = ["sg-12345678"]
internal = false
listener = [
{
instance_port = 80
instance_protocol = "HTTP"
lb_port = 80
lb_protocol = "HTTP"
},
{
instance_port = 8080
instance_protocol = "http"
lb_port = 8080
lb_protocol = "http"
ssl_certificate_id = "arn:aws:acm:eu-west-1:235367859451:certificate/6c270328-2cd5-4b2d-8dfd-ae8d0004ad31"
},
]
health_check = {
target = "HTTP:80/"
interval = 30
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 5
}
// ELB attachments
number_of_instances = 2
instances = ["i-06ff41a77dfb5349d", "i-4906ff41a77dfb53d"]
tags = {
Owner = "user"
Environment = "dev"
}
}
module "elb_http" {
source = "terraform-aws-modules/elb/aws"
version = "~> 2.0"
name = "elb-example"
subnets = ["subnet-12345678", "subnet-87654321"]
security_groups = ["sg-12345678"]
internal = false
listener = [
{
instance_port = 80
instance_protocol = "HTTP"
lb_port = 80
lb_protocol = "HTTP"
},
{
instance_port = 8080
instance_protocol = "http"
lb_port = 8080
lb_protocol = "http"
ssl_certificate_id = "arn:aws:acm:eu-west-1:235367859451:certificate/6c270328-2cd5-4b2d-8dfd-ae8d0004ad31"
},
]
health_check = {
target = "HTTP:80/"
interval = 30
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 5
}
access_logs = {
bucket = "foo"
bucket_prefix = "bar"
interval = 60
enabled = false
}
// ELB attachments
number_of_instances = 2
instances = ["i-06ff41a77dfb5349d", "i-4906ff41a77dfb53d"]
tags = {
Owner = "user"
Environment = "dev"
}
}
