Disabling logging of this component can lead to missing traceability in case of a security incident.
Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage enables them to quickly react to events, ranging from the most benign bugs to the most impactful security incidents, such as intrusions.
Apart from security detection, logging capabilities also directly influence future digital forensic analyses. For example, detailed logging will allow investigators to establish a timeline of the actions perpetrated by an attacker.
Ask Yourself Whether
- This component is essential for the information system infrastructure.
- This component is essential for mission-critical functions.
- Compliance policies require this component to be monitored.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Enable the logging capabilities of this component. Depending on the component, new permissions might be required by the logging storage components.
You should consult the official documentation to enable logging for the impacted components. For example, AWS Application Load Balancer Access Logs require an additional bucket policy.
Sensitive Code Example
For Amazon S3 access requests:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties:
      BucketName: "mynoncompliantbucket"
For Amazon API Gateway stages:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Prod: # Sensitive
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: false # Sensitive
For Amazon Neptune clusters:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      EnableCloudwatchLogsExports: [] # Sensitive
For Amazon MSK broker logs:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  SensitiveCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: Sensitive Cluster
      LoggingInfo:
        BrokerLogs: # Sensitive
          CloudWatchLogs:
            Enabled: false
            LogGroup: CWLG
          Firehose:
            DeliveryStream: DS
            Enabled: false
For Amazon DocDB:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DocDBOmittingLogs: # Sensitive
    Type: "AWS::DocDB::DBCluster"
    Properties:
      DBClusterIdentifier: "DB Without Logs"
For Amazon MQ:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      Logs: # Sensitive
        Audit: false
        General: false
For Amazon Redshift:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ClusterOmittingLogging: # Sensitive
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "Redshift Warehouse Cluster"
For Amazon OpenSearch service or Amazon Elasticsearch service:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: 'AWS::OpenSearchService::Domain'
    Properties:
      LogPublishingOptions: # Sensitive
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-application-logs'
          Enabled: true
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-index-slow-logs'
          Enabled: true
For Amazon CloudFront distributions:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFrontDistribution: # Sensitive
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultRootObject: "index.html"
For Amazon Elastic Load Balancing:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AccessLoggingPolicy:
        Enabled: false # Sensitive
For Amazon Load Balancing (v2):
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: CompliantLoadBalancer
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          Value: false # Sensitive
Compliant Solution
For Amazon S3 access requests:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantbucket"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3LoggingBucket
        LogFilePrefix: testing-logs
  S3LoggingBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3LoggingBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:PutObject'
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3LoggingBucket
                - /*
            Condition:
              ArnLike:
                'aws:SourceArn': !GetAtt
                  - S3Bucket
                  - Arn
              StringEquals:
                'aws:SourceAccount': !Sub '${AWS::AccountId}'
For Amazon API Gateway stages:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: true
      AccessLogSetting:
        DestinationArn: "arn:aws:logs:eu-west-1:123456789:test"
        Format: "..."
For Amazon Neptune clusters:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      EnableCloudwatchLogsExports: ["audit"]
For Amazon MSK broker logs:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  SensitiveCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: Sensitive Cluster
      LoggingInfo:
        BrokerLogs:
          Firehose:
            DeliveryStream: DS
            Enabled: true
          S3:
            Bucket: Broker Logs
            Enabled: true
            Prefix: "logs/msk-brokers-"
For Amazon DocDB:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DocDBWithLogs:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      DBClusterIdentifier: "DB With Logs"
      EnableCloudwatchLogsExports:
        - audit
For Amazon MQ enable Audit or General:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      Logs:
        Audit: true
        General: true
For Amazon Redshift:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CompliantCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "Redshift Warehouse Cluster"
      LoggingProperties:
        BucketName: "Infra Logs"
        S3KeyPrefix: "log/redshift-"
For Amazon OpenSearch service, or Amazon Elasticsearch service:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: 'AWS::OpenSearchService::Domain'
    Properties:
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-audit-logs'
          Enabled: true
For Amazon CloudFront distributions:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultRootObject: "index.html"
        Logging:
          Bucket: "mycompliantbucket"
          Prefix: "log/cloudfront-"
For Amazon Elastic Load Balancing:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AccessLoggingPolicy:
        Enabled: true
        S3BucketName: mycompliantbucket
        S3BucketPrefix: "log/loadbalancer-"
For Amazon Load Balancing (v2):
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: CompliantLoadBalancer
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          Value: true
        - Key: "access_logs.s3.bucket"
          Value: "mycompliantbucket"
        - Key: "access_logs.s3.prefix"
          Value: "log/elbv2-"
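As an added example (not part of this rule page and not the analyzer's own implementation), the following Python script applies the Sensitive/Compliant distinctions above to a CloudFormation template in its JSON form, using only the standard library. The resource types and property names come from the examples on this page; the sample template and the check helpers (`_on`, `_msk_disabled`, `_alb_disabled`, `find_unlogged`) are constructed here.

```python
import json

def _on(v):
    return v is True or str(v).lower() == "true"  # accepts JSON booleans or "true"/"false" strings

def _msk_disabled(p):
    logs = p.get("LoggingInfo", {}).get("BrokerLogs", {})
    return not any(_on(logs.get(d, {}).get("Enabled")) for d in ("CloudWatchLogs", "Firehose", "S3"))

def _alb_disabled(p):
    attrs = {a.get("Key"): a.get("Value") for a in p.get("LoadBalancerAttributes", [])}
    return not _on(attrs.get("access_logs.s3.enabled"))  # attribute absent means disabled (the default)

# Each predicate returns True when the resource leaves logging off, mirroring the page's examples.
CHECKS = {
    "AWS::S3::Bucket": lambda p: "LoggingConfiguration" not in p,
    "AWS::ApiGateway::Stage": lambda p: "AccessLogSetting" not in p,
    "AWS::Neptune::DBCluster": lambda p: not p.get("EnableCloudwatchLogsExports"),
    "AWS::DocDB::DBCluster": lambda p: not p.get("EnableCloudwatchLogsExports"),
    "AWS::AmazonMQ::Broker": lambda p: not any(_on(p.get("Logs", {}).get(k)) for k in ("Audit", "General")),
    "AWS::Redshift::Cluster": lambda p: "LoggingProperties" not in p,
    "AWS::CloudFront::Distribution": lambda p: "Logging" not in p.get("DistributionConfig", {}),
    "AWS::ElasticLoadBalancing::LoadBalancer": lambda p: not _on(p.get("AccessLoggingPolicy", {}).get("Enabled")),
    "AWS::ElasticLoadBalancingV2::LoadBalancer": _alb_disabled,
    "AWS::MSK::Cluster": _msk_disabled,
    "AWS::OpenSearchService::Domain":
        lambda p: not _on(p.get("LogPublishingOptions", {}).get("AUDIT_LOGS", {}).get("Enabled")),
}

def find_unlogged(template):
    """Return the logical IDs of resources this rule would mark as Sensitive, sorted."""
    flagged = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check and check(res.get("Properties", {})):
            flagged.append(name)
    return sorted(flagged)

# Constructed sample template in CloudFormation's JSON form (not taken from the rule page).
SAMPLE = json.loads("""{"Resources": {
  "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "noncompliant"}},
  "LoggedBucket": {"Type": "AWS::S3::Bucket", "Properties": {"LoggingConfiguration": {"DestinationBucketName": "logs"}}},
  "Alb": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
          "Properties": {"LoadBalancerAttributes": [{"Key": "access_logs.s3.enabled", "Value": "false"}]}},
  "Stage": {"Type": "AWS::ApiGateway::Stage", "Properties": {"StageName": "Prod", "TracingEnabled": false}},
  "Search": {"Type": "AWS::OpenSearchService::Domain",
             "Properties": {"LogPublishingOptions": {"ES_APPLICATION_LOGS": {"Enabled": true}}}}
}}""")
```

Calling `find_unlogged(SAMPLE)` returns `['Alb', 'Bucket', 'Search', 'Stage']`; a missing logging property, an empty export list and an explicit false are treated alike, because in each of these services logging is off unless it is configured.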
See