Disabling logging of this component can lead to missing traceability in case of a security incident.
Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage
enables them to quickly react to events, ranging from the most benign bugs to the most impactful security incidents, such as intrusions.
Apart from security detection, logging capabilities also directly influence future digital forensic analyses. For example, detailed logging will
allow investigators to establish a timeline of the actions perpetrated by an attacker.
Ask Yourself Whether
- This component is essential for the information system infrastructure.
- This component is essential for mission-critical functions.
- Compliance policies require this component to be monitored.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Enable the logging capabilities of this component. Depending on the component, new permissions might be required by the logging storage
components.
You should consult the official documentation to enable logging for the impacted components. For example, AWS Application Load Balancer Access Logs require an additional bucket policy.
Sensitive Code Example
For Amazon S3 access requests:
# Sensitive: no server access logging is configured for this bucket, so
# requests made against it leave no trail for detection or forensics.
# (The compliant solution adds an aws_s3_bucket_logging resource.)
resource "aws_s3_bucket" "example" { # Sensitive
  bucket = "example"
}
For Amazon API Gateway stages:
# Sensitive: tracing is explicitly disabled and no access_log_settings
# block is declared, so requests through this stage are neither traced
# nor logged.
resource "aws_api_gateway_stage" "example" { # Sensitive
  xray_tracing_enabled = false # Sensitive
}
For Amazon MSK Broker logs:
# Sensitive: every broker-log destination under logging_info is disabled,
# so the Kafka brokers emit no retained logs at all.
resource "aws_msk_cluster" "example" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3
  logging_info {
    broker_logs { # Sensitive
      firehose {
        enabled = false # no Kinesis Firehose delivery
      }
      s3 {
        enabled = false # no S3 delivery either
      }
    }
  }
}
For Amazon MQ Brokers:
# Sensitive: both log categories of the broker are switched off, so neither
# administrative (audit) nor runtime (general) activity is recorded.
resource "aws_mq_broker" "example" {
  logs { # Sensitive
    audit   = false
    general = false
  }
}
For Amazon DocumentDB:
# Sensitive: enabled_cloudwatch_logs_exports is not set, so no cluster log
# type is exported to CloudWatch Logs.
resource "aws_docdb_cluster" "example" { # Sensitive
  cluster_identifier = "example"
}
For Azure App Services:
# Sensitive: application logging is disabled for both destinations
# (file system and blob storage), so the app produces no application log.
resource "azurerm_app_service" "example" {
  logs {
    application_logs {
      file_system_level = "Off" # Sensitive
      azure_blob_storage {
        level = "Off" # Sensitive
      }
    }
  }
}
For GCP VPC Subnetwork:
# Sensitive: the subnetwork has no log_config block, so VPC flow logs are
# not collected for traffic in this subnet.
resource "google_compute_subnetwork" "example" { # Sensitive
  name          = "example"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.example.id
}
For GCP SQL Database Instance:
# Sensitive: the settings block declares no database_flags enabling the
# engine's logging options, so connections, disconnections, checkpoints
# and lock waits are not logged.
resource "google_sql_database_instance" "example" {
  name = "example"
  settings { # Sensitive
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
  }
}
For GCP Kubernetes Engine (GKE) cluster:
# Sensitive: logging_service = "none" turns off cluster logging entirely.
resource "google_container_cluster" "example" {
  name            = "example"
  logging_service = "none" # Sensitive
}
Compliant Solution
For Amazon S3 access requests:
# The monitored bucket; its access logging is attached by the separate
# aws_s3_bucket_logging resource below.
resource "aws_s3_bucket" "example" {
  bucket = "example"
}
# Enables server access logging for aws_s3_bucket.example and ships the
# log objects to the dedicated logging bucket under the given prefix.
resource "aws_s3_bucket_logging" "example" {
  bucket        = aws_s3_bucket.example.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "testing-logs"
}
# Set up a logging bucket (kept separate from the monitored bucket so the
# log trail is not stored alongside the data it describes).
resource "aws_s3_bucket" "logs" {
  bucket = "example_logstorage"
}
# Policy document granting the S3 log-delivery service permission to write
# log objects into the logging bucket. It is only a document here; it takes
# effect once attached by the aws_s3_bucket_policy resource.
data "aws_iam_policy_document" "logs" {
  statement {
    sid    = "s3-log-delivery"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }
    # Write-only: PutObject on objects inside the bucket, nothing on the
    # bucket itself.
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.logs.arn}/*",
    ]
    # NOTE(review): a service principal grant like this is commonly scoped
    # with a source-account condition so that only log delivery from this
    # account can use it — confirm against the AWS S3 logging documentation.
  }
}
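# Attaches the log-delivery policy to the logging bucket. Both references
# must name the resources declared in this solution: the bucket is
# aws_s3_bucket.logs and the document is data.aws_iam_policy_document.logs;
# pointing at undeclared names (e.g. "example-logs") fails at plan time and
# leaves the delivery permission unattached.
resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs.json
}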
For Amazon API Gateway stages:
# Tracing is on and an access_log_settings block delivers per-request
# access logs to the given CloudWatch Logs destination.
resource "aws_api_gateway_stage" "example" {
  xray_tracing_enabled = true
  access_log_settings {
    destination_arn = "arn:aws:logs:eu-west-1:123456789:example" # sample ARN
    format          = "..." # placeholder: supply the access-log format string
  }
}
For Amazon MSK Broker logs:
# Broker logs are delivered to S3; Firehose delivery stays off, which is
# fine as long as at least one destination is enabled.
resource "aws_msk_cluster" "example" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3
  logging_info {
    broker_logs {
      firehose {
        enabled = false
      }
      s3 {
        enabled = true
        bucket  = "example"    # destination bucket for broker logs
        prefix  = "log/msk-"
      }
    }
  }
}
For Amazon MQ Brokers, enable audit or general:
# Both broker log categories are enabled; either one alone is enough to
# satisfy the rule.
resource "aws_mq_broker" "example" {
  logs {
    audit   = true # administrative actions
    general = true # broker runtime activity
  }
}
For Amazon DocumentDB:
# Exports the cluster's audit log type to CloudWatch Logs.
resource "aws_docdb_cluster" "example" {
  cluster_identifier              = "example"
  enabled_cloudwatch_logs_exports = ["audit"]
}
For Azure App Services:
# HTTP logs are retained on the file system and application logs are
# written at "Error" level to both the file system and blob storage.
resource "azurerm_app_service" "example" {
  logs {
    http_logs {
      file_system {
        retention_in_days = 90
        retention_in_mb   = 100
      }
    }
    application_logs {
      file_system_level = "Error"
      azure_blob_storage {
        retention_in_days = 90
        level             = "Error"
        # NOTE(review): the provider may require additional attributes for
        # the blob destination (e.g. the storage SAS URL) — check the
        # azurerm docs before copying this block verbatim.
      }
    }
  }
}
For GCP VPC Subnetwork:
# The log_config block enables VPC flow logs for the subnetwork.
resource "google_compute_subnetwork" "example" {
  name          = "example"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.example.id
  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5                    # sample half of the flows
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
For GCP SQL Database Instance:
# Turns on the engine's logging options through database_flags.
# NOTE(review): these flag names are PostgreSQL settings; other engines use
# different flags — confirm against the instance's database version.
resource "google_sql_database_instance" "example" {
  name = "example"
  settings {
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
  }
}
For GCP Kubernetes Engine (GKE) cluster:
# Cluster logging is sent to Cloud Logging instead of being disabled.
resource "google_container_cluster" "example" {
  name            = "example"
  logging_service = "logging.googleapis.com/kubernetes"
}
See