AWSOverview
Overview
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns, troubleshoot issues, and take incident response actions.
Remediation guidance
Enable access logging for the affected load balancer and send logs to an S3 bucket in the same AWS Region.
AWS CLI
aws elbv2 modify-load-balancer-attributes \
--load-balancer-arn {{asset.idFromProvider}} \
--attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value={{manual.logBucket}} Key=access_logs.s3.prefix,Value={{manual.logPrefix}}
Validation
aws elbv2 describe-load-balancer-attributes \
--load-balancer-arn {{asset.idFromProvider}}
Notes:
- The S3 bucket must be in the same Region as the load balancer.
- Ensure the bucket policy allows Elastic Load Balancing to write logs.
References
- https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
- https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Access Logs is Enabled for ELB
Connectors
Covered asset types
Expected check: eq []
{loadBalancers(where:{type:"application",hasLoadBalancerAttribute_NONE:{key:"access_logs.s3.enabled",value:"true"}}){...AssetFragment}}
