Traceability Loss - AWS
Need
Enhancement of traceability and logging for AWS resources (EC2 instances, load balancers and S3 buckets)
Context
• Usage of CloudFormation for Infrastructure as Code (IaC)
• Usage of AWS resources such as EC2, ELB, and S3
Description
1. Non compliant code
```yaml
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      Tags:
        - Key: Name
          Value: example-instance
      # ... (the ELB and S3 bucket resources described below are truncated in the source)
```

In the above CloudFormation template an EC2 instance, a Classic Load Balancer (ELB) and an S3 bucket are created, but logging is not enabled for any of them:

1. **EC2 Instance**: the instance is created without detailed monitoring (`Monitoring: true`), so CloudWatch only receives its metrics at the default five-minute resolution, which limits visibility.
2. **ELB**: the Classic Load Balancer has no `AccessLoggingPolicy`, so no record of incoming requests is kept.
3. **S3 Bucket**: the bucket has no `LoggingConfiguration`, so access to the bucket and its objects is not tracked.

Without these logs, malicious activity or anomalies involving these resources cannot be traced effectively.
2. Steps
• Enable detailed monitoring on the EC2 instance by setting `Monitoring` to `true`. Note that this only raises the CloudWatch metric resolution from five minutes to one minute; it records no events. API-level activity on the instance is recorded by CloudTrail and network activity by VPC Flow Logs, which are separate controls not covered by this template.
• Configure the ELB with an `AccessLoggingPolicy` that points at a log bucket. The target bucket needs a bucket policy allowing the regional Elastic Load Balancing account to `s3:PutObject` under the chosen prefix; the ELB writes a test object when logging is enabled and the request fails if it is denied.
• Add a `LoggingConfiguration` to the S3 bucket to enable server access logging. The target bucket must allow the `logging.s3.amazonaws.com` service principal to write to it (new buckets have ACLs disabled, so a bucket policy rather than the legacy log-delivery ACL is required). Server access logs are delivered on a best-effort basis, so do not treat them as the sole record of access.
3. Secure code example
```yaml
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      Monitoring: true
      Tags:
        - Key: Name
      # ... (the rest of the template, including the ELB and S3 bucket resources, is truncated in the source)
```

The above CloudFormation template enables logging for the EC2 instance, ELB and S3 bucket:

1. **EC2 Instance**: `Monitoring` is set to `true` to enable detailed (one-minute) monitoring.
2. **ELB**: an `AccessLoggingPolicy` is added so that access logs are delivered to the specified S3 bucket under a defined prefix at the configured emit interval.
3. **S3 Bucket**: a `LoggingConfiguration` is added so that server access logs are sent to a target bucket under a prefix.
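The following complete template is an added example, not code from the page, that carries the three steps above through to a deployable stack. Beyond what the page shows, it adds the log target bucket and the bucket policy that both services require before they can deliver anything, which is the part most often missed: without the policy the ELB creation fails on its test write and S3 rejects the `LoggingConfiguration`. The `DependsOn` entries exist so the policy is in place before either logging setting is applied. The `SubnetIds` parameter, the log prefixes, and the `ElbAccountId` default (the Elastic Load Balancing account for us-east-1; verify it for your region) are assumptions; the AMI ID is the one used on the page and is region-specific.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: EC2 instance, Classic ELB and S3 bucket with logging enabled (added example)

Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets for the ELB and the instance (assumed to exist in one VPC)
  ElbAccountId:
    Type: String
    Default: '127311923021'
    Description: Elastic Load Balancing account for the region (assumption; value shown is us-east-1)

Resources:
  # Dedicated bucket that receives both the ELB access logs and the S3 server access logs.
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Grants the two log producers write access. Without it neither service can deliver:
  # the ELB writes a test object when logging is enabled and fails if denied, and S3
  # rejects a LoggingConfiguration whose target does not trust logging.s3.amazonaws.com.
  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowClassicElbLogDelivery
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${ElbAccountId}:root
            Action: s3:PutObject
            Resource: !Sub ${LogBucket.Arn}/elb-access/AWSLogs/${AWS::AccountId}/*
          - Sid: AllowS3ServerAccessLogDelivery
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub ${LogBucket.Arn}/s3-access/*
            # Scoped to this account only; an aws:SourceArn condition on DataBucket would
            # create a circular dependency, since DataBucket must be created after this policy.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  # The bucket whose access is being traced (constructed for the example).
  DataBucket:
    Type: AWS::S3::Bucket
    DependsOn: LogBucketPolicy   # S3 checks the target's permissions when logging is set
    Properties:
      LoggingConfiguration:
        DestinationBucketName: !Ref LogBucket
        LogFilePrefix: s3-access/

  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8   # AMI from the page; region-specific
      InstanceType: t2.micro
      Monitoring: true                  # one-minute CloudWatch metrics instead of five
      SubnetId: !Select [0, !Ref SubnetIds]
      Tags:
        - Key: Name
          Value: example-instance

  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    DependsOn: LogBucketPolicy   # the ELB validates write access to the bucket at creation
    Properties:
      Subnets: !Ref SubnetIds
      Instances:
        - !Ref MyInstance
      Listeners:
        - LoadBalancerPort: '80'
          InstancePort: '80'
          Protocol: HTTP
      AccessLoggingPolicy:
        Enabled: true
        S3BucketName: !Ref LogBucket
        S3BucketPrefix: elb-access    # must match the prefix granted in LogBucketPolicy
        EmitInterval: 5               # minutes; 5 or 60 are the accepted values

Outputs:
  LogBucketName:
    Value: !Ref LogBucket
```

Deploy it with `aws cloudformation deploy`, supplying `SubnetIds`, then confirm the setting took effect with `aws elb describe-load-balancer-attributes --load-balancer-name <name>` (the `AccessLog` attribute should show `Enabled: true`) and `aws s3api get-bucket-logging --bucket <DataBucket>`. After a few minutes of traffic the `elb-access/` and `s3-access/` prefixes of the log bucket should contain objects; an empty prefix usually means the policy and the prefix in the logging setting do not match.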
References
• 400. Traceability Loss - AWS