
Traceability Loss - AWS - Cloudformation


Need

Enhancement of traceability and logging in AWS instances


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS resources such as EC2, ELB, and S3

Description

Insecure Code Example

Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      Tags:
        - Key: Name
          Value: example-instance

  MyELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c

  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private

The CloudFormation template above creates an EC2 instance, a Classic Load Balancer (ELB), and an S3 bucket, but none of them is configured to keep a record of what happens to it:

  1. **EC2 Instance**: The instance is created without detailed monitoring (`Monitoring: true`), so CloudWatch only receives its metrics at the default five-minute granularity instead of one-minute. This limits metric visibility; it is not log capture, so operating-system and application logs from the instance still need a separate mechanism such as the CloudWatch agent.
  2. **ELB**: The Classic Load Balancer has no `AccessLoggingPolicy`, so no record of incoming requests (client address, backend, status codes, latency) is kept.
  3. **S3 Bucket**: The bucket has no `LoggingConfiguration`, so reads and writes to the bucket and its objects are not tracked.

Without these records, malicious activity or anomalies cannot be traced effectively.

Steps

  1. Enable detailed monitoring in EC2 instances by setting `Monitoring` to `true`.
  2. Configure the ELB with `AccessLoggingPolicy` to capture request logs.
  3. Add a `LoggingConfiguration` to the S3 bucket to enable server access logging.

Secure Code Example

Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      Monitoring: true
      Tags:
        - Key: Name
          Value: example-instance

  MyELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c
      AccessLoggingPolicy:
        Enabled: true
        S3BucketName: my-access-logs-bucket
        EmitInterval: 5
        S3BucketPrefix: elb-logs/

  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      LoggingConfiguration:
        DestinationBucketName: my-log-bucket
        LogFilePrefix: log/

The CloudFormation template above enables logging for the EC2 instance, ELB, and S3 bucket:

  1. **EC2 Instance**: `Monitoring` is set to `true` to enable detailed (one-minute) CloudWatch monitoring.
  2. **ELB**: `AccessLoggingPolicy` enables access logs, delivered to the named S3 bucket under the given prefix every `EmitInterval` minutes (only `5` and `60` are accepted).
  3. **S3 Bucket**: `LoggingConfiguration` sends server access logs to the target bucket under the given prefix.

Two checks before deploying: `my-access-logs-bucket` and `my-log-bucket` are referenced by name but not created by this template, so they must already exist, and their bucket policies must allow the Elastic Load Balancing account for the region (for the ELB) and the `logging.s3.amazonaws.com` service principal (for S3) to write to the given prefixes; otherwise stack creation fails with an access error. The destination bucket must also not be the bucket being logged, and it should be locked down (public access blocked, writes restricted to the log delivery principals) so that an attacker who reaches the workload cannot tamper with the trail.
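The secure example refers to `my-access-logs-bucket` and `my-log-bucket` but does not create them, and neither ELB nor S3 will deliver logs to a bucket that does not grant them write access. The following template is an added example, not code from the original page: it defines a log destination bucket (the names `LogBucket` and `LogBucketPolicy` are chosen here) with the bucket policy both log sources need, and wires the page's `MyELB` and `MyBucket` resources to it. It assumes the stack is deployed in us-west-2, matching the availability zones above; the Elastic Load Balancing account ID in the policy is region-specific.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Log destination for ELB access logs and S3 server access logs (added example)

Resources:
  # Destination for both log streams. It deliberately has no LoggingConfiguration
  # of its own (a bucket must not log to itself), blocks public access, and keeps
  # object versions so delivered logs cannot be silently overwritten.
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled

  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Classic ELB delivers logs from the regional Elastic Load Balancing
          # account; 797873946194 is the documented account for us-west-2 (assumed
          # region). Other regions use a different account ID, and regions opened
          # after August 2022 use the logdelivery.elasticloadbalancing.amazonaws.com
          # service principal instead.
          - Sid: AllowClassicELBAccessLogs
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::797873946194:root
            Action: s3:PutObject
            Resource: !Sub 'arn:aws:s3:::${LogBucket}/elb-logs/AWSLogs/${AWS::AccountId}/*'
          # S3 server access logs are delivered by the logging.s3.amazonaws.com
          # service principal; SourceAccount limits delivery to buckets in this account.
          - Sid: AllowS3ServerAccessLogs
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub 'arn:aws:s3:::${LogBucket}/s3-access/*'
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  MyELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    # ELB checks that it can write to the bucket when the access logging policy
    # is applied, so the bucket policy has to exist first.
    DependsOn: LogBucketPolicy
    Properties:
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c
      AccessLoggingPolicy:
        Enabled: true
        S3BucketName: !Ref LogBucket
        # Prefix without a trailing slash; ELB appends /AWSLogs/<account-id>/...,
        # which is the path the bucket policy above allows.
        S3BucketPrefix: elb-logs
        EmitInterval: 5   # 5 or 60 minutes are the only valid values

  MyBucket:
    Type: AWS::S3::Bucket
    # S3 rejects a logging configuration whose target bucket does not yet
    # permit log delivery, so this bucket also waits for the policy.
    DependsOn: LogBucketPolicy
    Properties:
      LoggingConfiguration:
        DestinationBucketName: !Ref LogBucket
        LogFilePrefix: s3-access/
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
```

When the logs must survive a compromise of the workload account, point both sources at a bucket in a separate logging account instead: the policy keeps the same shape, with the `aws:SourceAccount` condition set to the workload account ID and the ELB statement's resource path using that account's ID.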


References

  • 400 - Traceability Loss - AWS

  • Last updated

    2025/04/04