Terraform ELB Access Logging Disabled
Description
Detects AWS Elastic Load Balancers (Classic ELB or Application Load Balancer) that have access logging disabled. Without access logs, client requests to the load balancer cannot be traced, and potential security incidents or unauthorized access attempts are much harder to detect and investigate.
Detection Strategy
• Checks Terraform configurations for 'aws_elb' or 'aws_lb' resource blocks
• Verifies whether an access_logs configuration block is present in the resource block
• Reports a vulnerability if the logging attributes are missing or logging is explicitly disabled
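The strategy above, as an added Python example that is not part of the original page: a small brace-matching scanner that finds aws_elb and aws_lb resources and reports those with no access_logs block or with logging disabled. It goes slightly beyond the page by applying the AWS provider defaults (access_logs.enabled defaults to true for aws_elb and to false for aws_lb); the sample configuration is constructed for the example.

```python
import re

# Constructed sample Terraform (not from the page): one explicitly disabled ELB,
# one ALB with no access_logs block, and one of each relying on the default.
SAMPLE_TF = '''
resource "aws_elb" "vulnerable_elb" {
  access_logs {
    bucket  = "log-bucket"
    enabled = false
  }
}
resource "aws_lb" "no_logging_block" {}
resource "aws_lb" "default_disabled" {
  access_logs { bucket = "log-bucket" }
}
resource "aws_elb" "default_enabled" {
  access_logs { bucket = "log-bucket" }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"(aws_elb|aws_lb)"\s+"([^"]+)"\s*\{')
# access_logs.enabled defaults to true for aws_elb but to false for aws_lb,
# so a missing attribute is only a finding for aws_lb.
DEFAULT_ENABLED = {"aws_elb": True, "aws_lb": False}

def _block_body(text, start):
    depth = 0  # text[start] must be the opening brace of the block
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def find_disabled_access_logs(hcl):
    """Return (type, name, reason) for every load balancer without access logging."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        rtype, name = m.groups()
        body = _block_body(hcl, m.end() - 1)
        logs = re.search(r"\baccess_logs\s*\{", body)
        if logs is None:
            findings.append((rtype, name, "access_logs block missing"))
            continue
        enabled = re.search(r"\benabled\s*=\s*(true|false)", _block_body(body, logs.end() - 1))
        if enabled is None and not DEFAULT_ENABLED[rtype]:
            findings.append((rtype, name, "enabled not set, defaults to false"))
        elif enabled and enabled.group(1) == "false":
            findings.append((rtype, name, "enabled = false"))
    return findings
```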
Vulnerable code example

resource "aws_elb" "vulnerable_elb" {
  name = "demo-elb"

  # Security issue: access logs disabled, so there is no audit trail of load balancer traffic
  access_logs {
    bucket  = "log-bucket"
    enabled = false # Vulnerable: disabling access logging removes the ability to monitor traffic
  }
}

✅ Secure code example
resource "aws_elb" "secure_elb" {
  name = "demo-elb"

  # Security: enable access logs to maintain an audit trail of load balancer traffic
  access_logs {
    bucket  = "log-bucket"
    enabled = true # Enable logging for security monitoring and compliance
  }
}