AWS ALB logging is not enabled
Updated: June 19, 2025
Description
The Application Load Balancer (ALB) is not configured to log access logs.
Access logs are crucial for monitoring, troubleshooting, and auditing traffic patterns and application behavior. Without them it is difficult to detect anomalies, diagnose errors, identify malicious traffic, or maintain a comprehensive record of incoming and outgoing requests for forensic investigation during a security incident, so incidents can go undetected and operational problems unexplained. The absence of access logging also limits an organization's ability to demonstrate compliance with regulatory and security standards that require log retention and monitoring.
Example Attack
An attacker floods the ALB with malicious requests in an attempt to disrupt application availability (DoS attack). Without access logging, security teams are unable to trace the origin of the attack, analyze patterns in the malicious traffic, or determine the extent of the impact. If access logging were enabled, the logs would capture critical details such as source IP addresses, request paths, and timestamps, allowing teams to respond effectively and block suspicious traffic.
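The triage the paragraph describes, as an added example that is not part of the original finding: it parses ALB access log entries in the documented field order (client IP, request, timestamp, status), buckets requests per client per minute, and reports the clients that exceed a threshold. The load balancer name, target IPs, account ID and the log entries themselves are constructed sample data.

```python
"""Triage a request flood from ALB access log entries (added example with constructed sample data)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# ALB entries are space-separated; quoted fields (request, user agent, ...) may contain spaces.
FIELD_RE = re.compile(r'"[^"]*"|\S+')


def parse_alb_line(line: str) -> dict:
    """Extract the fields needed for flood triage from one ALB access log entry."""
    f = [tok.strip('"') for tok in FIELD_RE.findall(line)]
    client_ip, _, _ = f[3].rpartition(":")         # client:port; rpartition keeps IPv6 intact
    method, url, _ = f[12].split(" ", 2)           # request field is "METHOD URL PROTOCOL"
    return {"time": f[1], "client_ip": client_ip, "method": method,
            "path": urlsplit(url).path, "elb_status": int(f[8]), "user_agent": f[13]}


def find_floods(lines, threshold: int) -> list:
    """Return (client, minute) buckets with at least `threshold` requests, plus the path hit most."""
    buckets = defaultdict(Counter)                 # (client_ip, minute) -> Counter of paths
    for line in lines:
        e = parse_alb_line(line)
        buckets[(e["client_ip"], e["time"][:16])][e["path"]] += 1
    return [{"client_ip": ip, "minute": minute, "requests": sum(paths.values()),
             "top_path": paths.most_common(1)[0][0]}
            for (ip, minute), paths in sorted(buckets.items()) if sum(paths.values()) >= threshold]


def sample_entry(ts: str, ip: str, port: int, path: str, status: int) -> str:
    """Constructed ALB access log entry in the documented field order (not a real capture)."""
    return (f"https {ts} app/web-alb/50dc6c495c0c9188 {ip}:{port} 10.0.1.5:80 0.000 0.001 0.000 "
            f'{status} {status} 120 366 "GET https://www.example.com:443{path} HTTP/1.1" "curl/8.0" '
            "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:"
            'targetgroup/web/73e2d6bc24d8a067 "Root=1-6853f2a1-0a1b2c3d4e5f60718293a4b5" "www.example.com" '
            f'"arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000" 0 {ts} '
            f'"forward" "-" "-" "10.0.1.5:80" "{status}" "-" "-" TID_0123456789abcdef')


# Sixty requests from one client to /login within a single minute, beside two ordinary requests.
SAMPLE_LOG = [sample_entry(f"2025-06-19T12:00:{i:02d}.000000Z", "203.0.113.7", 40000 + i, "/login", 503)
              for i in range(60)]
SAMPLE_LOG += [sample_entry("2025-06-19T12:00:05.000000Z", "198.51.100.2", 51000, "/", 200),
               sample_entry("2025-06-19T12:01:10.000000Z", "198.51.100.2", 51001, "/about", 200)]

if __name__ == "__main__":
    for flood in find_floods(SAMPLE_LOG, threshold=50):
        print(f"{flood['client_ip']} sent {flood['requests']} requests at {flood['minute']} "
              f"(mostly {flood['top_path']})")
```

On real data, feed the decompressed lines from the log bucket to `find_floods`; the same per-client, per-minute counts are what a WAF rate-based rule would key on.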
Remediation
Enable access logging on the ALB. Doing so improves visibility into application usage patterns, assists in identifying potential security threats, and simplifies compliance with audit requirements. It also helps diagnose performance bottlenecks and supports proactive maintenance of the application environment.
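The check behind this finding and its fix, as an added example (not code from the original page): it evaluates the `access_logs.s3.*` attributes returned by the ELBv2 `describe_load_balancer_attributes` call and builds the attribute set for `modify_load_balancer_attributes`. The sample attribute list and `FIX_BUCKET` are constructed placeholders; boto3 is only imported for the live run.

```python
"""Audit and remediate ALB access logging through the ELBv2 attribute API (added example)."""

# Attribute keys reported by describe_load_balancer_attributes and set by modify_load_balancer_attributes.
ENABLED_KEY, BUCKET_KEY, PREFIX_KEY = ("access_logs.s3.enabled", "access_logs.s3.bucket", "access_logs.s3.prefix")

# Constructed sample of the attribute list for an ALB with logging off (not a real API response).
SAMPLE_ATTRIBUTES_OFF = [
    {"Key": "access_logs.s3.enabled", "Value": "false"},
    {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    {"Key": "deletion_protection.enabled", "Value": "false"},
]

# Placeholder: set to the S3 bucket that receives the logs to remediate instead of only reporting.
FIX_BUCKET = ""


def access_logging_status(attributes: list) -> dict:
    """Evaluate one ALB's attribute list; the API reports the flag as the string "true" or "false"."""
    kv = {a["Key"]: a["Value"] for a in attributes}
    return {"enabled": kv.get(ENABLED_KEY, "false").lower() == "true",
            "bucket": kv.get(BUCKET_KEY, ""), "prefix": kv.get(PREFIX_KEY, "")}


def remediation_attributes(bucket: str, prefix: str) -> list:
    """Attribute list that turns on access logging to the given S3 bucket and prefix."""
    if not bucket:
        raise ValueError("an S3 bucket is required; its bucket policy must permit ELB log delivery")
    return [{"Key": ENABLED_KEY, "Value": "true"},
            {"Key": BUCKET_KEY, "Value": bucket},
            {"Key": PREFIX_KEY, "Value": prefix}]


if __name__ == "__main__":
    import boto3  # live run only: lists every ALB in the region, reports, and optionally fixes

    elbv2 = boto3.client("elbv2")
    for lb in elbv2.describe_load_balancers()["LoadBalancers"]:
        if lb["Type"] != "application":
            continue
        arn = lb["LoadBalancerArn"]
        attrs = elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]
        status = access_logging_status(attrs)
        state = "enabled" if status["enabled"] else "NOT ENABLED"
        print(f"{lb['LoadBalancerName']}: access logging {state} {status['bucket']}/{status['prefix']}")
        if not status["enabled"] and FIX_BUCKET:
            elbv2.modify_load_balancer_attributes(
                LoadBalancerArn=arn,
                Attributes=remediation_attributes(FIX_BUCKET, lb["LoadBalancerName"]))
```

The modify call is rejected when the load balancer cannot write to the bucket, so the bucket policy granting log delivery must be in place before running the fix.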
Security Frameworks
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
- Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];
- Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
- Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
- Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
- Review and update the event types selected for logging [Assignment: organization-defined frequency].
Ensure that audit records contain information that establishes the following:
- What type of event occurred;
- When the event occurred;
- Where the event occurred;
- Source of the event;
- Outcome of the event; and
- Identity of any individuals, subjects, or objects/entities associated with the event.
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].
- Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
- Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
- Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
- Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
- Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
- Ongoing control assessments in accordance with the continuous monitoring strategy;
- Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
- Correlation and analysis of information generated by control assessments and monitoring;
- Response actions to address results of the analysis of control assessment and monitoring information; and
- Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
- Detect and deny outgoing communications traffic posing a threat to external systems; and
- Audit the identity of internal users associated with denied communications.
Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].