Introduction
Elastic Load Balancers (ELBs) need to have logging enabled to ensure the logs are available for debugging, troubleshooting, and incident response activities. Access logs contain information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses.
Each access log file is automatically encrypted using SSE-S3 before it is stored in your S3 bucket and decrypted when you access it. You do not need to take any action; encryption and decryption are performed transparently. Each log file is encrypted with a unique key, which is itself encrypted with a master key that is regularly rotated.
Logging creates an audit trail that can be used when an attack or malicious activity is detected. When logging is not enabled, this ability is absent, which could allow potential attackers to hide within the traffic. Attacks could then go undetected, causing further loss of data and access.
Enable Access Logging for ELB using CLI
- Create the S3 bucket that will store the ELB log files
  aws s3api create-bucket --region <region_name> --bucket <bucket_name>
- Attach the policy document that grants the ELB permission to write to the newly created bucket
  aws s3api put-bucket-policy --bucket <bucket_name> --policy file://<policy_file_name>
- Enable access logging for the selected Elastic Load Balancer
  aws elbv2 modify-load-balancer-attributes --load-balancer-arn <load_balancer_arn> --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=<bucket_name> Key=access_logs.s3.prefix,Value=<prefix> Key=idle_timeout.timeout_seconds,Value=60
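To confirm the steps above took effect and stay in effect, the following audit check is an added example (not part of the original article or any Kloudle tooling). It takes the decoded JSON from `aws elbv2 describe-load-balancer-attributes` and the policy document from `aws s3api get-bucket-policy`; the function names, bucket name, prefix and account IDs are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample: shape of `aws elbv2 describe-load-balancer-attributes` output.
SAMPLE_ATTRS = json.loads("""{"Attributes": [
  {"Key": "access_logs.s3.enabled", "Value": "true"},
  {"Key": "access_logs.s3.bucket", "Value": "example-elb-logs"},
  {"Key": "access_logs.s3.prefix", "Value": "prod-alb"}]}""")

# Constructed sample bucket policy; account IDs and principal are placeholders.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-elb-logs/prod-alb/AWSLogs/111122223333/*"}]}


def as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def audit_access_logging(attrs, policy, account_id):
    """Return a list of findings; an empty list means logs look deliverable.

    Only Effect, Action and Resource are checked; Principal, Condition and
    explicit Deny statements are not evaluated.
    """
    kv = {a["Key"]: a["Value"] for a in attrs.get("Attributes", [])}
    if kv.get("access_logs.s3.enabled", "false").lower() != "true":
        return ["access logging is disabled"]
    bucket = kv.get("access_logs.s3.bucket", "")
    if not bucket:
        return ["access logging is enabled but no bucket is set"]
    prefix = kv.get("access_logs.s3.prefix", "").strip("/")
    # ELB writes objects under [prefix/]AWSLogs/<account-id>/...
    path = "/".join(p for p in (prefix, "AWSLogs", account_id) if p)
    target = f"arn:aws:s3:::{bucket}/{path}/probe-object"
    for stmt in as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        allows_put = any(fnmatch.fnmatchcase("s3:putobject", a) for a in actions)
        covers = any(fnmatch.fnmatchcase(target, r)
                     for r in as_list(stmt.get("Resource", [])))
        if stmt.get("Effect") == "Allow" and allows_put and covers:
            return []
    return [f"no Allow statement grants s3:PutObject on {bucket}/{path}/*"]


if __name__ == "__main__":
    print(audit_access_logging(SAMPLE_ATTRS, SAMPLE_POLICY, "111122223333") or "OK")
```

A non-empty result after a prefix or policy change means new log files may no longer reach the bucket even though the load balancer attribute still reads as enabled.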

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.
