How to enable logging for elastic load balancer using AWS CLI

Priyam Singh

~ 2 min read

Logging requests to ELB endpoints is a helpful way of detecting and investigating potential attacks, malicious activity, or misuse of backend resources. Logs can be sent to S3 and processed for further analysis.


Elastic Load Balancers (ELBs) need to have logging enabled to ensure the logs are available for debugging, troubleshooting, and incident response activities. Access logs contain information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses.

Each access log file is automatically encrypted using SSE-S3 before it is stored in your S3 bucket and decrypted when you access it. You do not need to take any action; the encryption and decryption is performed transparently. Each log file is encrypted with a unique key, which is itself encrypted with a master key that is regularly rotated.

Logging allows for an audit trail to be created in the event of an attack or malicious activity being detected. When logging is not enabled, this ability is absent which could allow potential attackers to hide within the traffic. This could allow attacks to go undetected, causing further loss in data and access.

Enable Access Logging for ELB using CLI

  1. Create the S3 bucket that will store the ELB log files

    aws s3api create-bucket --region <region_name> --bucket <bucket_name>

    create bucket s3

  2. Attach the policy document that grants the ELB permission to write to the newly created bucket

    aws s3api put-bucket-policy --bucket <bucket_name> --policy <policy_file_name>

    create bucket s3

  3. To enable access logging for the selected Elastic Load Balancer

    aws elbv2 modify-load-balancer-attributes --load-balancer-arn <load_balancer_arn> --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value=<bucket_name> Key=access_logs.s3.prefix,Value=<pefix> Key=idle_timeout.timeout_seconds,Value=60

    create bucket s3