Enhancement of traceability and logging in AWS instances
```hcl
resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"
  tags = {
    Name = "example-instance"
  }
}

resource "aws_elb" "example" {
  name               = "example-elb"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
}

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket"
  acl    = "private"
}
```
In the Terraform code above, we create an AWS EC2 instance, an Elastic Load Balancer (ELB) and an S3 bucket. However, no logging is enabled for any of these resources.

1. EC2 instance: the instance is created with the `aws_instance` resource. The `ami` and `instance_type` properties are set and a tag is assigned, but no logging-related property is set, so no log data is being recorded for this instance.
2. ELB: the load balancer is created with the `aws_elb` resource. It listens on port 80 and is associated with three availability zones, but, like the EC2 instance, it has no logging property set.
3. S3 bucket: the bucket is created with the `aws_s3_bucket` resource. Its ACL is set to private, but again no logging is enabled for it.

Without logging on these resources, malicious actions and anomalous behaviour cannot be identified or traced. In addition, even where logging is enabled, the log files lack the level of detail needed to be useful.
```hcl
resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"
  tags = {
    Name = "example-instance"
  }
  monitoring = true
}

resource "aws_elb" "example" {
  name               = "example-elb"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
  access_logs {
    bucket  = "my-access-logs-bucket"
    enabled = true
  }
}

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket"
  acl    = "private"
  logging {
    target_bucket = "my-log-bucket"
    target_prefix = "log/"
  }
}
```
The code above fixes the vulnerability by enabling logging for the EC2 instance, the ELB and the S3 bucket.

1. For the EC2 instance, the `monitoring` property is set to `true`. This enables detailed monitoring, which provides additional instance metrics and logs.
2. For the ELB, the `access_logs` block is added. It enables access logs for the load balancer and names the S3 bucket where the logs are stored.
3. For the S3 bucket, the `logging` block is added. It enables server access logging for the bucket; the logs are written to the specified target bucket under the specified prefix.
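As an added check, not part of the original write-up: the Python below parses the HCL subset used in the snippets above with a small hand-written parser and lists every `aws_instance`, `aws_elb` and `aws_s3_bucket` resource that still lacks the settings the fix introduces. It assumes the AWS provider's default of `enabled = true` for an `access_logs` block that omits the attribute, and the `SAMPLE` input is constructed for illustration.

```python
import re

# HCL-subset tokens: "strings", bare words (names, numbers, true/false), = [ ] { } , and '#' comments.
_TOKEN = re.compile(r'#[^\n]*|"([^"]*)"|([A-Za-z0-9_.-]+)|([=\[\]{},])')

def _value(toks, i):
    kind, v = toks[i]
    if kind != "sym":                       # "string", true/false or a bare word
        return {"true": True, "false": False}.get(v, v), i + 1
    if v == "{":                            # map literal: same shape as a block body
        return _body(toks, i + 1)
    items, i = [], i + 1                    # flat list literal ["a", "b"]
    while toks[i] != ("sym", "]"):
        if toks[i] != ("sym", ","):
            items.append(toks[i][1])
        i += 1
    return items, i + 1

def _body(toks, i):
    # Attributes map key -> value; blocks collect under their type as (labels, body) pairs.
    body = {}
    while i < len(toks) and toks[i] != ("sym", "}"):
        key, i = toks[i][1], i + 1
        if toks[i] == ("sym", "="):
            body[key], i = _value(toks, i + 1)
        else:
            labels = []
            while toks[i][0] == "str":
                labels.append(toks[i][1])
                i += 1
            inner, i = _body(toks, i + 1)   # toks[i] is the block's opening "{"
            body.setdefault(key, []).append((labels, inner))
    return body, i + 1                      # step past the closing "}"

def logging_findings(hcl):
    toks = [(("str", "word", "sym")[m.lastindex - 1], m.group(m.lastindex))
            for m in _TOKEN.finditer(hcl) if m.lastindex]   # lastindex None: comment
    out = []
    for (rtype, name), a in _body(toks, 0)[0].get("resource", []):
        if rtype == "aws_instance" and a.get("monitoring") is not True:
            out.append(f"{rtype}.{name}: monitoring is not true")
        elif rtype == "aws_elb" and not any(            # provider default: enabled = true
                b.get("enabled", True) for _, b in a.get("access_logs", [])):
            out.append(f"{rtype}.{name}: no enabled access_logs block")
        elif rtype == "aws_s3_bucket" and not a.get("logging"):
            out.append(f"{rtype}.{name}: no logging block")
    return out

# Constructed sample (not the page's code): an ELB whose access_logs block is disabled.
SAMPLE = 'resource "aws_elb" "lb" {\n  access_logs {\n    bucket  = "logs"\n    enabled = false\n  }\n}\n'
```

Run against the first snippet above it reports all three resources; against the fixed snippet it reports nothing.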