Enhancement of traceability and logging in AWS instances
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      Tags:
        - Key: Name
          Value: example-instance
  MyELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
In the CloudFormation template above, we are creating an EC2 instance, a
Classic Load Balancer (ELB), and an S3 bucket. However, logging is not
enabled for any of these resources.
1. EC2 Instance: The instance is created without detailed monitoring
(Monitoring: true), so CloudWatch receives its metrics only at the default
5-minute interval instead of every minute, which limits metric visibility.
Note that detailed monitoring adds metric granularity, not logs: API calls
against the instance are recorded by CloudTrail, and OS-level logs require
the CloudWatch agent.
2. ELB: The Classic Load Balancer has no AccessLoggingPolicy, so no record
of incoming requests (client address, request line, backend response) is
captured.
3. S3 Bucket: The bucket has no LoggingConfiguration, so server access
logging is off and requests against the bucket and its objects are not
recorded.
Without these logs, malicious activity or anomalies cannot be traced
effectively.
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      Monitoring: true
      Tags:
        - Key: Name
          Value: example-instance
  MyELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c
      AccessLoggingPolicy:
        Enabled: true
        S3BucketName: my-access-logs-bucket
        EmitInterval: 5
        S3BucketPrefix: elb-logs/
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      LoggingConfiguration:
        DestinationBucketName: my-log-bucket
        LogFilePrefix: log/
The CloudFormation template above enables logging for the EC2 instance,
ELB, and S3 bucket.
1. EC2 Instance: Monitoring is set to true to enable detailed (1-minute)
monitoring.
2. ELB: AccessLoggingPolicy is added to enable access logs, stored in the
specified S3 bucket under the given prefix every 5 minutes (EmitInterval
accepts only 5 or 60).
3. S3 Bucket: LoggingConfiguration is added to send server access logs to
a target bucket under the given prefix.
Two caveats apply before this template delivers any logs. The destination
buckets (my-access-logs-bucket and my-log-bucket) must already exist in the
same region as the load balancer and the source bucket, and each needs a
bucket policy that lets the log delivery principal write to it: the
regional Elastic Load Balancing account (or, in regions opened after
August 2022, the logdelivery.elasticloadbalancing.amazonaws.com service
principal) for ELB access logs, and the logging.s3.amazonaws.com service
principal for S3 server access logs. Also, keep the log bucket separate
from the source bucket: if DestinationBucketName is omitted, S3 stores the
access logs in the source bucket itself, which AWS recommends against.
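As an added example (not code from the original page), the following Python linter detects the three gaps described above and confirms the corrected template closes them. Templates are given in CloudFormation's JSON form so only the standard library is needed; yaml.safe_load of the page's YAML templates yields the same dicts, since they use no intrinsic-function tags. The two template strings are constructed here to mirror the page's 'before' and 'after' templates, and the checks go slightly beyond the page by also flagging an invalid EmitInterval and a bucket that logs to itself.

```python
"""Added example, not code from the original page: a small linter that flags the
logging gaps discussed above in a CloudFormation template given as JSON."""
import json

# AWS::ElasticLoadBalancing::LoadBalancer accepts only these EmitInterval values (minutes).
VALID_EMIT_INTERVALS = {5, 60}


def check_instance(name, props):
    """Detailed monitoring is opt-in; without it CloudWatch gets 5-minute metrics only."""
    if props.get("Monitoring") is not True:
        return [f"{name}: EC2 instance lacks Monitoring: true (no detailed monitoring)"]
    return []


def check_classic_elb(name, props):
    """Classic ELB access logs are off unless AccessLoggingPolicy is present and enabled."""
    policy = props.get("AccessLoggingPolicy")
    if not policy or policy.get("Enabled") is not True:
        return [f"{name}: Classic ELB has no enabled AccessLoggingPolicy"]
    findings = []
    if not policy.get("S3BucketName"):
        findings.append(f"{name}: AccessLoggingPolicy names no S3BucketName")
    interval = policy.get("EmitInterval", 60)  # 60 is the service default
    if interval not in VALID_EMIT_INTERVALS:
        findings.append(f"{name}: EmitInterval {interval} is invalid (must be 5 or 60)")
    return findings


def check_bucket(name, props):
    """S3 server access logging is off unless LoggingConfiguration is present.
    If DestinationBucketName is omitted the logs land in the source bucket itself,
    which AWS recommends against; an explicit self-reference is flagged as well."""
    cfg = props.get("LoggingConfiguration")
    if cfg is None:
        return [f"{name}: S3 bucket has no LoggingConfiguration"]
    dest = cfg.get("DestinationBucketName")
    if not dest or dest == props.get("BucketName"):
        return [f"{name}: bucket logs to itself; use a dedicated log bucket"]
    return []


CHECKS = {
    "AWS::EC2::Instance": check_instance,
    "AWS::ElasticLoadBalancing::LoadBalancer": check_classic_elb,
    "AWS::S3::Bucket": check_bucket,
}


def lint_template(template_json):
    """Return a list of findings (empty when every checked resource logs)."""
    template = json.loads(template_json)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


# Constructed sample: the page's 'before' template (no logging anywhere).
BEFORE_TEMPLATE = json.dumps({"Resources": {
    "MyInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-0c94855ba95c574c8", "InstanceType": "t2.micro"}},
    "MyELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {
        "Listeners": [{"LoadBalancerPort": 80, "InstancePort": 80, "Protocol": "HTTP"}],
        "AvailabilityZones": ["us-west-2a", "us-west-2b", "us-west-2c"]}},
    "MyBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
}})

# Constructed sample: the page's 'after' template with logging enabled.
AFTER_TEMPLATE = json.dumps({"Resources": {
    "MyInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-0c94855ba95c574c8", "InstanceType": "t2.micro", "Monitoring": True}},
    "MyELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {
        "Listeners": [{"LoadBalancerPort": 80, "InstancePort": 80, "Protocol": "HTTP"}],
        "AvailabilityZones": ["us-west-2a", "us-west-2b", "us-west-2c"],
        "AccessLoggingPolicy": {"Enabled": True, "S3BucketName": "my-access-logs-bucket",
                                "EmitInterval": 5, "S3BucketPrefix": "elb-logs/"}}},
    "MyBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "LoggingConfiguration": {"DestinationBucketName": "my-log-bucket",
                                 "LogFilePrefix": "log/"}}},
}})

if __name__ == "__main__":
    for label, tpl in (("before", BEFORE_TEMPLATE), ("after", AFTER_TEMPLATE)):
        print(f"{label}: {lint_template(tpl) or 'no findings'}")
```

Run against the 'before' template the linter reports one finding per resource; against the 'after' template it reports none. The checks key on the resource Type, so the same loop can be extended to other log-producing resources (for example AWS::ElasticLoadBalancingV2::LoadBalancer, whose access logs are configured through LoadBalancerAttributes rather than AccessLoggingPolicy).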