Elastic Load Balancers have access logs configured to deliver request metadata (client IPs, paths, status, TLS details) to Amazon S3
Risk
Without ELB access logs, you lose visibility into edge traffic, reducing detection of reconnaissance, brute-force, and exploitation attempts. This hampers forensics and incident timelines, risking undetected data exfiltration (confidentiality), untraceable changes (integrity), and delayed response to outages or DDoS (availability).
prowler aws --checks elb_logging_enabled
Recommendation
Enable access logs to Amazon S3 (access_logs.s3.enabled=true). Apply least privilege bucket policies, encrypt objects, and restrict read access. Define lifecycle retention and centralize analysis. Monitor for delivery failures and alert on anomalies. Standardize across all load balancers via IaC as part of defense in depth.
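Added example, not part of the Prowler check or AWS tooling: a small analyzer over constructed Classic ELB access log lines (the field layout the referenced docs describe) that surfaces the credential-guessing and path-probing patterns the Risk section mentions, and counts lines that fail to parse so a broken or partial delivery is noticed rather than silently ignored. Thresholds, sample IPs and paths are illustrative.

```python
import re
from collections import defaultdict

# Classic ELB access log field layout: timestamp elb client:port backend:port
# request_t backend_t response_t elb_status backend_status rx tx "request" "user_agent" ssl_cipher ssl_protocol
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ (?P<client>[^ :]+):\S+ \S+ \S+ \S+ \S+ '
    r'(?P<elb_status>\d+|-) (?P<be_status>\d+|-) \d+ \d+ '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" "(?P<ua>[^"]*)" \S+ \S+$'
)

def parse_line(line):
    """Fields of one access log line (plus the bare path), or None on no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = re.sub(r'^https?://[^/]+', '', rec["url"]).split('?', 1)[0]
    return rec

def flag_clients(lines, threshold=5):
    """Return (findings, unparsed). findings: (client, reason, count) for IPs with
    >= threshold 401/403 answers on one path (credential guessing) or >= threshold
    distinct 404 paths (probing). unparsed: lines that did not match the layout."""
    auth_fail, not_found, unparsed = defaultdict(int), defaultdict(set), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["elb_status"] in ("401", "403"):
            auth_fail[(rec["client"], rec["path"])] += 1
        elif rec["elb_status"] == "404":
            not_found[rec["client"]].add(rec["path"])
    findings = [(c, "auth-failures:" + p, n) for (c, p), n in auth_fail.items() if n >= threshold]
    findings += [(c, "path-probing", len(ps)) for c, ps in not_found.items() if len(ps) >= threshold]
    return sorted(findings), unparsed

def sample_line(client, path, status):
    """One constructed Classic ELB log line for the demo (not real traffic)."""
    return (f'2024-01-01T00:00:00.000000Z my-elb {client}:40000 10.0.0.1:443 '
            f'0.00005 0.0010 0.00005 {status} {status} 120 300 '
            f'"POST https://www.example.com:443{path} HTTP/1.1" "curl/7.38.0" '
            f'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')

# Constructed sample: repeated 401s on /login, five distinct 404 probes, one normal hit, one bad line.
SAMPLE_LOG = ([sample_line("203.0.113.5", "/login", 401) for _ in range(6)]
              + [sample_line("198.51.100.7", p, 404) for p in ("/admin", "/old", "/backup", "/config", "/test")]
              + [sample_line("192.0.2.10", "/", 200), "not a valid access log line"])

if __name__ == "__main__":
    findings, unparsed = flag_clients(SAMPLE_LOG)
    print(findings, "unparsed:", unparsed)
```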
Remediation
aws elb modify-load-balancer-attributes --load-balancer-name <lb_name> --load-balancer-attributes "AccessLog={Enabled=true,S3BucketName=<bucket_name>}"
- In the AWS Console, go to EC2 > Load Balancers
- Select the load balancer and choose Edit attributes (or the Attributes tab)
- Turn on Access logs
- Enter the S3 URI (e.g., s3://<bucket_name>)
- Click Save
Resource Type
AwsElbLoadBalancer
References
- https://docs.aws.amazon.com/elasticloadbalancing/latest/network/enable-access-logs.html
- https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/ElasticBeanstalk/enable-access-logs.html
- https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html