terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled
semgrep
Author
unknown
Download Count*
License
ELB has no logging. Missing logs can cause missing important event information.
Run Locally
Run in CI
Defintion
rules:
- id: aws-elb-access-logs-not-enabled
patterns:
- pattern-either:
- pattern: |
resource "aws_lb" $ANYTHING {
...
}
- pattern: |
resource "aws_alb" $ANYTHING {
...
}
- pattern-not-inside: |
resource $ANYLB $ANYTHING {
...
access_logs {
...
enabled = true
...
}
...
}
- pattern-not-inside: |
resource $ANYLB $ANYTHING {
...
subnet_mapping {
...
}
...
}
message: ELB has no logging. Missing logs can cause missing important event
information.
languages:
- hcl
severity: WARNING
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-326: Inadequate Encryption Strength"
technology:
- aws
- terraform
category: security
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
Examples
aws-elb-access-logs-not-enabled.tf
# pass
resource "aws_lb" "enabled" {
load_balancer_type = "network"
name = "nlb"
subnets = var.public_subnet_ids
access_logs {
bucket = var.bucket_name
enabled = true
}
}
resource "aws_alb" "enabled" {
load_balancer_type = "application"
name = "alb"
subnets = var.public_subnet_ids
access_logs {
bucket = var.bucket_name
enabled = true
}
}
# failure
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_lb" "default" {
load_balancer_type = "network"
name = "nlb"
subnets = var.public_subnet_ids
}
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_alb" "default" {
load_balancer_type = "application"
name = "alb"
subnets = var.public_subnet_ids
}
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_lb" "only_bucket" {
load_balancer_type = "network"
name = "nlb"
subnets = var.public_subnet_ids
access_logs {
bucket = var.bucket_name
}
}
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_alb" "only_bucket" {
load_balancer_type = "application"
name = "alb"
subnets = var.public_subnet_ids
access_logs {
bucket = var.bucket_name
}
}
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_lb" "disabled" {
load_balancer_type = "network"
name = "nlb"
subnets = var.public_subnet_ids
access_logs {
bucket = var.bucket_name
enabled = false
}
}
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_alb" "disabled" {
load_balancer_type = "application"
name = "alb"
subnets = var.public_subnet_ids
access_logs {
bucket = var.bucket_name
enabled = false
}
}
# unknown
resource "aws_lb" "gateway" {
name = "glb"
load_balancer_type = "gateway"
subnet_mapping {
subnet_id = var.subnet_id
}
}
Short Link: https://sg.run/Yrye