terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled


ELB has no logging enabled. Without logs, important event information may be lost.


Definition

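# Semgrep rule: flags aws_lb / aws_alb resources whose access logging is not
# explicitly enabled. Matching is structural on the HCL resource body.
rules:
  - id: aws-elb-access-logs-not-enabled
    patterns:
      # Both resource type names the AWS provider accepts for an ELBv2.
      - pattern-either:
          - pattern: |
              resource "aws_lb" $ANYTHING {
                ...
              }
          - pattern: |
              resource "aws_alb" $ANYTHING {
                ...
              }
      # A resource is only exempt when an access_logs block sets
      # `enabled = true`; a block with only `bucket`, or with
      # `enabled = false`, still matches.
      - pattern-not-inside: |
          resource $ANYLB $ANYTHING {
            ...
            access_logs {
              ...
              enabled = true
              ...
            }
            ...
          }
      # Resources declared with subnet_mapping are skipped (see the
      # "unknown" gateway case in the rule's example file).
      - pattern-not-inside: |
          resource $ANYLB $ANYTHING {
            ...
            subnet_mapping {
              ...
            }
            ...
          }
    message: ELB has no logging. Missing logs can cause missing important event
      information.
    languages:
      - hcl
    severity: WARNING
    metadata:
      # NOTE(review): the OWASP/CWE entries below describe encryption
      # strength, while the rule checks for missing access logging —
      # consider re-mapping to a logging/monitoring classification.
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues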

Examples

aws-elb-access-logs-not-enabled.tf

# pass
# Both resource type names are accepted; an access_logs block with
# `enabled = true` is what exempts a resource from the finding.

resource "aws_lb" "enabled" {
  load_balancer_type = "network"
  name               = "nlb"
  subnets            = var.public_subnet_ids

  access_logs {
    bucket  = var.bucket_name
    enabled = true
  }
}

resource "aws_alb" "enabled" {
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  access_logs {
    bucket  = var.bucket_name
    enabled = true
  }
}

# failure
# No access_logs block at all.
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_lb" "default" {
  load_balancer_type = "network"
  name               = "nlb"
  subnets            = var.public_subnet_ids
}
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_alb" "default" {
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids
}
# access_logs block present but `enabled` not set — still a finding,
# since the rule requires an explicit `enabled = true`.
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_lb" "only_bucket" {
  load_balancer_type = "network"
  name               = "nlb"
  subnets            = var.public_subnet_ids

  access_logs {
    bucket = var.bucket_name
  }
}
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_alb" "only_bucket" {
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  access_logs {
    bucket = var.bucket_name
  }
}
# Logging explicitly disabled.
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_lb" "disabled" {
  load_balancer_type = "network"
  name               = "nlb"
  subnets            = var.public_subnet_ids

  access_logs {
    bucket  = var.bucket_name
    enabled = false
  }
}
# ruleid: aws-elb-access-logs-not-enabled
resource "aws_alb" "disabled" {
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  access_logs {
    bucket  = var.bucket_name
    enabled = false
  }
}

# unknown
# Not reported: the rule's second pattern-not-inside skips any resource
# that declares a subnet_mapping block. NOTE(review): presumably because
# gateway load balancers do not support access logs — confirm against the
# provider docs before relying on this exemption.

resource "aws_lb" "gateway" {
  name = "glb"
  load_balancer_type = "gateway"

  subnet_mapping {
    subnet_id = var.subnet_id
  }
}