Load balancer access logging is not enabled Affecting ELB service in AWS


    Severity medium
    Severity Framework Snyk CCSS
    Rule category Logging / Configuration

    Frameworks
    AWS-Well-Architected CIS-Controls HIPAA ISO-27001 NIST-800-53 SOC-2
  • Snyk ID SNYK-CC-00113
  • credit Snyk Research Team

Description

Access logs record every request the load balancer handles, including the client IP address and port, the request line, the backend that served it, and the load balancer and backend status codes and processing times. Access logging should be enabled in order to analyze traffic statistics, diagnose issues, and retain a record of activity for incident investigation and for regulatory or legal purposes. A load balancer without access logs leaves no request-level evidence from which to reconstruct what a client did during an incident.

How to fix?

Configure an access_logs block with the enabled attribute set to true and the bucket attribute set to an S3 bucket the load balancer is permitted to write to. The bucket policy must grant s3:PutObject on the AWSLogs/ prefix to the regional Elastic Load Balancing account (exposed in Terraform by the aws_elb_service_account data source) for classic and application load balancers, or to the delivery.logs.amazonaws.com service principal for network load balancers; if it does not, the attribute update is rejected and terraform apply fails. Note that a network load balancer records access logs only for traffic on TLS listeners, and that a classic load balancer's interval (the emit interval in minutes) must be 5 or 60.

Example Configuration

# aws_elb example (classic load balancer)
resource "aws_elb" "tr_test_elb" {
  name               = "terraform-test-elb"
  availability_zones = ["us-east-1a"]

  # Deliver access logs to the S3 bucket every 60 minutes (5 or 60 are the only valid intervals).
  access_logs {
    bucket   = aws_s3_bucket.elb_test_bucket.id
    interval = 60
    enabled  = true
  }

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:8000/"
    interval            = 30
  }

  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400

  tags = {
    Name = "foobar-terraform-elb"
  }
}

# aws_lb example (network load balancer; the same access_logs block applies to an
# application load balancer). A network load balancer logs only TLS listener traffic.
resource "aws_lb" "tr_test_lb_network_1" {
  name               = "lb"
  internal           = true
  load_balancer_type = "network"
  subnets            = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]

  access_logs {
    bucket  = aws_s3_bucket.elb_test_bucket.id
    enabled = true
  }
}
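Both examples reference an aws_s3_bucket.elb_test_bucket that the page does not define, and enabling access_logs only succeeds when that bucket's policy lets the load balancer service write to it. The following is an added example, not part of the Snyk rule or the Terraform provider documentation, of a log bucket and bucket policy that satisfy both the classic ELB/ALB delivery path (the regional Elastic Load Balancing account) and the NLB delivery path (the delivery.logs.amazonaws.com service principal). The bucket name, the resource and statement names, and the use of the caller's own account ID in the log prefix are assumptions for illustration.

```hcl
# Added example: S3 log bucket plus the bucket policy that ELB access logging requires.
# Names and the bucket naming scheme are assumptions, not values from the rule page.

data "aws_caller_identity" "current" {}

# Regional Elastic Load Balancing account that writes classic ELB and ALB access logs.
data "aws_elb_service_account" "main" {}

resource "aws_s3_bucket" "elb_test_bucket" {
  # Bucket names are global; suffix with the account ID to avoid collisions (assumed scheme).
  bucket = "example-elb-access-logs-${data.aws_caller_identity.current.account_id}"
}

# Access logs contain client IPs and request paths, so block every form of public access.
resource "aws_s3_bucket_public_access_block" "elb_test_bucket" {
  bucket                  = aws_s3_bucket.elb_test_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "elb_logs" {
  # Classic ELB and ALB: the regional ELB account writes under AWSLogs/<account-id>/.
  statement {
    sid    = "AllowELBServiceAccountWrite"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.elb_test_bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
  }

  # NLB: logs are delivered by the log delivery service, which must hand object ownership
  # to the bucket owner, hence the bucket-owner-full-control ACL condition.
  statement {
    sid    = "AllowLogDeliveryWrite"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.elb_test_bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  # The log delivery service also checks the bucket ACL before it starts writing.
  statement {
    sid    = "AllowLogDeliveryAclCheck"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.elb_test_bucket.arn]
  }
}

resource "aws_s3_bucket_policy" "elb_logs" {
  bucket = aws_s3_bucket.elb_test_bucket.id
  policy = data.aws_iam_policy_document.elb_logs.json
}
```

Referencing aws_s3_bucket.elb_test_bucket.id from the load balancer's access_logs block only orders the load balancer after the bucket itself, not after the bucket policy, so on a fresh apply the attribute update can race the policy and fail with an access-denied error from Elastic Load Balancing. Add `depends_on = [aws_s3_bucket_policy.elb_logs]` to the aws_elb or aws_lb resource to force the policy to be attached first. After the first delivery, confirm that objects are appearing under AWSLogs/<account-id>/elasticloadbalancing/ in the bucket; an enabled flag with an empty prefix usually means the policy is wrong or, for a network load balancer, that there is no TLS listener to log.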