Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Logging/ Configuration
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
AWS-Well-ArchitectedCIS-ControlsHIPAAISO-27001NIST-800-53SOC-2
- Snyk IDSNYK-CC-00113
- creditSnyk Research Team
Description
Access logging should be enabled in order to analyze statistics, diagnose issues, and retain data for regulatory or legal purposes.
How to fix?
Configure an access_logs block with the enabled attribute set to true.
Example Configuration
# aws_elb example
resource "aws_elb" "tr_test_elb" {
name = "terraform-test-elb"
availability_zones = ["us-east-1a"]
access_logs {
bucket = "${aws_s3_bucket.elb_test_bucket.id}"
interval = 60
enabled = true
}
listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
health_check {
healthy_threshold = 2
unhealthy_threshold = 2
timeout = 3
target = "HTTP:8000/"
interval = 30
}
cross_zone_load_balancing = true
idle_timeout = 400
connection_draining = true
connection_draining_timeout = 400
tags = {
Name = "foobar-terraform-elb"
}
}
# aws_lb example
resource "aws_lb" "tr_test_lb_network_1" {
name = "lb"
internal = true
load_balancer_type = "network"
subnets = ["${aws_subnet.subnet1.id}", "${aws_subnet.subnet2.id}"]
access_logs {
bucket = "${aws_s3_bucket.elb_test_bucket.id}"
enabled = true
}
}