Disabling logging for this component can lead to a loss of traceability in the event of a security incident.

Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage enables them to quickly react to events, ranging from the most benign bugs to the most impactful security incidents, such as intrusions.

Apart from security detection, logging capabilities also directly influence future digital forensic analyses. For example, detailed logging will allow investigators to establish a timeline of the actions perpetrated by an attacker.

Ask Yourself Whether

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Enable the logging capabilities of this component.

Sensitive Code Example

For Amazon S3 access requests:

# Server access logging is not configured: the bucket declares no `logging`
# block, so requests made to it leave no access-log trail.
resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
  bucket = "mynoncompliantbucketname"
}

For Amazon API Gateway stages:

# Neither access logging nor tracing is enabled for this stage: there is no
# `access_log_settings` block and X-Ray tracing is explicitly turned off.
resource "aws_api_gateway_stage" "api-v1" { # Sensitive
  deployment_id = aws_api_gateway_deployment.example.id
  rest_api_id   = aws_api_gateway_rest_api.example.id
  stage_name    = "v1-prod-api"
  xray_tracing_enabled = false # Sensitive
}

For Amazon Neptune clusters:

# An empty export list means no log type (for example "audit") is sent to
# CloudWatch Logs for this cluster.
resource "aws_neptune_cluster" "cluster" {
  enable_cloudwatch_logs_exports = []  # Sensitive
}

For Amazon MSK broker logs:

# Both broker log destinations (Firehose and S3) are disabled, so no broker
# logs are delivered anywhere.
resource "aws_msk_cluster" "sensitive_msk" {
  cluster_name = "sensitive_msk"
  logging_info {
    broker_logs { # Sensitive
      firehose {
        enabled = false
      }
      s3 {
        enabled = false
      }
    }
  }
}

For Amazon MQ:

# Both audit and general logging are turned off, so the broker records
# neither administrative actions nor general activity.
resource "aws_mq_broker" "broker" {
  logs {  # Sensitive
    audit = false
    general = false
  }
}

For Amazon DocumentDB:

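# No `enabled_cloudwatch_logs_exports` is set, so no log type is exported to
# CloudWatch Logs for this cluster.
resource "aws_docdb_cluster" "docdb_omitting_logs" { # Sensitive
  # Constructed sample identifier: DocumentDB cluster identifiers accept only
  # lowercase letters, digits and hyphens, so the original value containing
  # spaces was not a valid identifier.
  cluster_identifier = "db-cluster-without-logs"
}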

For Amazon Redshift:

# Audit logging is explicitly disabled: the `logging` block exists but
# `enable = false`, and no destination bucket is configured.
resource "aws_redshift_cluster" "cluster" {
  cluster_identifier = "redshift-cluster"

  logging {
    enable = false # Sensitive
  }
}

For Amazon Global Accelerator:

# A flow-log destination (bucket and prefix) is configured, but flow logging
# itself is disabled, so no flow logs are produced for this accelerator.
resource "aws_globalaccelerator_accelerator" "accelerator" {
  attributes {
    flow_logs_enabled   = false  # Sensitive
    flow_logs_s3_bucket = "example-bucket"
    flow_logs_s3_prefix = "flow-logs/"
  }
}

For Amazon OpenSearch service, or Amazon Elasticsearch service:

# Publishing of the AUDIT_LOGS log type is disabled: a CloudWatch log group is
# named, but `enabled = false` means nothing is published to it.
resource "aws_elasticsearch_domain" "domain" {
  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:1234:log-group:es-audit-logs"
    log_type = "AUDIT_LOGS"
    enabled = false # Sensitive
  }
}

For Amazon CloudFront distributions:

# The distribution declares no `logging_config` block, so viewer requests are
# not recorded in any access log.
resource "aws_cloudfront_distribution" "cloudfront_distribution" { # Sensitive
  default_root_object = "index.html"
}

For both Amazon Classic Load Balancing and Application Load Balancing:

# Access logging is explicitly disabled: a bucket and prefix are set, but
# `enabled = false` means no access logs are delivered to them.
resource "aws_lb" "load_balancer" {
  access_logs {
    enabled = false # Sensitive
    bucket = "mycompliantbucket"
    bucket_prefix = "log/lb-"
  }
}

Compliant Solution

For Amazon S3 access requests:

# Destination bucket that receives the access logs of other buckets.
# `log-delivery-write` is the canned ACL that lets S3 deliver logs into it.
resource "aws_s3_bucket" "myloggingbucket" {
  bucket = "myloggingbucketname"
  acl    = "log-delivery-write"
}

# Access requests to this bucket are recorded in the "myloggingbucketname"
# bucket under the "log/mycompliantbucket" key prefix.
resource "aws_s3_bucket" "mycompliantbucket" {
  bucket = "mycompliantbucketname"

  # Server access logging: where delivered log objects are written.
  logging {
    target_bucket = "myloggingbucketname"
    target_prefix = "log/mycompliantbucket"
  }
}

For Amazon API Gateway stages:

# Stage with both X-Ray tracing and access logging enabled.
resource "aws_api_gateway_stage" "api-v1" {
  deployment_id        = aws_api_gateway_deployment.example.id
  rest_api_id          = aws_api_gateway_rest_api.example.id
  stage_name           = "v1-prod-api"
  xray_tracing_enabled = true

  # Access logs for this stage are sent to the CloudWatch destination in
  # destination_arn; "..." stands in for the access-log format string.
  access_log_settings {
    destination_arn = "arn:aws:logs:eu-west-1:123456789:test"
    format          = "..."
  }
}

For Amazon Neptune clusters:

# Export the "audit" log type to CloudWatch Logs for this cluster.
resource "aws_neptune_cluster" "cluster" {
  enable_cloudwatch_logs_exports = ["audit"]
}

For Amazon MSK broker logs:

# Broker logs are delivered to S3; the Firehose destination stays disabled.
# Enabling at least one destination is what makes this configuration compliant.
resource "aws_msk_cluster" "sensitive_msk" {
  cluster_name = "sensitive_msk"

  logging_info {
    broker_logs {
      # Destination bucket and key prefix for the broker logs.
      s3 {
        enabled = true
        bucket  = "myloggingbucketname"
        prefix  = "log/msk-"
      }
      firehose {
        enabled = false
      }
    }
  }
}

For Amazon MQ, enable audit or general logs:

# Both audit and general logging enabled; enabling either one is sufficient
# to address the issue.
resource "aws_mq_broker" "broker" {
  logs {
    audit = true
    general = true
  }
}

For Amazon DocumentDB:

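# Same resource label as the sensitive example; only the configuration differs.
resource "aws_docdb_cluster" "docdb_omitting_logs" {
  # Constructed sample identifier: DocumentDB cluster identifiers accept only
  # lowercase letters, digits and hyphens, so the original value containing
  # spaces was not a valid identifier.
  cluster_identifier              = "db-cluster-with-logs"
  # Export the "audit" log type to CloudWatch Logs.
  enabled_cloudwatch_logs_exports = ["audit"]
}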

For Amazon Redshift:

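resource "aws_redshift_cluster" "cluster" {
  cluster_identifier = "compliant-redshift-cluster"

  # Audit logging to S3. Bucket names may contain only lowercase letters,
  # digits, dots and hyphens, so the underscore in the original "infra_logs"
  # did not name a valid bucket (constructed sample value).
  logging {
    enable        = true
    bucket_name   = "infra-logs"
    s3_key_prefix = "log/redshift-"
  }
}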

For Amazon Global Accelerator:

# Flow logging enabled, with the S3 bucket and prefix receiving the logs.
resource "aws_globalaccelerator_accelerator" "accelerator" {
  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = "example-bucket"
    flow_logs_s3_prefix = "flow-logs/"
  }
}

For Amazon OpenSearch service, or Amazon Elasticsearch service:

# Publishing of the AUDIT_LOGS log type to the named CloudWatch log group is
# enabled.
resource "aws_elasticsearch_domain" "domain" {
  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:1234:log-group:es-audit-logs"
    log_type = "AUDIT_LOGS"
    enabled = true
  }
}

For Amazon CloudFront distributions:

# Access logging configured through `logging_config`: viewer requests are
# written to the given bucket under the "log/cloudfront-" prefix.
resource "aws_cloudfront_distribution" "cloudfront_distribution" {
  default_root_object = "index.html"
  logging_config {
    bucket          = "mycompliantbucketname"
    prefix          = "log/cloudfront-"
  }
}

For both Amazon Classic Load Balancing and Application Load Balancing:

# Access logging enabled; logs are delivered to the configured bucket and
# key prefix.
resource "aws_lb" "load_balancer" {
  access_logs {
    enabled = true
    bucket = "mycompliantbucket"
    bucket_prefix = "log/lb-"
  }
}

See