Traceability Loss - AWS
Need
Enhancement of traceability and logging in AWS instances
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of aws-sdk for interacting with AWS services and resources
Description
Non compliant code
resource "aws_instance" "example" {
ami = "ami-0c94855ba95c574c8"
instance_type = "t2.micro"
tags = {
Name = "example-instance"
}
}
resource "aws_elb" "example" {
name = "example-elb"
availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
listener {
instance_port = 80
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
}
resource "aws_s3_bucket" "bucket" {
bucket = "bucket"
acl = "private"
}
In the above Terraform code, we are creating an AWS EC2 instance, an Elastic Load Balancer (ELB) and an S3 bucket. However, there is no logging enabled for any of these resources.
-
EC2 Instance: The EC2 instance is created using the
aws_instanceresource. Theamiandinstance_typeproperties are set, and a tag is assigned to the instance. However, there is no logging property set for this instance, which means that no log files are being created for this EC2 instance. -
ELB: The ELB is created using the
aws_elbresource. It is set to listen on port 80, and is associated with three availability zones. However, like the EC2 instance, there is no logging property set for this ELB. -
S3 Bucket: The S3 bucket is created using the
aws_s3_bucketresource. The bucket is set to private, but again, there is no logging enabled for this bucket.
The absence of logging in these resources means that it is impossible to identify and trace malicious actions or anomalous behaviors. In addition, even if logging was enabled, the log files do not have a detailed level of information, which limits their usefulness.
Steps
- Set the logging property for the EC2 instances to enable logging of activities and events.
- Configure the ELB to enable access logs, which will capture information about incoming requests.
- Enable server access logging for the S3 bucket to track access to the bucket and its objects.
Compliant code
resource "aws_instance" "example" {
ami = "ami-0c94855ba95c574c8"
instance_type = "t2.micro"
tags = {
Name = "example-instance"
}
monitoring = true
}
resource "aws_elb" "example" {
name = "example-elb"
availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
listener {
instance_port = 80
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
access_logs {
bucket = "my-access-logs-bucket"
enabled = true
}
}
resource "aws_s3_bucket" "bucket" {
bucket = "bucket"
acl = "private"
logging {
target_bucket = "my-log-bucket"
target_prefix = "log/"
}
}
The above code fixes the vulnerability by enabling logging for EC2, ELB, and S3 instances.
-
For the EC2 instance, the
monitoringproperty is set totrue. This enables detailed monitoring, which provides additional instance metrics and logs. -
For the ELB instance, the
access_logsblock is added. This block enables access logs for the load balancer and specifies the S3 bucket where the logs will be stored. -
For the S3 bucket, the
loggingblock is added. This block enables server access logging for the bucket. The logs are stored in the specified target bucket with the specified prefix.