Traceability Loss - AWS

Description

Some EC2, ELB or S3 resources do not have their logging property set, which prevents log files from being created. These files are needed to identify and trace malicious actions or anomalous behaviour. Alternatively, the log files that are produced do not have enough detail.

Impact

Perform harmful actions without raising an alert.

Recommendation

Set the logging property in all the EC2, ELB and S3 instances.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 3.1
    • Temporal: 2.8
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The resource has the logging property correctly configured

Resources:
  LoadBalancer1:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AccessLoggingPolicy:
        Enabled: true
        S3BucketName: bkname
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS

The resource has monitoring enabled

resource "aws_instance" "foo" {
  monitoring                  = true
  instance_type               = "t2.micro"
  disable_api_termination     = true
  associate_public_ip_address = false
  security_groups             = ["test"]
  iam_instance_profile        = "ami-005e54dee72cc1d00"

  network_interface {
    network_interface_id = aws_network_interface.foo.id
    device_index         = 0
  }
  credit_specification {
    cpu_credits = "unlimited"
  }
}

The resource has multiregion property enabled

resource "aws_cloudtrail" "foobar" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = aws_s3_bucket.foo.id
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
  is_multi_region_trail         = true
}

Non compliant code

The resource does not have the logging property set

Resources:
  LoadBalancer1:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AccessLoggingPolicy:
        Enabled: false
        S3BucketName: bkname
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS

The resource has monitoring disabled

resource "aws_instance" "foo" {
  monitoring                  = false
  instance_type               = "t2.micro"
  disable_api_termination     = true
  associate_public_ip_address = false
  security_groups             = ["test"]
  iam_instance_profile        = "ami-005e54dee72cc1d00"

  network_interface {
    network_interface_id = aws_network_interface.foo.id
    device_index         = 0
  }
  credit_specification {
    cpu_credits = "unlimited"
  }
}

The resource does not have multiregion property enabled

resource "aws_cloudtrail" "foobar" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = aws_s3_bucket.foo.id
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
  is_multi_region_trail         = false
}
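The three compliant/non-compliant pairs above each hinge on a single flag: AccessLoggingPolicy.Enabled on a classic ELB, monitoring on an aws_instance, and is_multi_region_trail on an aws_cloudtrail. The following script is an added example (not part of this page or of any Fluid Attacks tooling) that scans for those flags in both formats so the finding can be caught before deployment. The CloudFormation template is handled as a parsed dict (the JSON form of the YAML above), and the Terraform snippets are embedded as a constructed string; the tiny HCL scanner only reads top-level key = value pairs and counts braces, which is enough for these resources but is an assumption, not a full HCL parser.

```python
import re

# Constructed sample: the page's non-compliant ELB as a parsed CloudFormation
# template, plus a second load balancer with no AccessLoggingPolicy at all.
CFN_TEMPLATE = {
    "Resources": {
        "LoadBalancer1": {
            "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties": {
                "AccessLoggingPolicy": {"Enabled": False, "S3BucketName": "bkname"},
                "Listeners": [{"InstancePort": "80", "InstanceProtocol": "HTTP",
                               "LoadBalancerPort": "443", "Protocol": "HTTPS"}],
            },
        },
        "LoadBalancer2": {
            "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties": {"Listeners": []},
        },
    }
}

# Constructed sample: the page's Terraform snippets, one failing and one passing.
TF_CONFIG = '''
resource "aws_instance" "foo" {
  monitoring    = false
  instance_type = "t2.micro"

  network_interface {
    network_interface_id = aws_network_interface.foo.id
    device_index         = 0
  }
}

resource "aws_cloudtrail" "foobar" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = aws_s3_bucket.foo.id
  include_global_service_events = false
  is_multi_region_trail         = true
}
'''

# Attribute that must be literally `true` for each resource type to be compliant.
REQUIRED_TRUE = {
    "aws_instance": "monitoring",
    "aws_cloudtrail": "is_multi_region_trail",
}


def check_cloudformation(template):
    """Return logical IDs of classic ELBs whose access logging is not enabled."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ElasticLoadBalancing::LoadBalancer":
            continue
        policy = res.get("Properties", {}).get("AccessLoggingPolicy", {})
        # A missing policy block behaves the same as Enabled: false.
        if policy.get("Enabled") is not True:
            findings.append(logical_id)
    return findings


def _top_level_attrs(body):
    """Collect `key = value` pairs at nesting depth 0 of one HCL block body."""
    attrs = {}
    depth = 0
    for line in body.splitlines():
        stripped = line.strip()
        if depth == 0:
            m = re.match(r'^(\w+)\s*=\s*(.+?)\s*$', stripped)
            if m:
                attrs[m.group(1)] = m.group(2)
        # Nested blocks (network_interface {...}) are skipped, not parsed.
        depth += stripped.count("{") - stripped.count("}")
    return attrs


def check_terraform(hcl):
    """Return 'type.name' for each resource whose required flag is not `true`."""
    findings = []
    for m in re.finditer(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{', hcl):
        rtype, rname = m.group(1), m.group(2)
        # Walk from the opening brace to its matching close (braces in
        # string literals are not handled; assumption for this example).
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        body = hcl[m.end():i - 1]
        attr = REQUIRED_TRUE.get(rtype)
        if attr and _top_level_attrs(body).get(attr) != "true":
            findings.append(f"{rtype}.{rname}")
    return findings


if __name__ == "__main__":
    print("CloudFormation findings:", check_cloudformation(CFN_TEMPLATE))
    print("Terraform findings:", check_terraform(TF_CONFIG))
```

Run against the samples it reports both load balancers and aws_instance.foo, while the multi-region trail passes. To use it on real files, load a JSON-formatted template with json.load and read .tf files into a string; an absent attribute is treated as a failure on purpose, since the AWS defaults for these flags are off.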

Using the AWS CLI, the following command checks whether S3 Server Access Logging is enabled for a given bucket

$ aws s3api get-bucket-logging --bucket {bucket_name}

If the command does not return any output, the access logging feature is not currently enabled for the selected bucket.
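The empty-output convention above is easy to mishandle in an audit script, so here is an added example (not from this page or the AWS CLI) that interprets the command's output for several buckets at once. The outputs are constructed strings in the shape get-bucket-logging prints; the bucket names are hypothetical. Beyond the page's enabled/disabled distinction it also flags a bucket that logs into itself, since every log write is then itself a logged request and the bucket grows on its own.

```python
import json

# Constructed sample: captured stdout of
#   aws s3api get-bucket-logging --bucket <name>
# for three hypothetical buckets. "" models the no-output case.
CLI_OUTPUTS = {
    "app-assets": '{"LoggingEnabled": {"TargetBucket": "central-logs", '
                  '"TargetPrefix": "app-assets/"}}',
    "backups": "",
    "self-logged": '{"LoggingEnabled": {"TargetBucket": "self-logged", '
                   '"TargetPrefix": "logs/"}}',
}


def parse_bucket_logging(cli_output):
    """Return the LoggingEnabled object, or None when logging is off."""
    if not cli_output.strip():
        # No output at all is how the CLI reports a bucket without logging.
        return None
    return json.loads(cli_output).get("LoggingEnabled")


def assess_bucket(name, cli_output):
    """Classify one bucket as 'disabled', 'logs-to-self' or 'ok'."""
    logging_cfg = parse_bucket_logging(cli_output)
    if logging_cfg is None:
        return "disabled"
    # Access logs should land in a dedicated bucket, not the source bucket.
    if logging_cfg.get("TargetBucket") == name:
        return "logs-to-self"
    return "ok"


def audit(outputs):
    """Map bucket name -> status; anything other than 'ok' is a finding."""
    return {name: assess_bucket(name, out) for name, out in outputs.items()}


def findings(outputs):
    """Only the buckets that need remediation."""
    return {n: s for n, s in audit(outputs).items() if s != "ok"}


if __name__ == "__main__":
    for bucket, status in audit(CLI_OUTPUTS).items():
        print(f"{bucket}: {status}")
```

In a real run the dict would be filled by invoking the command once per bucket from aws s3api list-buckets and capturing stdout; keeping the parsing in its own function makes the empty-output case testable without AWS credentials.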

Requirements