Disabling logging of this component can lead to missing traceability in case of a security incident.

Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage enables them to quickly react to events, ranging from the most benign bugs to the most impactful security incidents, such as intrusions.

Apart from security detection, logging capabilities also directly influence future digital forensic analyses. For example, detailed logging will allow investigators to establish a timeline of the actions perpetrated by an attacker.

Ask Yourself Whether

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Enable the logging capabilities of this component. Depending on the component, the destination that stores the logs might require additional permissions.
You should consult the official documentation to enable logging for the impacted components. For example, AWS Application Load Balancer Access Logs require an additional bucket policy.

Sensitive Code Example

For Amazon S3 access requests:

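# Sensitive: the bucket has no LoggingConfiguration, so S3 server access
# requests against it are recorded nowhere and cannot be reconstructed after
# an incident.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties:
      BucketName: "mynoncompliantbucket"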

For Amazon API Gateway stages:

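# Sensitive: the stage has no AccessLogSetting, so requests served by it leave
# no access log. TracingEnabled governs X-Ray tracing, a separate capability
# that is also switched off here. Required properties such as RestApiId are
# omitted for brevity.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  Prod: # Sensitive
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: false # Sensitive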

For Amazon Neptune clusters:

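# Sensitive: an empty EnableCloudwatchLogsExports list exports no log type at
# all, so the cluster's audit log never reaches CloudWatch Logs.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      EnableCloudwatchLogsExports: []  # Sensitive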

For Amazon MSK broker logs:

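# Sensitive: both broker-log destinations are declared but disabled, so broker
# logs are delivered nowhere. CWLG and DS stand in for a real log group name and
# delivery stream name.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  SensitiveCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: Sensitive Cluster
      LoggingInfo:
        BrokerLogs: # Sensitive
          CloudWatchLogs:
            Enabled: false
            LogGroup: CWLG
          Firehose:
            DeliveryStream: DS
            Enabled: false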

For Amazon DocDB:

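# Sensitive: EnableCloudwatchLogsExports is absent, so neither the audit nor the
# profiler log of this cluster is exported to CloudWatch Logs.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DocDBOmittingLogs: # Sensitive
    Type: "AWS::DocDB::DBCluster"
    Properties:
      DBClusterIdentifier: "DB Without Logs"  # no space before ':' (yamllint 'colons')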

For Amazon MQ:

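# Sensitive: both broker log categories are disabled. Audit covers management
# actions on the broker, General covers broker operation; with neither enabled
# there is no trace of who administered or used the broker.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      Logs:  # Sensitive
        Audit: false
        General: false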

For Amazon Redshift:

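# Sensitive: LoggingProperties is absent, so connection attempts, user
# activity and queries against the cluster are not written to S3 as audit logs.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  ClusterOmittingLogging: # Sensitive
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "Redshift Warehouse Cluster"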

For Amazon OpenSearch service or Amazon Elasticsearch service:

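# Sensitive: only application and index-slow logs are published. The AUDIT_LOGS
# category, which records authentication and authorization events on the
# domain, is not configured, so access to the data is not traceable.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: 'AWS::OpenSearchService::Domain'
    Properties:
      LogPublishingOptions: # Sensitive
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-application-logs'
          Enabled: true
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-index-slow-logs'
          Enabled: true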

For Amazon CloudFront distributions:

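# Sensitive: DistributionConfig carries no Logging block, so viewer requests to
# this distribution leave no standard access log. The other required members of
# DistributionConfig are omitted for brevity.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  CloudFrontDistribution: # Sensitive
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultRootObject: "index.html"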

For Amazon Elastic Load Balancing:

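# Sensitive: AccessLoggingPolicy is present but disabled, so client requests
# handled by the load balancer are not written to S3. Indentation normalized to
# two spaces per level.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AccessLoggingPolicy:
        Enabled: false # Sensitive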

For Amazon Elastic Load Balancing (v2):

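# Sensitive: access_logs.s3.enabled is "false", so requests through this load
# balancer leave no access log. LoadBalancerAttributes values are strings, so
# the flag is quoted to keep the YAML parser from turning it into a boolean.
# Indentation normalized to two spaces per level.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: NoncompliantLoadBalancer  # renamed: the previous "CompliantLoadBalancer" misdescribed this example
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          Value: "false" # Sensitive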

Compliant Solution

For Amazon S3 access requests:

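# Compliant: server access logs for S3Bucket are delivered to S3BucketLogs.
# LogDeliveryWrite is the ACL-based grant; on a bucket where ACLs are disabled
# (Object Ownership set to bucket owner enforced) grant the S3 logging service
# principal through a bucket policy instead.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      AccessControl: LogDeliveryWrite  # lets the S3 log delivery group write into this bucket

  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantbucket"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3BucketLogs  # keep logs out of the bucket being logged
        LogFilePrefix: testing-logs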

For Amazon API Gateway stages:

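# Compliant: AccessLogSetting writes one entry per request to the destination
# named by DestinationArn (a CloudWatch Logs log group or a Kinesis Data
# Firehose delivery stream). The ARN below is a sample and "..." stands for the
# access log format string.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: true  # X-Ray tracing; complements, but does not replace, access logging
      AccessLogSetting:
        DestinationArn: "arn:aws:logs:eu-west-1:123456789:test"
        Format: "..."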

For Amazon Neptune clusters:

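# Compliant: the audit log type is exported, so database access on the cluster
# is delivered to CloudWatch Logs.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      EnableCloudwatchLogsExports: ["audit"]  # flow style is fine for a one-item leaf list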

For Amazon MSK broker logs:

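# Compliant: broker logs are delivered to both a Firehose stream and an S3
# bucket; one enabled destination is enough for the rule. DS and the bucket name
# are placeholders for resources the cluster is allowed to write to. The
# resource is renamed from SensitiveCluster to match the other compliant
# examples.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  CompliantCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      ClusterName: Compliant Cluster
      LoggingInfo:
        BrokerLogs:
          Firehose:
            DeliveryStream: DS
            Enabled: true
          S3:
            Bucket: "Broker Logs"  # placeholder; a real bucket name has no spaces
            Enabled: true
            Prefix: "logs/msk-brokers-"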

For Amazon DocDB:

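# Compliant: the audit log type is exported to CloudWatch Logs. The profiler log
# type can be listed alongside it to capture slow operations as well.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DocDBWithLogs:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      DBClusterIdentifier: "DB With Logs"  # no space before ':' (yamllint 'colons')
      EnableCloudwatchLogsExports:
        - audit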

For Amazon MQ, enable Audit or General logging:

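# Compliant: both broker log categories are on. Audit logging is only offered
# for ActiveMQ brokers; for engines without it, General is the category to keep
# enabled.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      Logs:
        Audit: true
        General: true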

For Amazon Redshift:

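# Compliant: LoggingProperties turns on audit logging to S3. The target bucket
# must grant Redshift write access through its bucket policy; the bucket name
# below is a placeholder (real names contain no spaces).
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  CompliantCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      DBName: "Redshift Warehouse Cluster"
      LoggingProperties:
        BucketName: "Infra Logs"
        S3KeyPrefix: "log/redshift-"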

For Amazon OpenSearch service or Amazon Elasticsearch service:

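# Compliant: AUDIT_LOGS is published to CloudWatch Logs, recording
# authentication and authorization events on the domain. Audit logs require
# fine-grained access control to be enabled on the domain. The log group ARN is
# a sample value.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: 'AWS::OpenSearchService::Domain'
    Properties:
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-audit-logs'
          Enabled: true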

For Amazon CloudFront distributions:

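# Compliant: the Logging block delivers standard access logs to an S3 bucket.
# Logging.Bucket expects the bucket's domain name, not its bare name, so the
# example was corrected to the "<bucket>.s3.amazonaws.com" form. Standard
# logging writes via ACL, so the target bucket must have ACLs enabled. The
# other required members of DistributionConfig are omitted for brevity.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultRootObject: "index.html"
        Logging:
          Bucket: "mycompliantbucket.s3.amazonaws.com"
          Prefix: "log/cloudfront-"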

For Amazon Elastic Load Balancing:

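# Compliant: access logging is enabled and delivered to S3. The bucket policy
# must allow Elastic Load Balancing to write under the given prefix.
# Indentation normalized to two spaces per level; the bucket name is quoted
# like the other examples.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AccessLoggingPolicy:
        Enabled: true
        S3BucketName: "mycompliantbucket"
        S3BucketPrefix: "log/loadbalancer-"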

For Amazon Elastic Load Balancing (v2):

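# Compliant: access_logs.s3.enabled is "true" and a bucket and prefix are set.
# LoadBalancerAttributes values are strings, so the flag is quoted to keep the
# YAML parser from turning it into a boolean. The bucket policy must allow
# Elastic Load Balancing to write under the prefix. Indentation normalized to
# two spaces per level.
AWSTemplateFormatVersion: "2010-09-09"  # quoted: YAML 1.1 loaders read the bare value as a date
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: CompliantLoadBalancer
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          Value: "true"
        - Key: "access_logs.s3.bucket"
          Value: "mycompliantbucket"
        - Key: "access_logs.s3.prefix"
          Value: "log/elbv2-"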

See