Disabling logging of this component can lead to missing traceability in case of a security incident.
Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage enables them to quickly react to events, ranging from the most benign bugs to the most impactful security incidents, such as intrusions.
Apart from security detection, logging capabilities also directly influence future digital forensic analyses. For example, detailed logging will allow investigators to establish a timeline of the actions perpetrated by an attacker.
There is a risk if you answered yes to any of those questions.
Enable the logging capabilities of this component.
For Amazon S3 access requests:
resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
bucket = "mynoncompliantbucketname"
}
For Amazon API Gateway stages:
resource "aws_api_gateway_stage" "api-v1" { # Sensitive
deployment_id = aws_api_gateway_deployment.example.id
rest_api_id = aws_api_gateway_rest_api.example.id
stage_name = "v1-prod-api"
xray_tracing_enabled = false # Sensitive
}
For Amazon Neptune clusters:
resource "aws_neptune_cluster" "cluster" {
enable_cloudwatch_logs_exports = [] # Sensitive
}
For Amazon MSK broker logs:
resource "aws_msk_cluster" "sensitive_msk" {
cluster_name = "sensitive_msk"
logging_info {
broker_logs { # Sensitive
firehose {
enabled = false
}
s3 {
enabled = false
}
}
}
}
For Amazon MQ:
resource "aws_mq_broker" "broker" {
logs { # Sensitive
audit = false
general = false
}
}
For Amazon DocumentDB:
resource "aws_docdb_cluster" "docdb_omitting_logs" { # Sensitive
cluster_identifier = "DB Cluster Without Logs"
}
For Amazon Redshift:
resource "aws_redshift_cluster" "cluster" {
cluster_identifier = "redshift-cluster"
logging {
enable = false # Sensitive
}
}
For Amazon Global Accelerator:
resource "aws_globalaccelerator_accelerator" "accelerator" {
attributes {
flow_logs_enabled = false # Sensitive
flow_logs_s3_bucket = "example-bucket"
flow_logs_s3_prefix = "flow-logs/"
}
}
For Amazon OpenSearch service, or Amazon Elasticsearch service:
resource "aws_elasticsearch_domain" "domain" {
log_publishing_options {
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:1234:log-group:es-audit-logs"
log_type = "AUDIT_LOGS"
enabled = false # Sensitive
}
}
For Amazon CloudFront distributions:
resource "aws_cloudfront_distribution" "cloudfront_distribution" { # Sensitive
default_root_object = "index.html"
}
For both Amazon Classic Load Balancing and Application Load Balancing:
resource "aws_lb" "load_balancer" {
access_logs {
enabled = false # Sensitive
bucket = "mycompliantbucket"
bucket_prefix = "log/lb-"
}
}
For GCP Cloud Storage service:
resource "google_storage_bucket" "example" { # Sensitive
name = "example"
location = "US"
}
For GCP Region Backend Service:
resource "google_compute_region_backend_service" "example" { # Sensitive
name = "example"
region = "us-central1"
health_checks = [google_compute_region_health_check.region.id]
connection_draining_timeout_sec = 10
session_affinity = "CLIENT_IP"
load_balancing_scheme = "EXTERNAL"
protocol = "HTTPS"
}
For GCP VPC Subnetwork:
resource "google_compute_subnetwork" "example" { # Sensitive
name = "example"
ip_cidr_range = "10.2.0.0/16"
region = "us-central1"
network = google_compute_network.custom-test.id
}
For GCP SQL Database Instance:
resource "google_sql_database_instance" "example" {
name = "example"
database_version = "POSTGRES_11"
region = "us-central1"
settings { # Sensitive
tier = "db-f1-micro"
ip_configuration {
require_ssl = true
ipv4_enabled = true
}
}
}
For GCP Kubernetes Engine (GKE) cluster:
resource "google_container_cluster" "example" {
name = "example"
location = "us-central1-a"
initial_node_count = 3
logging_service = "none" # Sensitive
}
For Amazon S3 access requests:
resource "aws_s3_bucket" "myloggingbucket" {
bucket = "myloggingbucketname"
acl = "log-delivery-write"
}
resource "aws_s3_bucket" "mycompliantbucket" {
bucket = "mycompliantbucketname"
logging {
target_bucket = "myloggingbucketname"
target_prefix = "log/mycompliantbucket"
}
}
For Amazon API Gateway stages:
resource "aws_api_gateway_stage" "api-v1" {
deployment_id = aws_api_gateway_deployment.example.id
rest_api_id = aws_api_gateway_rest_api.example.id
stage_name = "v1-prod-api"
xray_tracing_enabled = true
access_log_settings {
destination_arn = "arn:aws:logs:eu-west-1:123456789:test"
format = "..."
}
}
For Amazon Neptune clusters:
resource "aws_neptune_cluster" "cluster" {
enable_cloudwatch_logs_exports = ["audit"]
}
For Amazon MSK broker logs:
resource "aws_msk_cluster" "sensitive_msk" {
cluster_name = "sensitive_msk"
logging_info {
broker_logs {
firehose {
enabled = false
}
s3 {
enabled = true
bucket = "myloggingbucketname"
prefix = "log/msk-"
}
}
}
}
For Amazon MQ enable audit or general:
resource "aws_mq_broker" "broker" {
logs {
audit = true
general = true
}
}
For Amazon DocumentDB:
resource "aws_docdb_cluster" "docdb_omitting_logs" {
cluster_identifier = "DB Cluster With Logs"
enabled_cloudwatch_logs_exports = ["audit"]
}
For Amazon Redshift:
resource "aws_redshift_cluster" "cluster" {
cluster_identifier = "compliant-redshift-cluster"
logging {
enable = true
bucket_name = "infra_logs"
s3_key_prefix = "log/redshift-"
}
}
For Amazon Global Accelerator:
resource "aws_globalaccelerator_accelerator" "accelerator" {
attributes {
flow_logs_enabled = true
flow_logs_s3_bucket = "example-bucket"
flow_logs_s3_prefix = "flow-logs/"
}
}
For Amazon OpenSearch service, or Amazon Elasticsearch service:
resource "aws_elasticsearch_domain" "domain" {
log_publishing_options {
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:1234:log-group:es-audit-logs"
log_type = "AUDIT_LOGS"
enabled = true
}
}
For Amazon CloudFront distributions:
resource "aws_cloudfront_distribution" "cloudfront_distribution" {
default_root_object = "index.html"
logging_config {
bucket = "mycompliantbucketname"
prefix = "log/cloudfront-"
}
}
For both Amazon Classic Load Balancing and Application Load Balancing:
resource "aws_lb" "load_balancer" {
access_logs {
enabled = true
bucket = "mycompliantbucket"
bucket_prefix = "log/lb-"
}
}
For GCP Cloud Storage service:
resource "google_storage_bucket" "example" {
name = "example"
location = "US"
logging {
log_bucket = google_storage_bucket.bucket-log.name
}
}
For GCP Region Backend Service:
resource "google_compute_region_backend_service" "example" {
name = "example"
region = "us-central1"
health_checks = [google_compute_region_health_check.region.id]
connection_draining_timeout_sec = 10
session_affinity = "CLIENT_IP"
load_balancing_scheme = "EXTERNAL"
protocol = "HTTPS"
log_config {
enable = true
}
}
For GCP VPC Subnetwork:
resource "google_compute_subnetwork" "example" {
name = "example"
ip_cidr_range = "10.2.0.0/16"
region = "us-central1"
network = google_compute_network.custom-test.id
log_config {
aggregation_interval = "INTERVAL_10_MIN"
flow_sampling = 0.5
metadata = "INCLUDE_ALL_METADATA"
}
}
For GCP SQL Database Instance:
resource "google_sql_database_instance" "example" {
name = "example"
database_version = "POSTGRES_11"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
require_ssl = true
ipv4_enabled = true
}
database_flags {
name = "log_connections"
value = "on"
}
database_flags {
name = "log_disconnections"
value = "on"
}
database_flags {
name = "log_checkpoints"
value = "on"
}
database_flags {
name = "log_lock_waits"
value = "on"
}
}
}
For GCP Kubernetes Engine (GKE) cluster:
resource "google_container_cluster" "example" {
name = "example"
location = "us-central1-a"
initial_node_count = 3
logging_service = "logging.googleapis.com/kubernetes"
}