Enable ALB Elastic Load Balancer v2 (ELBv2) access log

ELBv2 ALBs should have have access log enabled to capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

Risk Level: Low
Cloud Entity: Application Load Balancer
CloudGuard Rule ID: D9.AWS.LOG.15
Category: Networking & Content Delivery


ApplicationLoadBalancer should not have attributes contain [ key='access_logs.s3.enabled' and value='false' ]


From Portal

  1. Sign into the AWS console
  2. In the console, select the specific region
  3. Navigate to EC2 dashboard
  4. Click 'Load Balancers' (Left Panel)
  5. Select the reported ELB
  6. Click 'Actions' drop-down
  7. Click 'Edit attributes'
  8. In the 'Edit load balancer attributes' popup box, select 'Enable' for 'Access logs' and configure S3 location where you want to store ELB logs

From TF

resource "aws_lb" "test" {
	name = "test_lb"
	+ access_logs {
		+   bucket  = aws_s3_bucket
		+   prefix  = "test-lb"
		+   enabled = true
	+ }

From Command Line
To enable access logs for your load balancer:

aws elb modify-load-balancer-attributes --load-balancer-name LOAD_BALANCER_NAME --load-balancer-attributes file://my-json-file.json


  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-load-balancer-attributes.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb

Application Load Balancer

An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5