Disabling or omitting logging for cloud resources prevents operational and security teams from detecting and investigating security incidents.

Why is this an issue?

Logging provides operational and security teams with a real-time feed of events from the information system. When logging is disabled or not configured for a cloud resource, security incidents can go undetected and leave no forensic trail for investigators. This rule raises an issue when a cloud resource that is essential to the infrastructure — such as a storage bucket, database, load balancer, or API gateway — has logging explicitly disabled or omitted.

What is the potential impact?

Without logs, security teams lose the ability to detect and respond to intrusions in real time. In the event of an incident, investigators cannot reconstruct a timeline of attacker activity, making it impossible to determine the scope of a breach, identify compromised data, or attribute actions to a specific actor.

How to fix it in AWS

Code examples

The following code is vulnerable because logging is not enabled for the resource, which prevents security and operational teams from detecting and investigating incidents.

Noncompliant code example

For Amazon S3 access requests:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Noncompliant
    Properties:
      BucketName: "mynoncompliantbucket"

For Amazon API Gateway stages:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Prod: # Noncompliant
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: false # Noncompliant

Compliant solution

For Amazon S3 access requests:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantbucket"
      LoggingConfiguration:
        DestinationBucketName: !Ref S3LoggingBucket
        LogFilePrefix: testing-logs
  S3LoggingBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3LoggingBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:PutObject'
            Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3LoggingBucket
                - /*
            Condition:
              ArnLike:
                'aws:SourceArn': !GetAtt
                  - S3Bucket
                  - Arn
              StringEquals:
                'aws:SourceAccount': !Sub '${AWS::AccountId}'

For Amazon API Gateway stages:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: true
      AccessLogSetting:
        DestinationArn: "arn:aws:logs:eu-west-1:123456789:test"
        Format: "..."
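As an added illustration, not part of the rule description or of SonarSource's analyzer: a small Python check that applies this rule's logic to a parsed CloudFormation template (the JSON form, with intrinsic functions represented as {"Ref": ...} maps; the template below is constructed, reusing names and values from the examples above). It flags S3 buckets without a LoggingConfiguration, buckets whose log destination is not defined in the template, and API Gateway stages without an AccessLogSetting or with TracingEnabled set to false. A bucket that receives another bucket's access logs is exempt, matching the compliant solution in which S3LoggingBucket itself carries no LoggingConfiguration.

```python
# Constructed CloudFormation template in JSON form (intrinsics as {"Ref": ...} maps).
TEMPLATE = {"Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket",
                 "Properties": {"BucketName": "mynoncompliantbucket"}},
    "LoggedBucket": {"Type": "AWS::S3::Bucket", "Properties": {"LoggingConfiguration": {
        "DestinationBucketName": {"Ref": "S3LoggingBucket"}, "LogFilePrefix": "testing-logs"}}},
    "S3LoggingBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Orphan": {"Type": "AWS::S3::Bucket", "Properties": {"LoggingConfiguration": {
        "DestinationBucketName": {"Ref": "MissingBucket"}}}},
    "Prod": {"Type": "AWS::ApiGateway::Stage",
             "Properties": {"StageName": "Prod", "TracingEnabled": False}},
    "Staging": {"Type": "AWS::ApiGateway::Stage", "Properties": {"TracingEnabled": True,
        "AccessLogSetting": {"DestinationArn": "arn:aws:logs:eu-west-1:123456789:test"}}},
}}


def _log_destination(resource):
    """DestinationBucketName of an S3 bucket resource's LoggingConfiguration, or None."""
    props = resource.get("Properties") or {}
    return (props.get("LoggingConfiguration") or {}).get("DestinationBucketName")


def find_logging_issues(template):
    """Return (resource name, message) pairs for resources with logging disabled or omitted."""
    resources = template.get("Resources", {})
    # Buckets that receive another bucket's access logs are exempt, matching the
    # compliant solution: the log bucket itself carries no LoggingConfiguration,
    # because logging it into itself would record every log delivery as an event.
    exempt = set()
    for res in resources.values():
        dest = _log_destination(res) if res.get("Type") == "AWS::S3::Bucket" else None
        if isinstance(dest, dict) and "Ref" in dest:
            exempt.add(dest["Ref"])
    findings = []
    for name, res in resources.items():
        props = res.get("Properties") or {}
        if res.get("Type") == "AWS::S3::Bucket" and name not in exempt:
            dest = _log_destination(res)
            if not dest:
                findings.append((name, "S3 bucket has no LoggingConfiguration"))
            elif isinstance(dest, dict) and dest.get("Ref") not in resources:
                findings.append((name, "log destination bucket is not defined in this template"))
        elif res.get("Type") == "AWS::ApiGateway::Stage":
            if not (props.get("AccessLogSetting") or {}).get("DestinationArn"):
                findings.append((name, "API Gateway stage has no AccessLogSetting"))
            if props.get("TracingEnabled") is False:
                findings.append((name, "API Gateway stage has TracingEnabled: false"))
    return findings
```

Calling find_logging_issues(TEMPLATE) reports S3Bucket, Orphan and Prod (twice) while LoggedBucket, S3LoggingBucket and Staging pass; a YAML template would first need to be loaded with a parser that maps the !Ref and !GetAtt short forms to the same dict shape.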
