Disabling or omitting logging for cloud resources prevents operational and security teams from detecting and investigating security incidents.

Why is this an issue?

Logging provides operational and security teams with a real-time feed of events from the information system. When logging is disabled or not configured for a cloud resource, security incidents can go undetected and leave no forensic trail for investigators. This rule raises an issue when a cloud resource that is essential to the infrastructure — such as a storage bucket, database, load balancer, or API gateway — has logging explicitly disabled or omitted.

What is the potential impact?

Without logs, security teams lose the ability to detect and respond to intrusions in real time. In the event of an incident, investigators cannot reconstruct a timeline of attacker activity, making it impossible to determine the scope of a breach, identify compromised data, or attribute actions to a specific actor.

How to fix it in AWS

Code examples

The following code is vulnerable because logging is not enabled for the resource, which prevents security and operational teams from detecting and investigating incidents.

Noncompliant code example

For Amazon S3 access requests:

resource "aws_s3_bucket" "example" { # Noncompliant
  bucket = "example"
}

For Amazon API Gateway stages:

resource "aws_api_gateway_stage" "example" { # Noncompliant
  xray_tracing_enabled = false # Noncompliant
}

Compliant solution

For Amazon S3 access requests:

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_logging" "example" {
  bucket = aws_s3_bucket.example.id

  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "testing-logs"
}

# Set up a logging bucket
resource "aws_s3_bucket" "logs" {
  bucket = "example_logstorage"
}

data "aws_iam_policy_document" "logs" {
  statement {
    sid    = "s3-log-delivery"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    actions = ["s3:PutObject"]

    resources = [
      "${aws_s3_bucket.logs.arn}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs.json
}

For Amazon API Gateway stages:

resource "aws_api_gateway_stage" "example" {
  xray_tracing_enabled = true

  access_log_settings {
    destination_arn = "arn:aws:logs:eu-west-1:123456789:example"
    format = "..."
  }
}

How to fix it in Azure

Code examples

The following code is vulnerable because logging is not enabled for the resource, which prevents security and operational teams from detecting and investigating incidents.

Noncompliant code example

For Azure App Services:

resource "azurerm_app_service" "example" {
  logs {
    application_logs {
      file_system_level = "Off" # Noncompliant
      azure_blob_storage {
        level = "Off"           # Noncompliant
      }
    }
  }
}

Compliant solution

resource "azurerm_app_service" "example" {
  logs {
    http_logs {
      file_system {
        retention_in_days = 90
        retention_in_mb   = 100
      }
    }

    application_logs {
      file_system_level = "Error"
      azure_blob_storage {
        retention_in_days = 90
        level             = "Error"
      }
    }
  }
}

How to fix it in GCP

Code examples

The following code is vulnerable because logging is not enabled for the resource, which prevents security and operational teams from detecting and investigating incidents.

Noncompliant code example

For GCP VPC Subnetwork:

resource "google_compute_subnetwork" "example" { # Noncompliant
  name          = "example"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.example.id
}

For GCP SQL Database Instance:

resource "google_sql_database_instance" "example" {
  name = "example"

  settings { # Noncompliant
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
  }
}

Compliant solution

For GCP VPC Subnetwork:

resource "google_compute_subnetwork" "example" {
  name          = "example"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.example.id

  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

For GCP SQL Database Instance:

resource "google_sql_database_instance" "example" {
  name = "example"

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
  }
}
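The conditions described in the AWS, Azure and GCP sections above can be checked on a Terraform plan before it is applied, which is where a detection like this belongs in a pipeline. The Python script below is an added example, not part of the original rule page and not the code of any scanner; it reads the `configuration` section of `terraform show -json tfplan` output (attributes rendered as `{"constant_value": ...}` or `{"references": [...]}`, nested blocks as lists of such maps) and flags the same situations the snippets show: an S3 bucket with no `aws_s3_bucket_logging` resource pointing at it, an API Gateway stage without `access_log_settings` or with `xray_tracing_enabled = false`, an App Service whose application logs are `Off`, a subnetwork without `log_config`, and a Cloud SQL instance missing any of the four logging flags. The helper names (`find_logging_issues`, `walk_config`, `res`, `cv`) and the constructed `SAMPLE_PLAN` are this example's own.

```python
"""Flag Terraform-managed cloud resources whose logging is disabled or omitted.
Input: the `configuration` section of `terraform show -json tfplan` output.
Added example; helper names and the sample plan are this example's own."""
import json

# Cloud SQL flags the compliant solution above turns on.
REQUIRED_SQL_FLAGS = ("log_connections", "log_disconnections", "log_checkpoints", "log_lock_waits")


def walk_config(module: dict):
    """Yield every resource in a module and, recursively, in its module calls."""
    yield from module.get("resources", [])
    for call in module.get("module_calls", {}).values():
        yield from walk_config(call.get("module", {}))


def const(expr: dict, key: str, default=None):
    """Literal value of attribute `key`; `default` when unset or computed at apply time."""
    return expr.get(key, {}).get("constant_value", default)


def blocks(expr: dict, key: str) -> list:
    """Nested blocks of type `key`; an empty list when the block was omitted."""
    return expr.get(key, [])


def refs(expr: dict, key: str) -> set:
    """Addresses referenced by attribute `key`, e.g. {"aws_s3_bucket.x.id", "aws_s3_bucket.x"}."""
    return set(expr.get(key, {}).get("references", []))


def find_logging_issues(plan: dict) -> list:
    resources = list(walk_config(plan["configuration"]["root_module"]))
    issues = []

    # S3 logging lives in a separate resource: record which buckets are covered and
    # which ones only serve as log sinks (a sink is not expected to log itself).
    logged, sinks = set(), set()
    for r in resources:
        if r["type"] == "aws_s3_bucket_logging":
            logged |= refs(r["expressions"], "bucket")
            sinks |= refs(r["expressions"], "target_bucket")

    for r in resources:
        t, e, addr = r["type"], r.get("expressions", {}), r["address"]
        if t == "aws_s3_bucket" and addr not in (logged | sinks):
            issues.append(f"{addr}: no aws_s3_bucket_logging resource targets this bucket")
        elif t == "aws_api_gateway_stage":
            if not blocks(e, "access_log_settings"):
                issues.append(f"{addr}: access_log_settings block is missing")
            if const(e, "xray_tracing_enabled") is False:
                issues.append(f"{addr}: xray_tracing_enabled is explicitly false")
        elif t == "azurerm_app_service":
            app = [a for lg in blocks(e, "logs") for a in blocks(lg, "application_logs")]
            blob = [b for a in app for b in blocks(a, "azure_blob_storage")]
            fs_level = const(app[0], "file_system_level", "Off") if app else "Off"
            blob_level = const(blob[0], "level", "Off") if blob else "Off"
            if fs_level == "Off" and blob_level == "Off":
                issues.append(f"{addr}: application_logs are Off for file_system and azure_blob_storage")
        elif t == "google_compute_subnetwork" and not blocks(e, "log_config"):
            issues.append(f"{addr}: log_config block is missing, so VPC flow logs are off")
        elif t == "google_sql_database_instance":
            flags = {const(f, "name"): const(f, "value")
                     for s in blocks(e, "settings") for f in blocks(s, "database_flags")}
            missing = [n for n in REQUIRED_SQL_FLAGS if flags.get(n) != "on"]
            if missing:
                issues.append(f"{addr}: database_flags not 'on': {', '.join(missing)}")
    return issues


def load_plan(path: str) -> dict:
    """Read the JSON written by `terraform show -json tfplan > plan.json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample mirroring the noncompliant snippets above (no real plan needed).
def res(type_, name, expressions):
    return {"address": f"{type_}.{name}", "type": type_, "name": name, "expressions": expressions}


def cv(value):
    return {"constant_value": value}


SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    res("aws_s3_bucket", "example", {"bucket": cv("example")}),
    res("aws_s3_bucket", "logs", {"bucket": cv("example_logstorage")}),
    res("aws_s3_bucket_logging", "example", {
        "bucket": {"references": ["aws_s3_bucket.example.id", "aws_s3_bucket.example"]},
        "target_bucket": {"references": ["aws_s3_bucket.logs.id", "aws_s3_bucket.logs"]}}),
    res("aws_api_gateway_stage", "example", {"xray_tracing_enabled": cv(False)}),
    res("azurerm_app_service", "example", {"logs": [{"application_logs": [
        {"file_system_level": cv("Off"), "azure_blob_storage": [{"level": cv("Off")}]}]}]}),
    res("google_compute_subnetwork", "example", {"name": cv("example"), "ip_cidr_range": cv("10.2.0.0/16")}),
    res("google_sql_database_instance", "example", {"settings": [
        {"tier": cv("db-f1-micro"), "database_flags": [{"name": cv("log_connections"), "value": cv("on")}]}]}),
]}}}

if __name__ == "__main__":
    for issue in find_logging_issues(SAMPLE_PLAN):
        print(issue)
```

Run against a real plan with `find_logging_issues(load_plan("plan.json"))`. A bucket named as `target_bucket` by any logging resource is treated as a log sink and not flagged, which is why the `logs` bucket of the compliant S3 solution passes; drop the `sinks` exemption if your policy requires log buckets to have access logging of their own. A bucket reference that Terraform cannot resolve to a literal (for example one computed from a variable) appears under `references`, which is the form the S3 check relies on.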
