Disabling logging of this component can lead to missing traceability in case of a security incident.

Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage enables them to quickly react to events, ranging from the most benign bugs to the most impactful security incidents, such as intrusions.

Apart from security detection, logging capabilities also directly influence future digital forensic analyses. For example, detailed logging will allow investigators to establish a timeline of the actions perpetrated by an attacker.

Ask Yourself Whether

• This component is essential for the information system infrastructure.
• This component is essential for mission-critical functions.
• Compliance policies require this component to be monitored.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Enable the logging capabilities of this component. Depending on the component, new permissions might be required by the logging storage components.
You should consult the official documentation to enable logging for the impacted components. For example, AWS Application Load Balancer Access Logs require an additional bucket policy.

Sensitive Code Example

For Amazon S3 access requests:

resource "aws_s3_bucket" "example" { # Sensitive
  bucket = "example"
}

For Amazon API Gateway stages:

resource "aws_api_gateway_stage" "example" { # Sensitive
  xray_tracing_enabled = false # Sensitive
}

For Amazon MSK Broker logs:

resource "aws_msk_cluster" "example" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3

  logging_info {
    broker_logs { # Sensitive
      firehose {
        enabled = false
      }
      s3 {
        enabled = false
      }
    }
  }
}

For Amazon MQ Brokers:

resource "aws_mq_broker" "example" {
  logs {  # Sensitive
    audit   = false
    general = false
  }
}

For Amazon Amazon DocumentDB:

resource "aws_docdb_cluster" "example" { # Sensitive
  cluster_identifier = "example"
}

For Azure App Services:

resource "azurerm_app_service" "example" {
  logs {
    application_logs {
      file_system_level = "Off" # Sensitive
      azure_blob_storage {
        level = "Off"           # Sensitive
      }
    }
  }
}

For GCP VPC Subnetwork:

resource "google_compute_subnetwork" "example" { # Sensitive
  name          = "example"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.example.id
}

For GCP SQL Database Instance:

resource "google_sql_database_instance" "example" {
  name = "example"

  settings { # Sensitive
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
  }
}

For GCP Kubernetes Engine (GKE) cluster:

resource "google_container_cluster" "example" {
  name               = "example"
  logging_service    = "none" # Sensitive
}

Compliant Solution

For Amazon S3 access requests:

resource "aws_s3_bucket" "example-logs" {
  bucket = "example_logstorage"
  acl    = "log-delivery-write"
}

resource "aws_s3_bucket" "example" {
  bucket = "example"

  logging { # AWS provider <= 3
      target_bucket = aws_s3_bucket.example-logs.id
      target_prefix = "log/example"
  }
}

resource "aws_s3_bucket_logging" "example" { # AWS provider >= 4
  bucket = aws_s3_bucket.example.id

  target_bucket = aws_s3_bucket.example-logs.id
  target_prefix = "log/example"
}

For Amazon API Gateway stages:

resource "aws_api_gateway_stage" "example" {
  xray_tracing_enabled = true

  access_log_settings {
    destination_arn = "arn:aws:logs:eu-west-1:123456789:example"
    format = "..."
  }
}

For Amazon MSK Broker logs:

resource "aws_msk_cluster" "example" {
  cluster_name           = "example"
  kafka_version          = "2.7.1"
  number_of_broker_nodes = 3

  logging_info {
    broker_logs {
      firehose   {
        enabled = false
      }
      s3 {
        enabled = true
        bucket  = "example"
        prefix  = "log/msk-"
      }
    }
  }
}

For Amazon MQ Brokers, enable audit or general:

resource "aws_mq_broker" "example" {
  logs {
    audit   = true
    general = true
  }
}

For Amazon Amazon DocumentDB:

resource "aws_docdb_cluster" "example" {
  cluster_identifier              = "example"
  enabled_cloudwatch_logs_exports = ["audit"]
}

For Azure App Services:

resource "azurerm_app_service" "example" {
 logs {
    http_logs {
      file_system {
        retention_in_days = 90
        retention_in_mb   = 100
      }
    }

 application_logs {
      file_system_level = "Error"
      azure_blob_storage {
        retention_in_days = 90
        level             = "Error"
      }
    }
  }
}

For GCP VPC Subnetwork:

resource "google_compute_subnetwork" "example" {
  name          = "example"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.example.id

  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

For GCP SQL Database Instance:

resource "google_sql_database_instance" "example" {
  name             = "example"

  settings {
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
  }
}

For GCP Kubernetes Engine (GKE) cluster:

resource "google_container_cluster" "example" {
  name               = "example"
  logging_service    = "logging.googleapis.com/kubernetes"
}

See

• OWASP Top 10 2021 Category A9 - Security Logging and Monitoring Failures
• AWS Documentation - Logging requests using server access logging
• MITRE, CWE-778 - Insufficient Logging
• OWASP Top 10 2017 Category A10 - Insufficient Logging & Monitoring