ELB application and classic load balancer logging should be enabled
Load balancer access logs are the primary record of every inbound connection to your application tier. Without them, you lose visibility into client IP addresses, TLS negotiation details, request latency breakdowns, and HTTP response codes at the edge. Incident response teams depend on these logs to reconstruct attack timelines, identify scanning behavior, and correlate anomalous traffic patterns with backend failures.
Access logs also feed capacity planning. Analyzing request distribution across targets, error rates by path, and latency percentiles over time lets you right-size target groups and catch misconfigurations before they reach users.
Retrofit consideration
Enabling logging on existing load balancers requires an S3 bucket with a bucket policy granting the ELB service principal s3:PutObject. The ELB service account ID varies by AWS region. Missing or incorrect bucket policies cause silent logging failures with no error surfaced on the load balancer itself.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "alb" {
source = "soc2.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "pcidss.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "hipaa.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "gdpr.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nist80053.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nistcsf.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "fedrampmoderate.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "cisv80ig1.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nist800171.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "cisacyberessentials.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nydfs23.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "ffiec.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "acscessentialeight.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "acscism2023.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "cfrpart11.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "rbicybersecurity.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "rbiitfnbfc.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "fedramplow.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "hipaasecurity2003.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nistcsfv11.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "nist80053rev4.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
module "alb" {
source = "pcidssv321.compliance.tf/terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
enabled = true
}
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
}
If you use terraform-aws-modules/alb/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
internal = true
listeners = {
https = {
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
forward = {
target_group_key = "default"
}
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
access_logs = {
enabled = true
}
}
Use AWS provider resources directly. See docs for the resources involved: aws_lb.
resource "aws_lb" "this" {
internal = true
name = "pofix-abc123"
subnets = ["subnet-abc123", "subnet-def456"]
access_logs {
bucket = "pofix-logs-abc123"
enabled = true
}
}
What this control checks
For Application Load Balancers, the aws_lb resource must include an access_logs block with enabled = true and a non-empty bucket argument pointing to an S3 bucket name. An optional prefix argument controls the key prefix within the bucket. If enabled is omitted or set to false, the control fails.
For Classic Load Balancers, the aws_elb resource must include an access_logs block with enabled = true and a bucket argument. The bucket_prefix and interval arguments (5 or 60 minutes) are optional. If the access_logs block is missing entirely, or enabled is false, it fails.
The referenced S3 bucket must exist and its bucket policy must grant the regional Elastic Load Balancing account principal write access. This is typically handled by a separate aws_s3_bucket_policy resource. The control validates logging configuration on the load balancer itself, not whether the bucket policy is correctly set up.
Common pitfalls
S3 bucket policy missing ELB service principal
The S3 bucket must grant
s3:PutObjectto the ELB service account for your region (e.g.,127311923021for us-east-1) or thelogdelivery.elasticloadbalancing.amazonaws.comservice principal. Without this, the load balancer silently fails to deliver logs. No error appears on theaws_lboraws_elbresource. Useaws_s3_bucket_policywith the correct principal.access_logs block present but enabled defaults to false
Get the
enabledflag wrong and you'll have a fully configuredaccess_logsblock that does nothing. Onaws_lb, if you definebucketandprefixbut omitenabled = true, logging stays off. The default isfalse. Always setenabledexplicitly rather than assuming the block's presence is enough.Classic ELB inline access_logs deprecated patterns
Explicitly set
enabled = trueonaws_elb. Older configurations sometimes rely on the presence of theaccess_logsblock alone, but that is not sufficient in current Terraform usage. Without the flag set explicitly, you cannot confirm logging is actually active.Network Load Balancers excluded from this control
This control only covers ALBs and Classic LBs. NLBs also support access logging via
aws_lbwithload_balancer_type = "network", but they are not evaluated by this check. A separate control or custom rule is needed for NLB logging.SSE-S3 encryption required on logging bucket
Log delivery silently fails if the target bucket enforces KMS encryption and the load balancer type does not support it. ALB and NLB access logs support SSE-S3 (
AES256) but not SSE-KMS. Classic ELB has the same limitation. If your logging bucket policy requires KMS-encrypted uploads, delivery will break. Match the bucket encryption settings to what each ELB type actually supports.
Audit evidence
Config rule evaluation results showing COMPLIANT for all ALB and CLB resources against the elb-logging-enabled managed rule are the primary evidence. Console screenshots of the load balancer attributes tab, showing access logs enabled with a named S3 destination, provide supplementary confirmation. Auditors may pull a sample of log files from the S3 bucket directly to verify delivery, checking for recent timestamps and non-empty content.
CloudTrail ModifyLoadBalancerAttributes events show when logging was enabled and by whom, establishing a change history for both ALB (via the elbv2 API) and Classic ELB (via the elb API).
Framework-specific interpretation
SOC 2: CC7.2 expects monitoring of system components for anomalies. Access logs are the raw data source for that monitoring at the application entry point, covering unauthorized access attempts, traffic spikes, and availability issues.
PCI DSS v4.0: For load balancers routing payment traffic, Requirement 10 expects logging of security-relevant events including source, request, response, and timing. Access logs on those load balancers cover that requirement, and the log files in S3 are what examiners ask to see.
HIPAA Omnibus Rule 2013: 45 CFR 164.312(b) calls for audit controls that record and examine activity in systems handling ePHI. Access logs give you a record of every inbound request hitting those application tiers, which is exactly what the audit controls requirement asks to see.
GDPR: Article 32 expects technical measures that support breach detection and forensic investigation. Access logs help with both. They also contain IP addresses, which are personal data under GDPR, so retention policies and access controls on the logging bucket need to reflect data minimization requirements alongside the security objective.
NIST SP 800-53 Rev 5: AU-2, AU-3, and AU-12 all apply. ELB access logs produce records with the detail those controls require: client IP, request URI, response code, and latency. That coverage is sufficient to support after-the-fact investigation of security incidents at the network boundary.
NIST Cybersecurity Framework v2.0: ELB access logs feed directly into DE.CM monitoring for traffic entering through the load balancer. Request volumes, source IP distributions, and error rate trends are all captured, and that baseline also satisfies the ID.AM expectation of knowing what each load balancer asset is doing.
FedRAMP Moderate Baseline Rev 4: AU-2 and AU-3 require event logging with sufficient detail at authorization boundaries. Load balancers are that boundary, and access logs capture source IPs, timestamps, request details, and response codes for every connection, satisfying both controls at the Moderate baseline.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control:
elb_application_classic_lb_logging_enabledAWS Config Managed Rule:
ELB_LOGGING_ENABLEDCheckov Checks:
CKV_AWS_91,CKV_AWS_92Powerpipe Control:
aws_compliance.control.elb_application_classic_lb_logging_enabledProwler Checks:
elb_logging_enabled,elbv2_logging_enabledAWS Security Hub Control:
ELB.5KICS Queries:
20018359-6fd7-4d05-ab26-d4dffccbdf79,3e34db4f-0ad9-4290-bfd0-4a9ee884acaf
Last reviewed: 2026-03-09