
I have come across a question on AWS about tracking the originating IP or client IP of a request processed by an EC2 instance or application.

I get confused because the originating IP or client IP can be seen in VPC Flow Logs, CloudTrail logs and ELB logs.

For example, here is one of the questions I have come across in one of the mock tests:

An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. The Information Security team wants to track application requests by the originating IP and the EC2 instance that processes the request. Which of the following tools or services provides this information?

  • AWS CloudTrail
  • Elastic Load Balancing access logs
  • VPC Flow Logs

1 Answer

An Application Load Balancer "retransmits" the request to the EC2 instance. Thus, it does not appear to come from the originator.

The Elastic Load Balancing access logs will contain the originator information.

From Capture Client IP Addresses in Your ELB Access Logs:

For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners, you must use X-Forwarded-For headers to capture client IP addresses. Then, you must print those client IP addresses in your access logs.

AWS CloudTrail keeps a record of API calls made to AWS, so it will not contain traffic sent through a Load Balancer.

VPC Flow Logs show the source and destination of each packet within a VPC. Any packets between the Load Balancer and the EC2 instance would only show that traffic (ALB -> EC2). They would not show the traffic prior to the Load Balancer.

  • I understand VPC Flow Logs will show the network interface address as the source address, but AWS CloudTrail logs show sourceIPAddress. – SudhirKumar Dec 03 '20 at 05:22
  • Traffic flowing through a Load Balancer will _not_ appear in CloudTrail because AWS CloudTrail only logs API calls to AWS (e.g. RunInstances, ListBuckets, CreateVPC). It does not log traffic flowing through the VPC itself. – John Rotenstein Dec 03 '20 at 08:46
  • If a request is going to an instance which is behind a Load Balancer in a VPC and I see this event in CloudTrail, what would be the sourceIPAddress? – SudhirKumar Dec 04 '20 at 02:05
  • Data flowing to an Amazon EC2 instance will not appear in AWS CloudTrail. The only items logged in CloudTrail are API calls made to the AWS service. – John Rotenstein Dec 04 '20 at 11:04
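As an added illustration of the answer above (this is example code written for this page, not code from AWS or from the answerer), the following parses ALB access log entries and pulls out exactly the two fields the mock question asks for: the client IP that originated the request and the target (EC2 instance IP and port) that processed it. It also shows how an application that logs its own requests should read the X-Forwarded-For header the ALB adds. The log lines are constructed samples in the ALB access log field layout; the IP addresses, load balancer name, account ID and ARNs are placeholders.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample ALB access log lines (not real log data). The field order is the
# ALB access log layout: type, time, elb, client:port, target:port, request/target/
# response processing times, elb_status_code, target_status_code, received_bytes,
# sent_bytes, "request", "user_agent", ... The second entry models a 503 returned by
# the ALB itself (no healthy target), where target:port is "-" and the timings are -1.
SAMPLE_ALB_LOG = """\
http 2020-12-03T05:22:10.123456Z app/my-alb/0123456789abcdef 203.0.113.45:51234 10.0.1.27:8080 0.001 0.012 0.000 200 200 312 1024 "GET http://app.example.com:80/orders HTTP/1.1" "curl/7.64.1" - - arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/my-tg/abcdef0123456789 "Root=1-5fc86b22-0123456789abcdef01234567" "-" "-" 0 2020-12-03T05:22:10.110000Z "forward" "-" "-" "10.0.1.27:8080" "200" "-" "-"
https 2020-12-03T05:22:11.000000Z app/my-alb/0123456789abcdef 198.51.100.9:40001 - -1 -1 -1 503 - 150 230 "GET https://app.example.com:443/health HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/my-tg/abcdef0123456789 "Root=1-5fc86b23-0123456789abcdef01234568" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000" 0 2020-12-03T05:22:10.990000Z "forward" "-" "-" "-" "-" "-" "-"
"""


@dataclass
class AlbRequest:
    time: str
    client_ip: str
    client_port: int
    target_ip: Optional[str]   # None when the ALB answered without forwarding
    target_port: Optional[int]
    elb_status: int
    request: str


def split_host_port(field: str) -> Tuple[Optional[str], Optional[int]]:
    """Split an ALB 'host:port' field; '-' means no target was involved."""
    if field == "-":
        return None, None
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)   # strip brackets if an IPv6 literal appears


def parse_alb_line(line: str) -> AlbRequest:
    # shlex.split keeps the double-quoted fields (request line, user agent, ...) intact.
    fields = shlex.split(line)
    if len(fields) < 13:
        raise ValueError("not an ALB access log entry")
    client_ip, client_port = split_host_port(fields[3])
    target_ip, target_port = split_host_port(fields[4])
    return AlbRequest(
        time=fields[1],
        client_ip=client_ip,
        client_port=client_port,
        target_ip=target_ip,
        target_port=target_port,
        elb_status=int(fields[8]),
        request=fields[12],
    )


def parse_alb_log(text: str) -> List[AlbRequest]:
    return [parse_alb_line(l) for l in text.splitlines() if l.strip()]


def requests_by_client_and_target(text: str) -> Dict[Tuple[str, Optional[str]], int]:
    """Count requests per (originating client IP, EC2 target IP): the pairing the
    InfoSec team in the question wants. A None target means the ALB never forwarded."""
    counts: Dict[Tuple[str, Optional[str]], int] = {}
    for r in parse_alb_log(text):
        key = (r.client_ip, r.target_ip)
        counts[key] = counts.get(key, 0) + 1
    return counts


def client_ip_from_xff(xff_header: str, hops_behind_alb: int = 0) -> Optional[str]:
    """Client IP an application on the EC2 instance should write to its own logs.

    The ALB appends the address it accepted the connection from to X-Forwarded-For,
    so the rightmost entry is what the ALB observed. Entries to the left were supplied
    by the client or by proxies in front of the ALB, so only trust as many of them as
    there are known proxies (hops_behind_alb, e.g. 1 if a CDN sits in front).
    """
    parts = [p.strip() for p in xff_header.split(",") if p.strip()]
    if not parts:
        return None
    index = len(parts) - 1 - hops_behind_alb
    return parts[index] if index >= 0 else parts[0]


if __name__ == "__main__":
    for r in parse_alb_log(SAMPLE_ALB_LOG):
        print(f"{r.time} client={r.client_ip} target={r.target_ip} status={r.elb_status} {r.request}")
    print(requests_by_client_and_target(SAMPLE_ALB_LOG))
```

The `target:port` column is the EC2 instance's private IP; mapping it back to an instance ID is a separate lookup (for example via the ENI's private address), which the log itself does not give you. The `client_ip_from_xff` helper reads the header from the right for the reason the quoted AWS guidance hints at: the leftmost value is whatever the requester chose to send.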