Description
Describe the issue
Check ID: CKV_AWS_91
This check verifies that Network Load Balancers have access logging enabled by looking for access_logs.s3.enabled in LoadBalancerAttributes. However, that is now considered legacy after AWS introduced a new method for NLB access logs in November 2025, supporting Amazon CloudWatch Logs, Amazon Data Firehose, and Amazon Simple Storage Service (Amazon S3).
The check should be updated to also recognize this new delivery method as valid access logging configuration.
Examples
CloudFormation template with access logging enabled via AWS::Logs::Delivery:
```yaml
Resources:
  NlbDeliveryDestination:
    Type: AWS::Logs::DeliveryDestination
    Properties:
      Name: my-nlb-cloudwatch-destination
      DeliveryDestinationType: CWL
      DestinationResourceArn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/vendedlogs/nlb-access-logs"
  NlbDeliverySource:
    Type: AWS::Logs::DeliverySource
    Properties:
      Name: my-nlb-access-logs-source
      LogType: NLB_ACCESS_LOGS
      ResourceArn: !Ref ElasticLoadBalancer
  NlbLogDelivery:
    Type: AWS::Logs::Delivery
    Properties:
      DeliverySourceName: !Ref NlbDeliverySource
      DeliveryDestinationArn: !GetAtt NlbDeliveryDestination.Arn
  ElasticLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-nlb
      Type: network
      Scheme: internal
      Subnets:
        - subnet-12345
```

Expected: PASSED - Access logging is configured via AWS::Logs::Delivery with LogType: NLB_ACCESS_LOGS
Actual: FAILED - Check only looks for the access_logs.s3.enabled attribute
Suggested fix
The check should pass if either:
- `access_logs.s3.enabled: true` is set in LoadBalancerAttributes (current behavior), OR
- A valid `AWS::Logs::Delivery` exists with an `AWS::Logs::DeliverySource` for the LB and a corresponding `AWS::Logs::DeliveryDestination` of one of these types:
  - Amazon CloudWatch Logs
  - Amazon S3
  - Amazon Data Firehose
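As an added illustration of the two-path logic proposed above (this is a constructed, standalone model and not Checkov's own check code), the snippet below walks a parsed CloudFormation template and marks a network load balancer PASSED when either the legacy `access_logs.s3.enabled` attribute is true or a `DeliverySource` with `LogType: NLB_ACCESS_LOGS` for that LB is wired through a `Delivery` to a `DeliveryDestination` of a supported type. It assumes templates are plain dicts using long-form intrinsics (`{"Ref": ...}`, `{"Fn::GetAtt": [...]}`) rather than the YAML short tags, and the `SUPPORTED_DESTINATION_TYPES` set uses the `DeliveryDestinationType` values from the CloudFormation documentation (only `CWL` appears in this issue). The function names and sample templates are this example's own.

```python
"""Constructed model of the suggested CKV_AWS_91 logic (not Checkov's own code)."""
from typing import Any, Optional

# DeliveryDestinationType values per the CloudFormation docs; only CWL appears in the issue.
SUPPORTED_DESTINATION_TYPES = {"CWL", "S3", "FH"}


def _ref_target(value: Any) -> Optional[str]:
    """Logical id named by a Ref / Fn::GetAtt; None for literals or other intrinsics."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        att = value.get("Fn::GetAtt")
        if isinstance(att, list) and att:
            return att[0]
        if isinstance(att, str):
            return att.split(".", 1)[0]
    return None


def _props(resource: dict) -> dict:
    return resource.get("Properties") or {}


def legacy_s3_logging_enabled(lb_props: dict) -> bool:
    """Current behaviour: access_logs.s3.enabled = true in LoadBalancerAttributes."""
    for attr in lb_props.get("LoadBalancerAttributes") or []:
        if attr.get("Key") == "access_logs.s3.enabled" and str(attr.get("Value")).lower() == "true":
            return True
    return False


def delivery_logging_enabled(resources: dict, lb_id: str) -> bool:
    """Proposed addition: DeliverySource (NLB_ACCESS_LOGS, ResourceArn -> this LB)
    linked by a Delivery to a DeliveryDestination of a supported type."""
    sources = set()  # logical ids and Name values of matching DeliverySources
    for rid, res in resources.items():
        p = _props(res)
        if (res.get("Type") == "AWS::Logs::DeliverySource"
                and p.get("LogType") == "NLB_ACCESS_LOGS"
                and _ref_target(p.get("ResourceArn")) == lb_id):
            sources.add(rid)
            if isinstance(p.get("Name"), str):
                sources.add(p["Name"])
    destinations = {
        rid for rid, res in resources.items()
        if res.get("Type") == "AWS::Logs::DeliveryDestination"
        and _props(res).get("DeliveryDestinationType") in SUPPORTED_DESTINATION_TYPES
    }
    for res in resources.values():
        if res.get("Type") != "AWS::Logs::Delivery":
            continue
        p = _props(res)
        src = p.get("DeliverySourceName")  # !Ref on a DeliverySource yields its Name
        src = _ref_target(src) or (src if isinstance(src, str) else None)
        dst = _ref_target(p.get("DeliveryDestinationArn"))
        if src in sources and dst in destinations:
            return True
    return False


def check_nlb_access_logging(template: dict) -> dict:
    """Return {logical_id: "PASSED"|"FAILED"} for every network load balancer."""
    resources = template.get("Resources") or {}
    results = {}
    for rid, res in resources.items():
        p = _props(res)
        if res.get("Type") != "AWS::ElasticLoadBalancingV2::LoadBalancer" or p.get("Type") != "network":
            continue
        ok = legacy_s3_logging_enabled(p) or delivery_logging_enabled(resources, rid)
        results[rid] = "PASSED" if ok else "FAILED"
    return results


# --- Constructed sample templates ------------------------------------------------
NLB = {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
       "Properties": {"Name": "my-nlb", "Type": "network", "Scheme": "internal",
                      "Subnets": ["subnet-12345"]}}

# The issue's template, expressed with long-form intrinsics.
DELIVERY_TEMPLATE = {"Resources": {
    "NlbDeliveryDestination": {"Type": "AWS::Logs::DeliveryDestination", "Properties": {
        "Name": "my-nlb-cloudwatch-destination", "DeliveryDestinationType": "CWL",
        "DestinationResourceArn": {"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/vendedlogs/nlb-access-logs"}}},
    "NlbDeliverySource": {"Type": "AWS::Logs::DeliverySource", "Properties": {
        "Name": "my-nlb-access-logs-source", "LogType": "NLB_ACCESS_LOGS",
        "ResourceArn": {"Ref": "ElasticLoadBalancer"}}},
    "NlbLogDelivery": {"Type": "AWS::Logs::Delivery", "Properties": {
        "DeliverySourceName": {"Ref": "NlbDeliverySource"},
        "DeliveryDestinationArn": {"Fn::GetAtt": ["NlbDeliveryDestination", "Arn"]}}},
    "ElasticLoadBalancer": NLB,
}}

# Legacy attribute only (what the check accepts today).
LEGACY_TEMPLATE = {"Resources": {"ElasticLoadBalancer": {
    "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "Properties": {"Type": "network", "Subnets": ["subnet-12345"],
                   "LoadBalancerAttributes": [{"Key": "access_logs.s3.enabled", "Value": "true"}]}}}}

# A Delivery chain pointing at a different resource must not satisfy the check.
UNRELATED_TEMPLATE = {"Resources": dict(DELIVERY_TEMPLATE["Resources"], NlbDeliverySource={
    "Type": "AWS::Logs::DeliverySource",
    "Properties": {"LogType": "NLB_ACCESS_LOGS", "ResourceArn": {"Ref": "OtherLoadBalancer"}}})}

if __name__ == "__main__":
    for name, tpl in [("delivery", DELIVERY_TEMPLATE), ("legacy", LEGACY_TEMPLATE),
                      ("unrelated", UNRELATED_TEMPLATE)]:
        print(name, check_nlb_access_logging(tpl))
```

The third template is the case a reviewer should insist on: a `Delivery` chain that exists in the template but whose `DeliverySource.ResourceArn` points at another resource must still yield FAILED, otherwise any unrelated delivery in the stack would silently satisfy the check.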
Version (please complete the following information):
- Checkov Version: 3.2.497
Additional context
AWS documentation: