Ensure that AWS Elastic Load Balancers (ELB) have outbound rules in their security groups

ELB security groups should have at least one outbound rule. ELBs with no outbound permissions will deny all outgoing traffic from the ELB.

Risk Level: Low
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.NET.44
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

ELB should not have securityGroups with [ outboundRules isEmpty() ]

REMEDIATION

From Portal

  1. Log in to the AWS console
  2. In the console, select the specific region
  3. Navigate to EC2 Dashboard
  4. Click 'Load Balancers', select the reported load balancer
  5. Select the Security tab from the bottom panel.
  6. Click on each associated security group ID under Security Group ID column to open the selected security group configuration page.
  7. Click the 'Outbound Rules'
  8. If there are no rules, click 'Edit rules', add an outbound rule according to your ELB functional requirements.

From Command Line

  1. To add a rule that allows outbound traffic to a specific address range. Below example command adds a rule that grants access to the specified address ranges on TCP port 80.

Command (Linux):

aws ec2 authorize-security-group-egress --group-id security_group_id --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=10.0.0.0/16}]

Command (Windows):

aws ec2 authorize-security-group-egress --group-id security_group_id --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=10.0.0.0/16}]
  1. To add a rule that allows outbound traffic to a specific security group. Below example command adds a rule that grants access to the specified security group on TCP port 80.
    Command (Linux):
aws ec2 authorize-security-group-egress --group-id security_group_id --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,UserIdGroupPairs='[{GroupId=sg-4b51a32f}]'

Command (Windows):

aws ec2 authorize-security-group-egress --group-id security_group_id --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,UserIdGroupPairs=[{GroupId=sg-4b51a32f}]

References

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
  2. https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-egress.html

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset