Risk Level: Low
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.NET.44
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

ELB should not have securityGroups with [ outboundRules isEmpty() ]

REMEDIATION

From Portal

Log in to the AWS console
In the console, select the specific region
Navigate to EC2 Dashboard
Click 'Load Balancers', select the reported load balancer
Select the Security tab from the bottom panel.
Click on each associated security group ID under Security Group ID column to open the selected security group configuration page.
Click the 'Outbound Rules'
If there are no rules, click 'Edit rules', add an outbound rule according to your ELB functional requirements.

From Command Line

To add a rule that allows outbound traffic to a specific address range. Below example command adds a rule that grants access to the specified address ranges on TCP port 80.

Command (Linux):

aws ec2 authorize-security-group-egress --group-id security_group_id --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=10.0.0.0/16}]

Command (Windows):

aws ec2 authorize-security-group-egress --group-id security_group_id --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=10.0.0.0/16}]

To add a rule that allows outbound traffic to a specific security group. Below example command adds a rule that grants access to the specified security group on TCP port 80.
Command (Linux):

aws ec2 authorize-security-group-egress --group-id security_group_id --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,UserIdGroupPairs='[{GroupId=sg-4b51a32f}]'

Command (Windows):

aws ec2 authorize-security-group-egress --group-id security_group_id --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,UserIdGroupPairs=[{GroupId=sg-4b51a32f}]

References

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-egress.html

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset