Ensure that AWS Elastic Load Balancers (ELB) have inbound rules in their security groups
ELB security groups should have at least one inbound rule. ELBs with no inbound permissions will deny all traffic incoming to the ELB.
Risk Level: Low
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.NET.50
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
ELB should not have securityGroups with [ inboundRules isEmpty() ]
REMEDIATION
From Portal:
- Log in to the AWS console
- In the console, select the specific region
- Navigate to EC2 Dashboard
- Click 'Load Balancers', select the reported load balancer
- Select the Security tab from the bottom panel.
- Click on each associated security group ID under Security Group ID column to open the selected security group configuration page.
- Click the 'Inbound Rules'
- If there are no rules, click 'Edit rules' and create an inbound rule according to your ELB functional requirement.
From Command Line:
To add a rule that allows Inbound traffic to a specific address range. Below example command adds a rule that grants access to the desired address range on TCP port 22.
aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 22 --cidr IP_address_range
References:
- https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
- https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html
Elastic Load Balancing (ELB)
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago