Ensure no Application Load Balancer allows incoming traffic from 0.0.0.0/0 to known UDP port
In order to implement the principle of least privilege and reduce the possibility of a breach. Always make sure Application Load Balancers are not exposed incoming traffic from 0.0.0.0/0 to known UDP ports.
Risk Level: Medium
Cloud Entity: Application Load Balancer
CloudGuard Rule ID: D9.AWS.NET.83
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
ApplicationLoadBalancer where isPublic=true should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_UDP_Ports) and protocol in('UDP', 'ALL') ] ] ]
REMEDIATION
From Portal
A)
- Sign in to the AWS Management Console.Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
- In the NETWORK & SECURITY tab, choose Security Groups.
- Create a new Security group, add an appropriate scope other than 0.0.0.0/0 in the inbound rules.
B) - Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, under LOAD BALANCING, choose Load Balancers.
- Select the load balancer.
- On the Description tab, under Security, choose Edit security groups.
- To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.
- Choose Save.
From Command Line
- Create a new security group to replace the insecure security which is currently attached to the ALB.
aws ec2 create-security-group --region REGION --group-name SG_NAME --description "SECURE SG" --vpc-id VPC_ID
- Add an inbound rule with appropriate scope/cidr range in order to limit the incoming traffic.
aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port PORT --cidr CIDR_BLOCK
- Use set-security-groups command to replace the existing security group with new secure one.
aws elbv2 set-security-groups --region REGION --load-balancer-arn ALB_ARN --security-groups SG_ID
From CFT
Use the link from references to Cloudformation resource load balancer and configure the security group with appropriate settings in order to limit the incoming traffic.
From TF
Use the link from references to Terraform resource load balancer and configure the security group with appropriate settings in order to limit the incoming traffic.
References
- https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html
- https://docs.aws.amazon.com/cli/latest/reference/elbv2/set-security-groups.html
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-loadbalancer.html#cfn-elasticloadbalancingv2-loadbalancer-securitygroups
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
Application Load Balancer
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard CheckUp
- AWS CloudGuard Network Alerts for default VPC components
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS GDPR Readiness
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated over 1 year ago