Risk Level: High
Cloud Entity: Application Load Balancer
CloudGuard Rule ID: D9.AWS.NET.85
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

ApplicationLoadBalancer where isPublic=true should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_DB_UDP_Ports) and protocol in('UDP', 'ALL') ] ] ]

REMEDIATION

From Portal
A)

Sign in to the AWS Management Console.Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
In the NETWORK & SECURITY tab, choose Security Groups.
Create a new Security group, add an appropriate scope other than 0.0.0.0/0 in the inbound rules.
B)
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under LOAD BALANCING, choose Load Balancers.
Select the load balancer.
On the Description tab, under Security, choose Edit security groups.
To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.
Choose Save.

From Command Line

Create a new security group to replace the insecure security which is currently attached to the ALB.

aws ec2 create-security-group	--region REGION --group-name SG_NAME --description "SECURE SG" --vpc-id VPC_ID

Add an inbound rule with appropriate scope/cidr range in order to limit the incoming traffic.

aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port PORT --cidr CIDR_BLOCK

Use set-security-groups command to replace the existing security group with new secure one.

aws elbv2 set-security-groups --region REGION --load-balancer-arn ALB_ARN --security-groups SG_ID

From CFT
Use the link from references to Cloudformation resource load balancer and configure the security group with appropriate settings in order to limit the incoming traffic.

From TF
Use the link from references to Terraform resource load balancer and configure the security group with appropriate settings in order to limit the incoming traffic.

References

Application Load Balancer

An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.

Compliance Frameworks

AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard CheckUp
AWS CloudGuard Network Alerts for default VPC components
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS GDPR Readiness
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Default Ruleset