Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known TCP port

In order to implement the principle of least privilege and reduce the possibility of a breach. Always make sure ELBS are not exposed incoming traffic from 0.0.0.0/0 to known TCP ports.

Risk Level: Medium
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.NET.86
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

ELB where isPublic=true should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_TCP_Ports) and protocol in('TCP', 'ALL') ] ] ]

REMEDIATION

From Portal
A)

  1. Sign in to the AWS Management Console.Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the NETWORK & SECURITY tab, choose Security Groups.
  3. Create a new Security group, add an appropriate scope other than 0.0.0.0/0 in the inbound rules.
    B)
  4. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  5. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
  6. Select the load balancer.
  7. On the Description tab, under Security, choose Edit security groups.
  8. To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.
  9. Choose Save.

From Command Line

  1. Create a new security group to replace the insecure security which is currently attached to the ELB.
aws ec2 create-security-group	--region REGION --group-name SG_NAME --description "SECURE SG" --vpc-id VPC_ID
  1. Add an inbound rule with appropriate scope/cidr range in order to limit the incoming traffic.
aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port PORT --cidr CIDR_BLOCK
  1. Use the following apply-security-groups-to-load-balancer command to associate a security group with a load balancer in a VPC. The specified security groups override the previously associated security groups.
aws elb apply-security-groups-to-load-balancer --load-balancer-name my-loadbalancer --security-groups sg-ID

From CFT
Use the link from references to Cloudformation resource load balancer and configure the security group with appropriate settings in order to limit the incoming traffic.

From TF
Use the link from references to Terraform resource load balancer and configure the security group with appropriate settings in order to limit the incoming traffic.

References

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elb/apply-security-groups-to-load-balancer.html
  3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset