Ensure that a Classic Load Balancer is not internet facing
If a load balancer is internet facing, it is reachable from any address on the Internet, which widens the attack surface exposed to unauthenticated traffic.
Risk Level: Low
Cloud Entity: AWS ElasticLoadBalancing LoadBalancer
CloudGuard Rule ID: D9.CFT.NET.09
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
AWS_ElasticLoadBalancing_LoadBalancer should have Scheme='internal'
REMEDIATION
From CFT
Set the AWS::ElasticLoadBalancing::LoadBalancer Scheme property to 'internal'.
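The GSL logic above and the CFT remediation both reduce to one property check on each Classic Load Balancer resource in a template. The script below is an added example (not CloudGuard's engine or any code from the rule page) that applies that check to a CloudFormation template parsed into a dict and then applies the remediation. The sample template, its logical IDs and subnet IDs are constructed for the example; a missing Scheme is reported as a finding because the rule requires Scheme='internal' and the ELB API creates an internet-facing load balancer unless 'internal' is requested.

```python
"""Added example: evaluate a CloudFormation template against the rule
'AWS_ElasticLoadBalancing_LoadBalancer should have Scheme=internal'
and apply the documented remediation. Stand-alone approximation of the
GSL check, not CloudGuard's own implementation."""
import json

ELB_TYPE = "AWS::ElasticLoadBalancing::LoadBalancer"


def find_internet_facing_classic_elbs(template: dict) -> list:
    """Return the logical IDs of Classic Load Balancers whose Scheme
    is not 'internal'. A missing Scheme is also a finding: without an
    explicit 'internal' the load balancer is created internet-facing."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ELB_TYPE:
            continue
        scheme = resource.get("Properties", {}).get("Scheme")
        if scheme != "internal":
            findings.append(logical_id)
    return findings


def remediate(template: dict) -> dict:
    """Return a deep copy of the template with Scheme set to 'internal'
    on every Classic Load Balancer (the rule page's CFT remediation).
    The input template is left unchanged."""
    fixed = json.loads(json.dumps(template))
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") == ELB_TYPE:
            resource.setdefault("Properties", {})["Scheme"] = "internal"
    return fixed


# Constructed sample template (not from the page). Subnet IDs are
# placeholders. Three Classic ELBs: one explicitly internet-facing,
# one that omits Scheme, one already internal; plus an unrelated resource.
HTTP_LISTENER = {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"}
SAMPLE_TEMPLATE = {
    "Resources": {
        "PublicElb": {
            "Type": ELB_TYPE,
            "Properties": {
                "Scheme": "internet-facing",
                "Subnets": ["subnet-placeholder-a"],
                "Listeners": [HTTP_LISTENER],
            },
        },
        "DefaultSchemeElb": {
            "Type": ELB_TYPE,
            "Properties": {
                "Subnets": ["subnet-placeholder-b"],
                "Listeners": [HTTP_LISTENER],
            },
        },
        "InternalElb": {
            "Type": ELB_TYPE,
            "Properties": {
                "Scheme": "internal",
                "Subnets": ["subnet-placeholder-c"],
                "Listeners": [HTTP_LISTENER],
            },
        },
        "LogsBucket": {"Type": "AWS::S3::Bucket"},
    }
}

if __name__ == "__main__":
    print("Non-compliant:", find_internet_facing_classic_elbs(SAMPLE_TEMPLATE))
    fixed = remediate(SAMPLE_TEMPLATE)
    print("After remediation:", find_internet_facing_classic_elbs(fixed))
```

To run it against a real template, load the JSON (or YAML, via a YAML parser) into a dict and pass it to find_internet_facing_classic_elbs; the remediate step is a mechanical rewrite, so review the result before deploying, since an ELB that genuinely must serve public traffic needs a deliberate exception rather than a silent flip to internal.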
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html#cfn-ec2-elb-scheme
- https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-internal-load-balancers.html
AWS ElasticLoadBalancing LoadBalancer
AWS::ElasticLoadBalancing::LoadBalancer
Specifies a Classic Load Balancer. You can specify the AvailabilityZones or Subnets property, but not both. If this resource has a public IP address and is also in a VPC that is defined in the same template, you must use the DependsOn attribute to declare a dependency on the VPC-gateway attachment.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated about 1 year ago