Ensure that a classic Load balancer is not internet facing

If a load balancer is internet facing, it increases attack vector reachability.

Risk Level: Low
Cloud Entity: AWS ElasticLoadBalancing LoadBalancer
CloudGuard Rule ID: D9.CFT.NET.09
Covered by Spectral: Yes
Category: Compute


AWS_ElasticLoadBalancing_LoadBalancer should have Scheme='internal'


From CFT
Set AWS::ElasticLoadBalancing::LoadBalancer Scheme property to 'internal'.


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html#cfn-ec2-elb-scheme
  2. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-internal-load-balancers.html

AWS ElasticLoadBalancing LoadBalancer

AWS::ElasticLoadBalancing::LoadBalancer Specifies a Classic Load Balancer.You can specify the AvailabilityZones or Subnets property, but not both.If this resource has a public IP address and is also in a VPC that is defined in the same template, you must use the DependsOn attribute to declare a dependency on the VPC-gateway attachment.

Compliance Frameworks

  • AWS CloudFormation ruleset