Ensure that a Load balancer is not internet facing
An internet-facing load balancer is reachable from the public internet, which widens the attack surface of the targets behind it.
Risk Level: Low
Cloud Entity: AWS ElasticLoadBalancingV2 LoadBalancer
CloudGuard Rule ID: D9.CFT.NET.10
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
AWS_ElasticLoadBalancingV2_LoadBalancer should have Scheme='internal'
REMEDIATION
From CFT
Set the AWS::ElasticLoadBalancingV2::LoadBalancer Scheme property to 'internal'.
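The check below is an added example, not CloudGuard's or Spectral's own code: it applies the same Scheme='internal' test to a JSON CloudFormation template. The sample template, its resource names and the function name check_lb_scheme are constructed for illustration; it assumes that an omitted Scheme should fail (CloudFormation defaults to internet-facing) and that a non-literal Scheme such as a Ref needs manual review.

```python
import json

LB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"

# Constructed sample template (not from the page); resource names are made up.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {"LbScheme": {"Type": "String", "Default": "internet-facing"}},
  "Resources": {
    "PublicAlb":   {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                    "Properties": {"Scheme": "internet-facing"}},
    "DefaultAlb":  {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                    "Properties": {"Type": "application"}},
    "ParamAlb":    {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                    "Properties": {"Scheme": {"Ref": "LbScheme"}}},
    "InternalNlb": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                    "Properties": {"Type": "network", "Scheme": "internal"}},
    "Bucket":      {"Type": "AWS::S3::Bucket"}
  }
}
""")


def check_lb_scheme(template):
    """Return {logical_id: finding} for every load balancer failing the rule."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != LB_TYPE:
            continue
        scheme = (res.get("Properties") or {}).get("Scheme")
        if scheme is None:
            # CloudFormation defaults an omitted Scheme to internet-facing.
            findings[name] = "Scheme omitted (defaults to internet-facing)"
        elif not isinstance(scheme, str):
            # Intrinsic function such as Ref or Fn::If: value unknown statically.
            findings[name] = "Scheme is not a literal; resolve and review"
        elif scheme != "internal":
            findings[name] = f"Scheme is '{scheme}'"
    return findings


if __name__ == "__main__":
    for name, finding in check_lb_scheme(SAMPLE_TEMPLATE).items():
        print(f"FAIL {name}: {finding}")
```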
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-loadbalancer.html#cfn-elasticloadbalancingv2-loadbalancer-scheme
- https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-internal-load-balancers.html
AWS ElasticLoadBalancingV2 LoadBalancer
Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets, and routes traffic only to the healthy targets. Elastic Load Balancing scales your load balancer as your incoming traffic changes over time. It can automatically scale to the vast majority of workloads. The AWS::ElasticLoadBalancingV2::LoadBalancer resource specifies an Application Load Balancer, a Network Load Balancer, or a Gateway Load Balancer.
Compliance Frameworks
- AWS CloudFormation ruleset