AWS ELB Best Practices

Elastic Load Balancing (ELB) automatically distributes incoming traffic across your EC2 instances. This service enables high availability and fault tolerance by evenly distributing the incoming load between your virtual machines.

Cloud Conformity checks the AWS Elastic Load Balancing (ELB) service against the following rules:

Enable HTTPS/SSL Listener for App-Tier ELBs
Ensure app-tier ELBs use an HTTPS listener.

Enable Latest SSL Security Policy for App-Tier ELBs
Ensure app-tier ELBs have the latest SSL security policy configured.

Add SSL/TLS Server Certificates to App-Tier ELBs
Ensure app-tier ELBs have an SSL/TLS certificate attached.

App-Tier ELBs Health Check
Ensure app-tier Elastic Load Balancers have an application-layer health check configured.

Enable AWS ELB Access Logging
Ensure that your AWS Elastic Load Balancers use access logging to analyze traffic patterns and identify and troubleshoot security issues.

AWS Classic Load Balancer
Ensure HTTP/HTTPS applications are using Application Load Balancer instead of Classic Load Balancer for cost and web traffic distribution optimization.

Connection Draining Enabled
With Connection Draining feature enabled, if an EC2 backend instance fails health checks the Elastic Load Balancer will not send any new requests to the unhealthy instance. However, it will still allow existing (in-flight) requests to complete for the duration of the configured timeout.

Enable AWS ELB Cross-Zone Load Balancing
Ensure high availability for your ELBs by using Cross-Zone Load Balancing with multiple subnets in different AZs.

Idle AWS ELBs
Identify idle Elastic Load Balancers (ELBs) and terminate them in order to optimize AWS costs.

AWS ELB insecure SSL ciphers
Ensure your ELBs do not use insecure or deprecated SSL ciphers.

AWS ELB insecure SSL protocols
Ensure your ELBs do not use insecure SSL protocols.

AWS ELB Listener Security
Ensure that your AWS ELB listeners are using a secure protocol (HTTPS or SSL).

AWS ELB minimum number of EC2 instances
Ensure there is a minimum number of two healthy backend instances associated with each ELB.

ELB Security Group
Ensure there are valid security groups associated with your Elastic Load Balancer.

AWS ELB Security Policy
Ensure AWS ELBs are using the latest predefined security policies.

Remove unused AWS ELBs
Identify and remove any unused Elastic Load Balancers for cost optimization.

AWS ELB Instances Distribution Across AZs
Ensure even distribution of backend instances registered to an ELB across Availability Zones.

Review AWS Internet Facing Load Balancers
Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security purposes (informational).

Enable HTTPS/SSL Listener for Web-Tier ELBs
Ensure web-tier ELBs use an HTTPS listener.

Enable Latest SSL Security Policy for Web-Tier ELBs
Ensure web-tier ELBs have the latest SSL security policy configured.

Add SSL/TLS Server Certificates to Web-Tier ELBs
Ensure web-tier ELBs have an SSL/TLS certificate attached.

Web-Tier ELBs Health Check
Ensure web-tier Elastic Load Balancers have an application-layer health check configured.