
ELB Security Group

Last updated: 10 November 2017
Security

Risk level: High (act today)

Check your Elastic Load Balancer (ELB) security layer for at least one valid security group that restricts access only to the ports defined in the load balancer listeners configuration.

This rule resolution is part of the Cloud Conformity Security Package

If your Elastic Load Balancer (ELB) is configured with a missing security group, or with a security group that grants access to ports that are not defined in the listener configuration, the risk of data loss and unauthorized access increases.
If your ELB is created without specifying a security group, it is automatically associated with an invalid security group (VPC default security group).
If a security group associated with an existing ELB is deleted, the load balancer will stop working as expected.

Audit

Case A: to determine if your Elastic Load Balancer uses invalid security groups, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Security tab from the bottom panel.

06 Under the Security Group ID column, check for missing and invalid security groups. In the following example the only associated security group is the default VPC security group, which is invalid and does not work with the ELB listeners configuration.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) to return the IDs of the security groups associated with your Elastic Load Balancer:

aws elb describe-load-balancers \
	--load-balancer-name MyWebELB

02 The command output should reveal the associated security groups IDs:

{
    "LoadBalancerDescriptions": [
        {
            "Subnets": [
                "subnet-91625dd7",
                "subnet-aaafce90",
                "subnet-d4247bfc",
                "subnet-df0e1cab"
            ],

            ...

            "SecurityGroups": [
                "sg-e95df78c"
            ],

            ...

            "Scheme": "internet-facing",
            "SourceSecurityGroup": {
                "OwnerAlias": "123456789012",
                "GroupName": "default"
            }
        }
    ]
}

03 If the security group does not allow HTTP traffic to the ports defined in the load balancer listeners configuration (port 80 in this case), the security group is invalid. Run the describe-security-groups command (OSX/Linux/UNIX) with each security group ID returned in the previous step to determine whether the security group is invalid; the filters keep only groups that have an inbound rule for port 80 open to 0.0.0.0/0:

aws ec2 describe-security-groups \
	--group-ids sg-e95df78c \
	--filters Name=ip-permission.from-port,Values=80 Name=ip-permission.to-port,Values=80 Name=ip-permission.cidr,Values='0.0.0.0/0' \
	--query 'SecurityGroups[*].{Name:GroupName}'

04 If the selected security group is not valid, the command output will be an empty list:

[]

Case B: to determine if your Elastic Load Balancer uses any insecure security groups, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Listeners tab from the bottom panel.

06 Check the load balancer listeners configuration and note the listener ports.

07 Select the Security tab from the bottom panel.

08 Click on each associated security group ID under Security Group ID column to open the selected security group configuration page.

09 Select the Inbound tab from the bottom panel and check for any inbound rules that are not defined in the ELB listeners configuration.

10 Select the Outbound tab from the bottom panel and check for any outbound rules that are not defined in the ELB listeners configuration. Any additional inbound or outbound rules defined in the selected security group configuration will increase the risk of unauthorized access and make the security group insecure.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) to return the IDs of the security groups associated with the Elastic Load Balancer:

aws elb describe-load-balancers \
	--load-balancer-name MyWebELB

02 The command output should reveal the associated security groups IDs:

{
    "LoadBalancerDescriptions": [
        {
            "Subnets": [
                "subnet-91625dd7",
                "subnet-aaafce90",
                "subnet-d4247bfc",
                "subnet-df0e1cab"
            ],

            ...

            "SecurityGroups": [
                "sg-ca2404b2"
            ],

            ...

            "Scheme": "internet-facing",
            "SourceSecurityGroup": {
                "OwnerAlias": "123456789012",
                "GroupName": "default"
            }
        }
    ]
}

03 Run describe-security-groups command (OSX/Linux/UNIX) using each security group ID returned in the previous step to determine if the security group is insecure:

aws ec2 describe-security-groups \
	--group-ids sg-ca2404b2

04 If the associated security group allows access to any ports that are not defined in the ELB listeners configuration, the security group is rendered insecure. The command output should reveal the selected security group inbound and outbound port configuration:

{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "PrefixListIds": [],
                    "FromPort": 80,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 80,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                },
                {
                    "PrefixListIds": [],
                    "FromPort": 22,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 22,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                }
            ],
            "Description": "ELBSG",
            "IpPermissions": [
                {
                    "PrefixListIds": [],
                    "FromPort": 80,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 80,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                },
                {
                    "PrefixListIds": [],
                    "FromPort": 22,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 22,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                }
            ],
            "GroupName": "MyWebELBSG",
            "VpcId": "vpc-f7ac5792",
            "OwnerId": "123456789012",
            "GroupId": "sg-ca2404b2"
        }
    ]
}
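To run the Case A and Case B checks above outside the console, here is an added example in Python (not Cloud Conformity's or AWS's code) that reads the JSON printed by the two describe-* commands and classifies each attached security group as invalid (a listener port is not opened), insecure (rules cover ports the listeners do not use) or ok. The listener port set is taken from the ListenerDescriptions field of describe-load-balancers output; the sample documents embedded in the script are constructed to mirror the page's sg-ca2404b2 (ports 80 and 22 open both ways) and a VPC default group.

```python
"""Audit an ELB's security groups against its listener configuration (added example).

Consumes the JSON printed by `aws elb describe-load-balancers` and
`aws ec2 describe-security-groups` and classifies each attached group:
  invalid  - a listener port is not opened by any inbound rule      (Case A)
  insecure - inbound/outbound rules cover ports the listeners lack  (Case B)
  ok       - inbound and outbound rules match the listener ports exactly
"""
import json
import sys


def listener_ports(elb):
    """Front-end ports of a classic ELB, taken from its ListenerDescriptions."""
    return {int(d["Listener"]["LoadBalancerPort"])
            for d in elb.get("ListenerDescriptions", [])}


def rule_ports(permissions):
    """Flatten IpPermissions into (protocol, port) pairs for rules that carry an
    IPv4 CIDR. "-1" (all traffic) has no port and is recorded as ("-1", None).
    Rules that only reference other groups (UserIdGroupPairs), such as the VPC
    default group's self-reference, do not open the port to clients; skipped."""
    pairs = set()
    for perm in permissions:
        if not perm.get("IpRanges"):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":
            pairs.add(("-1", None))
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None:
            continue
        pairs.update((proto, p) for p in range(int(lo), int(hi) + 1))
    return pairs


def audit_security_group(sg, ports):
    """Compare one security group document against the listener port set."""
    inbound = rule_ports(sg.get("IpPermissions", []))
    outbound = rule_ports(sg.get("IpPermissionsEgress", []))
    tcp_open = {p for proto, p in inbound if proto == "tcp"}
    # An all-traffic rule covers every listener port (but is flagged as extra below).
    missing = set() if ("-1", None) in inbound else {p for p in ports if p not in tcp_open}
    # Anything other than "tcp on a listener port" is surplus exposure.
    extra_in = {pair for pair in inbound if pair[0] != "tcp" or pair[1] not in ports}
    extra_out = {pair for pair in outbound if pair[0] != "tcp" or pair[1] not in ports}
    status = "invalid" if missing else ("insecure" if extra_in or extra_out else "ok")
    return {"status": status, "missing": missing,
            "extra_inbound": extra_in, "extra_outbound": extra_out}


def audit_load_balancer(elb, groups_by_id):
    """Audit every group attached to the ELB. A group id without a description
    (the group was deleted) is reported as invalid, per the page's warning."""
    ports = listener_ports(elb)
    report = {}
    for sg_id in elb.get("SecurityGroups", []):
        sg = groups_by_id.get(sg_id)
        if sg is None:
            report[sg_id] = {"status": "invalid", "missing": set(ports),
                             "extra_inbound": set(), "extra_outbound": set()}
        else:
            report[sg_id] = audit_security_group(sg, ports)
    return report


def cidr_rule(port, cidr="0.0.0.0/0"):
    """Build a single-port tcp IpPermission (helper for the constructed sample)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": [], "PrefixListIds": []}


# Constructed sample data: the page's MyWebELB (listener on 80) attached to
# sg-ca2404b2 (80 and 22 open both ways) and to a VPC default group whose only
# inbound rule is the usual self-reference.
SAMPLE_ELB = {
    "LoadBalancerName": "MyWebELB",
    "ListenerDescriptions": [{"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                                           "InstanceProtocol": "HTTP", "InstancePort": 80},
                              "PolicyNames": []}],
    "SecurityGroups": ["sg-ca2404b2", "sg-e95df78c"],
}
SAMPLE_SGS = {
    "sg-ca2404b2": {"GroupId": "sg-ca2404b2", "GroupName": "MyWebELBSG",
                    "IpPermissions": [cidr_rule(80), cidr_rule(22)],
                    "IpPermissionsEgress": [cidr_rule(80), cidr_rule(22)]},
    "sg-e95df78c": {"GroupId": "sg-e95df78c", "GroupName": "default",
                    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                                       "UserIdGroupPairs": [{"GroupId": "sg-e95df78c"}]}],
                    "IpPermissionsEgress": [{"IpProtocol": "-1",
                                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}

if __name__ == "__main__":
    # usage: python audit_elb_sg.py elb.json sgs.json  (saved describe-* output)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            elb = json.load(f)["LoadBalancerDescriptions"][0]
        with open(sys.argv[2]) as f:
            groups = {g["GroupId"]: g for g in json.load(f)["SecurityGroups"]}
    else:
        elb, groups = SAMPLE_ELB, SAMPLE_SGS
    for sg_id, r in audit_load_balancer(elb, groups).items():
        print(f"{sg_id}: {r['status']} missing={sorted(r['missing'])} "
              f"extra_in={sorted(r['extra_inbound'], key=str)} "
              f"extra_out={sorted(r['extra_outbound'], key=str)}")
```

Run it with no arguments to see the constructed sample classified (sg-ca2404b2 is insecure because of port 22, the default group is invalid because nothing opens port 80 to clients), or save the output of the two describe-* commands to files and pass their paths. A rule that opens all traffic ("-1") is treated as covering the listener ports but is still reported as extra exposure, so such a group comes out insecure rather than ok.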

Remediation / Resolution

To update an insecure or invalid security group assigned to your load balancer, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Security tab from the bottom panel.

06 Click on each associated security group ID under Security Group ID column to open the selected security group configuration page.

07 Select the Inbound tab from the bottom panel and click the Edit button.

08 In the Edit inbound rules dialog box:

  1. Click Add Rule to add inbound rules that match the listeners defined in the ELB configuration, then click Save.
  2. Click the delete button to remove inbound rules that do not match the listeners defined in the ELB configuration, then click Save.

09 Select the Outbound tab from the bottom panel and click the Edit button.

10 In the Edit Outbound rules dialog box:

  1. Click Add Rule to add outbound rules that match the listeners defined in the ELB configuration, then click Save.
  2. Click the delete button to remove outbound rules that do not match the listeners defined in the ELB configuration, then click Save.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) to return the IDs of the security groups associated with your Elastic Load Balancer:

aws elb describe-load-balancers \
	--load-balancer-name MyWebELB

02 The command output should reveal the associated security groups IDs:

{
    "LoadBalancerDescriptions": [
        {
            "Subnets": [
                "subnet-91625dd7",
                "subnet-aaafce90",
                "subnet-d4247bfc",
                "subnet-df0e1cab"
            ],
            ...
            "SecurityGroups": [
                "sg-ca2404b2"
            ],
            ...
            "Scheme": "internet-facing",
            "SourceSecurityGroup": {
                "OwnerAlias": "123456789012",
                "GroupName": "default"
            }
        }
    ]
}

03 To add one or more inbound (ingress) rules to the selected security group, run the authorize-security-group-ingress command (OSX/Linux/UNIX):

aws ec2 authorize-security-group-ingress \
	--group-id sg-ca2404b2 \
	--protocol tcp \
	--port 443 --cidr 0.0.0.0/0

04 To remove one or more inbound (ingress) rules from the selected security group, run the revoke-security-group-ingress command (OSX/Linux/UNIX):

aws ec2 revoke-security-group-ingress \
	--group-id sg-ca2404b2 \
	--protocol tcp \
	--port 22 \
	--cidr 0.0.0.0/0

05 To add one or more outbound (egress) rules to the selected security group, run the authorize-security-group-egress command (OSX/Linux/UNIX):

aws ec2 authorize-security-group-egress \
	--group-id sg-ca2404b2 \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

06 To remove one or more outbound (egress) rules from the selected security group, run the revoke-security-group-egress command (OSX/Linux/UNIX):

aws ec2 revoke-security-group-egress \
	--group-id sg-ca2404b2 \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run the describe-security-groups command (OSX/Linux/UNIX) again to verify that the selected security group has been successfully updated:

aws ec2 describe-security-groups \
	--group-ids sg-ca2404b2

08 The command output should reveal the new security group configuration for inbound and outbound traffic:

{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "PrefixListIds": [],
                    "FromPort": 80,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 80,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                },
                {
                    "PrefixListIds": [],
                    "FromPort": 443,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 443,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                }
            ],
            "Description": "ELBSG",
            "IpPermissions": [
                {
                    "PrefixListIds": [],
                    "FromPort": 80,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 80,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                },
                {
                    "PrefixListIds": [],
                    "FromPort": 443,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 443,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": []
                }
            ],
            "GroupName": "MyWebELBSG",
            "VpcId": "vpc-f7ac5792",
            "OwnerId": "123456789012",
            "GroupId": "sg-ca2404b2"
        }
    ]
}
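Steps 03 to 06 above are easy to get wrong by hand when a group has several surplus rules, so here is an added example in Python (not Cloud Conformity's or AWS's code) that derives the exact authorize/revoke invocations from one describe-security-groups document and the listener port set, and renders them as a script to review before running. It assumes, as the page does, that the listeners are TCP and the intended peer CIDR is 0.0.0.0/0, so a rule is kept only if it is exactly "tcp, one listener port, that CIDR"; the embedded sample is constructed to mirror sg-ca2404b2 before remediation (80 and 22 open) with listeners on 80 and 443 (the page's target state).

```python
"""Derive the authorize/revoke commands that bring a security group in line with
the ELB listeners (added example, not Cloud Conformity's or AWS's code).

Input: one group document from `aws ec2 describe-security-groups` plus the
listener port set. Output: the CLI invocations from remediation steps 03-06,
as argv lists, rendered for review before anything is executed.
"""
import json
import shlex

ANY_IPV4 = "0.0.0.0/0"   # assumed intended peer CIDR, as on the page
_SPEC_KEYS = ("IpProtocol", "FromPort", "ToPort", "IpRanges",
              "Ipv6Ranges", "UserIdGroupPairs", "PrefixListIds")


def is_exact_listener_rule(perm, ports, cidr):
    """True for a single-port tcp rule on a listener port whose only peer is cidr."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == perm.get("ToPort")
            and perm.get("FromPort") in ports
            and [r.get("CidrIp") for r in perm.get("IpRanges", [])] == [cidr]
            and not perm.get("Ipv6Ranges")
            and not perm.get("UserIdGroupPairs")
            and not perm.get("PrefixListIds"))


def plan_remediation(sg, ports, cidr=ANY_IPV4):
    """Return argv lists: for ingress then egress, revokes first, then authorizes.
    Surplus rules are handed back verbatim through --ip-permissions so each revoke
    matches the existing rule exactly (a simple --port/--cidr revoke would not
    match a port range or an all-traffic "-1" rule). Missing listener ports are
    added with the --protocol/--port/--cidr form used on the page."""
    gid = sg["GroupId"]
    plan = []
    for key, direction in (("IpPermissions", "ingress"),
                           ("IpPermissionsEgress", "egress")):
        kept = set()
        for perm in sg.get(key, []):
            if is_exact_listener_rule(perm, ports, cidr):
                kept.add(perm["FromPort"])
                continue
            spec = {k: perm[k] for k in _SPEC_KEYS if perm.get(k) not in (None, [])}
            plan.append(["aws", "ec2", f"revoke-security-group-{direction}",
                         "--group-id", gid, "--ip-permissions", json.dumps([spec])])
        for port in sorted(ports - kept):
            plan.append(["aws", "ec2", f"authorize-security-group-{direction}",
                         "--group-id", gid, "--protocol", "tcp",
                         "--port", str(port), "--cidr", cidr])
    return plan


def render(plan):
    """Shell-quoted script text, one command per line (JSON ends up single-quoted)."""
    return "\n".join(" ".join(shlex.quote(a) for a in argv) for argv in plan)


def cidr_rule(port, cidr=ANY_IPV4):
    """Build a single-port tcp IpPermission (helper for the constructed sample)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": [], "PrefixListIds": []}


# Constructed sample mirroring the page: sg-ca2404b2 currently opens 80 and 22
# both ways, while the listeners are on 80 and 443.
SAMPLE_SG = {"GroupId": "sg-ca2404b2", "GroupName": "MyWebELBSG",
             "IpPermissions": [cidr_rule(80), cidr_rule(22)],
             "IpPermissionsEgress": [cidr_rule(80), cidr_rule(22)]}
LISTENER_PORTS = {80, 443}

if __name__ == "__main__":
    # Prints four commands: revoke 22 / authorize 443 for ingress, then for egress.
    print(render(plan_remediation(SAMPLE_SG, LISTENER_PORTS)))
```

Review the rendered script, then pipe it to sh; a second run against the updated group produces an empty plan, which doubles as the verification in step 07. For Case A, where the load balancer sits in the VPC default group, do not reshape the default group with this plan (other resources in the VPC may depend on it): create a dedicated group, bring it to the target state, and attach it with aws elb apply-security-groups-to-load-balancer (an AWS CLI command not shown on the page).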

Publication date Apr 6, 2016