Ensure that all Amazon internet-facing load balancers (Classic Load Balancers and Application Load Balancers) provisioned within your AWS account are regularly reviewed for security purposes. An internet-facing AWS ELB/ALB has a publicly resolvable DNS name that resolves to public IP addresses, which is what lets it route HTTP(S) requests from clients on the Internet to the EC2 instances registered with the load balancer. By contrast, an internal AWS load balancer is typically used within a multi-tier architecture: front-end web servers send requests to the internal ELB/ALB using private IP addresses resolved from the internal load balancer's DNS name, so the back-end tier is never reachable from the Internet.
Cloud Conformity recommends reviewing your internet-facing load balancers on a regular basis to ensure that the scheme used fits your requirements from the security standpoint.
Using the right scheme (internal or internet-facing) for your AWS Classic Load Balancers (ELBs) and Application Load Balancers (ALBs) is essential for keeping your load balancing architecture secure: a load balancer that only needs to serve internal tiers but is created as internet-facing exposes its listeners, and the instances behind them, to anyone on the Internet.
To identify the scheme used by the ELBs/ALBs provisioned within your AWS account, perform the following:
Case A: Review your internet-facing load balancers (ELBs and ALBs) and keep the current scheme configuration. In this case your Amazon load balancers are publicly accessible from the Internet by design (i.e. they comply with the security requirements established within your organization).
Case B: Review your internet-facing load balancers and change the scheme configuration for any load balancing resources (ELBs and ALBs) that do not meet your organization's security or regulatory requirements. The scheme of a Classic or Application Load Balancer cannot be modified after creation, so to change it you need to re-create the load balancer with the internal scheme (and then re-point clients at the new DNS name and delete the old load balancer). To create internal Amazon ELBs/ALBs, perform the following:
Create internal Classic Load Balancers (ELBs):
Create internal Application Load Balancers (ALBs):
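The audit and the Case A / Case B remediation above can be driven from the output of `aws elb describe-load-balancers` (Classic) and `aws elbv2 describe-load-balancers` (Application). The following is an added example, not code from the Cloud Conformity page: it classifies every load balancer by scheme and, for each internet-facing one that is not on an approved list, generates the `aws elb create-load-balancer` / `aws elbv2 create-load-balancer --scheme internal` command that re-creates it as internal while carrying over its subnets, security groups and (for Classic) listeners. The JSON samples are constructed and trimmed to the fields used; the `-internal` name suffix is an assumption (load balancer names must be unique per region), and for ALBs the target groups and listeners are separate resources that must be re-created afterwards with `aws elbv2 create-target-group` / `create-listener`.

```python
"""Audit ELB/ALB schemes and plan the internal re-creation of non-compliant ones.

Added example. Input is the JSON printed by:
  aws elb   describe-load-balancers --region <region>
  aws elbv2 describe-load-balancers --region <region>
"""
import json
import shlex

# Constructed sample of `aws elb describe-load-balancers` output (trimmed).
CLASSIC_OUTPUT = json.dumps({
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "web-clb",
            "DNSName": "web-clb-123456789.us-east-1.elb.amazonaws.com",
            "Scheme": "internet-facing",
            "Subnets": ["subnet-0aaa", "subnet-0bbb"],
            "SecurityGroups": ["sg-0111"],
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80}}
            ],
        },
        {
            "LoadBalancerName": "app-clb",
            "DNSName": "internal-app-clb-987654321.us-east-1.elb.amazonaws.com",
            "Scheme": "internal",
            "Subnets": ["subnet-0ccc"],
            "SecurityGroups": ["sg-0222"],
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 8080,
                              "InstanceProtocol": "HTTP", "InstancePort": 8080}}
            ],
        },
    ]
})

# Constructed sample of `aws elbv2 describe-load-balancers` output (trimmed).
ALBV2_OUTPUT = json.dumps({
    "LoadBalancers": [
        {
            "LoadBalancerName": "api-alb",
            "DNSName": "api-alb-1111.us-east-1.elb.amazonaws.com",
            "Scheme": "internet-facing",
            "Type": "application",
            "AvailabilityZones": [{"SubnetId": "subnet-0aaa"}, {"SubnetId": "subnet-0bbb"}],
            "SecurityGroups": ["sg-0333"],
        },
        {
            "LoadBalancerName": "reporting-alb",
            "DNSName": "internal-reporting-alb-2222.us-east-1.elb.amazonaws.com",
            "Scheme": "internal",
            "Type": "application",
            "AvailabilityZones": [{"SubnetId": "subnet-0ccc"}],
            "SecurityGroups": ["sg-0444"],
        },
    ]
})


def internet_facing(classic_json, v2_json):
    """Return (name, kind) for every load balancer whose scheme is internet-facing."""
    found = []
    for lb in json.loads(classic_json)["LoadBalancerDescriptions"]:
        if lb["Scheme"] == "internet-facing":
            found.append((lb["LoadBalancerName"], "classic"))
    for lb in json.loads(v2_json)["LoadBalancers"]:
        if lb["Scheme"] == "internet-facing":
            found.append((lb["LoadBalancerName"], lb["Type"]))
    return found


def classic_internal_command(lb):
    """Build the CLI call that re-creates a Classic LB with the internal scheme.
    Subnets, security groups and listeners are copied from the existing LB;
    the "-internal" suffix is an assumed naming convention."""
    listeners = [
        "Protocol={Protocol},LoadBalancerPort={LoadBalancerPort},"
        "InstanceProtocol={InstanceProtocol},InstancePort={InstancePort}".format(**d["Listener"])
        for d in lb["ListenerDescriptions"]
    ]
    argv = ["aws", "elb", "create-load-balancer",
            "--load-balancer-name", lb["LoadBalancerName"] + "-internal",
            "--scheme", "internal",
            "--subnets", *lb["Subnets"],
            "--security-groups", *lb["SecurityGroups"],
            "--listeners", *listeners]
    return shlex.join(argv)


def alb_internal_command(lb):
    """Build the CLI call that re-creates an Application LB with the internal scheme.
    Listeners/target groups are separate elbv2 resources and are not handled here."""
    if lb["Type"] != "application":
        raise ValueError("only Application Load Balancers are in scope: " + lb["LoadBalancerName"])
    subnets = [az["SubnetId"] for az in lb["AvailabilityZones"]]
    argv = ["aws", "elbv2", "create-load-balancer",
            "--name", lb["LoadBalancerName"] + "-internal",
            "--scheme", "internal", "--type", "application",
            "--subnets", *subnets,
            "--security-groups", *lb["SecurityGroups"]]
    return shlex.join(argv)


def remediation_plan(classic_json, v2_json, approved_public):
    """Case A: internet-facing LBs named in approved_public are kept as they are.
    Case B: every other internet-facing LB is mapped to its internal re-creation command."""
    plan = {}
    for lb in json.loads(classic_json)["LoadBalancerDescriptions"]:
        if lb["Scheme"] == "internet-facing" and lb["LoadBalancerName"] not in approved_public:
            plan[lb["LoadBalancerName"]] = classic_internal_command(lb)
    for lb in json.loads(v2_json)["LoadBalancers"]:
        if lb["Scheme"] == "internet-facing" and lb["LoadBalancerName"] not in approved_public:
            plan[lb["LoadBalancerName"]] = alb_internal_command(lb)
    return plan


if __name__ == "__main__":
    print("internet-facing:", internet_facing(CLASSIC_OUTPUT, ALBV2_OUTPUT))
    # "web-clb" is assumed to be intentionally public (Case A); "api-alb" is not.
    for name, cmd in remediation_plan(CLASSIC_OUTPUT, ALBV2_OUTPUT, {"web-clb"}).items():
        print(f"{name}: {cmd}")
```

The commands are emitted rather than executed so they can be reviewed before any change; the `Scheme` check is the whole audit, since a Classic or Application Load Balancer's DNS name alone does not reliably tell you whether it is public.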