
Review AWS Internet Facing Load Balancers

Security

Risk level: High (not acceptable risk)

Ensure that all Amazon internet-facing load balancers (Classic Load Balancers and Application Load Balancers) provisioned within your AWS account are regularly reviewed for security purposes. An internet-facing AWS ELB/ALB has a publicly resolvable DNS name, required to route HTTP(S) requests from clients over the Internet to the EC2 instances that are registered with the load balancer. By contrast, an internal AWS load balancer is usually used within a multi-tier architecture, where front-end web servers make requests to the internal AWS ELB/ALB using private IP addresses that are resolved from the internal ELB/ALB DNS name.
Cloud Conformity recommends reviewing your internet-facing load balancers on a regular basis to ensure that the scheme used fits your requirements from the security standpoint.

This rule resolution is part of the Cloud Conformity Cost Optimisation Package

Using the right scheme (internal or internet-facing) for your AWS Classic Load Balancers (ELBs) and Application Load Balancers (ALBs) is essential for keeping your load balancing architecture secure.

Audit

To identify the scheme used by the ELBs/ALBs provisioned within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the load balancer that you want to examine.

05 Select the Description tab from the dashboard bottom panel.

06 Within the Basic Configuration section, check the Scheme attribute value set for the selected load balancer (regardless of the load balancer type – ELB or ALB). If the Scheme attribute value is set to internet-facing, the selected ELB/ALB is internet-facing and routes requests from clients over the Internet to the registered backend EC2 instances, therefore it must be reviewed from the security standpoint.

07 Repeat steps no. 4 – 6 to determine the scheme used by other Amazon load balancers available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Depending on the type of your load balancers (Classic or Application), run the following commands to determine the scheme used (i.e. internal or internet-facing):

  a. For Classic Load Balancers (ELBs):
    • Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the names of all your AWS ELBs provisioned within the selected region:
      aws elb describe-load-balancers \
        --region us-east-1 \
        --output table \
        --query 'LoadBalancerDescriptions[*].LoadBalancerName'
      
    • The command output should return a table with the requested ELB name(s):
      ------------------------------
      |    DescribeLoadBalancers   |
      +----------------------------+
      |  cloud-conformity-web-elb  |
      |  cc-frontend-web-app-elb   |
      +----------------------------+
      
    • Run again describe-load-balancers command (OSX/Linux/UNIX) using the name of the ELB returned at the previous step and custom filtering to expose the scheme used by the selected Classic Load Balancer:
      aws elb describe-load-balancers \
        --region us-east-1 \
        --load-balancer-name cloud-conformity-web-elb \
        --query 'LoadBalancerDescriptions[*].Scheme'
      
    • The command output should return the name of the scheme utilized by the specified ELB:
      [
          "internet-facing"
      ]
      

      If the command output returns "internet-facing" (as shown in the example above), the selected Classic Load Balancer is internet-facing and routes HTTP(S) requests from clients over the Internet to the registered EC2 instances, therefore it should be regularly reviewed.
  b. For Application Load Balancers (ALBs):
    • Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the names of all your Amazon ALBs available in the selected AWS region:
      aws elbv2 describe-load-balancers \
        --region us-east-1 \
        --output table \
        --query 'LoadBalancers[*].LoadBalancerName'
      
    • The command output should return a table with the requested ALB name(s):
      ------------------------------
      |    DescribeLoadBalancers   |
      +----------------------------+
      |  cloud-conformity-web-alb  |
      +----------------------------+
      
    • Run again describe-load-balancers command (OSX/Linux/UNIX) using the name of the ALB returned at the previous step (passed via the --names parameter) and custom filtering to reveal the scheme used by the selected Application Load Balancer:
      aws elbv2 describe-load-balancers \
        --region us-east-1 \
        --names cloud-conformity-web-alb \
        --query 'LoadBalancers[*].Scheme'
      
    • The command output should return the name of the scheme utilized by the specified ALB:
      [
          "internet-facing"
      ]
      

      If the describe-load-balancers command output returns "internet-facing" (as shown in the example above), the selected Application Load Balancer is internet-facing and routes requests from clients over the Internet to the registered EC2 backend instances, therefore it should be reviewed for security purposes.

02 Repeat step no. 1 (a. and b.) to determine the scheme used by other AWS load balancers available in the current region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.
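The CLI steps above inspect one load balancer at a time. The following script, added here as an example and not part of the Cloud Conformity page or the AWS CLI, performs the same audit over the JSON that `aws elb describe-load-balancers` and `aws elbv2 describe-load-balancers` return: it normalises the Scheme attribute of every Classic and Application Load Balancer, lists the internet-facing ones for review, and adds a cross-check that an internal load balancer's DNS name resolves only to private addresses. The two JSON documents embedded below are constructed samples shaped like the real API responses (the names mirror the page's sample tables); in a real run you would feed in the actual command output instead.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample shaped like `aws elb describe-load-balancers` JSON output
# (Classic Load Balancers). Names mirror the page's sample table.
CLASSIC_SAMPLE = json.dumps({
    "LoadBalancerDescriptions": [
        {"LoadBalancerName": "cloud-conformity-web-elb",
         "DNSName": "cloud-conformity-web-elb-123456789.us-east-1.elb.amazonaws.com",
         "Scheme": "internet-facing"},
        {"LoadBalancerName": "cc-frontend-web-app-elb",
         "DNSName": "internal-cc-frontend-web-app-elb-987654321.us-east-1.elb.amazonaws.com",
         "Scheme": "internal "},  # stray whitespace, as seen in pasted output; normalised below
    ]
})

# Constructed sample shaped like `aws elbv2 describe-load-balancers` JSON output
# (Application Load Balancers; the same call also lists NLBs and GWLBs).
V2_SAMPLE = json.dumps({
    "LoadBalancers": [
        {"LoadBalancerName": "cloud-conformity-web-alb", "Type": "application",
         "DNSName": "cloud-conformity-web-alb-111111111.us-east-1.elb.amazonaws.com",
         "Scheme": "internet-facing"},
        {"LoadBalancerName": "cloud-conformity-internal-alb", "Type": "application",
         "DNSName": "internal-cloud-conformity-internal-alb-19908854356.us-east-1.elb.amazonaws.com",
         "Scheme": "internal"},
    ]
})


@dataclass(frozen=True)
class Finding:
    region: str
    lb_type: str   # "classic" for ELB, otherwise the elbv2 "Type" (application, network, ...)
    name: str
    scheme: str    # normalised to "internet-facing" or "internal"
    dns_name: str


def _normalise_scheme(raw: str) -> str:
    """The API only emits "internet-facing" / "internal"; tolerate case and whitespace,
    but fail loudly on anything else rather than silently treating it as internal."""
    scheme = raw.strip().lower()
    if scheme not in ("internet-facing", "internal"):
        raise ValueError(f"unexpected Scheme value: {raw!r}")
    return scheme


def findings_from_classic(describe_json: str, region: str) -> list[Finding]:
    """Parse `aws elb describe-load-balancers` output into findings."""
    doc = json.loads(describe_json)
    return [Finding(region, "classic", lb["LoadBalancerName"],
                    _normalise_scheme(lb["Scheme"]), lb["DNSName"])
            for lb in doc.get("LoadBalancerDescriptions", [])]


def findings_from_v2(describe_json: str, region: str) -> list[Finding]:
    """Parse `aws elbv2 describe-load-balancers` output into findings."""
    doc = json.loads(describe_json)
    return [Finding(region, lb.get("Type", "application"), lb["LoadBalancerName"],
                    _normalise_scheme(lb["Scheme"]), lb["DNSName"])
            for lb in doc.get("LoadBalancers", [])]


def internet_facing(findings: list[Finding]) -> list[Finding]:
    """The review list: every load balancer reachable from the Internet."""
    return [f for f in findings if f.scheme == "internet-facing"]


def resolves_only_to_private(addresses: list[str]) -> bool:
    """Cross-check for a load balancer tagged internal: the addresses its DNS name
    resolves to should all be private (RFC 1918 / link-local / ULA). The caller
    passes the resolved addresses so this stays offline and testable."""
    return bool(addresses) and all(ipaddress.ip_address(a).is_private for a in addresses)


def audit(region: str, classic_json: str, v2_json: str) -> dict[str, list[str]]:
    """Summarise one region: load balancer names grouped by scheme."""
    findings = findings_from_classic(classic_json, region) + findings_from_v2(v2_json, region)
    return {
        "internet-facing": sorted(f.name for f in internet_facing(findings)),
        "internal": sorted(f.name for f in findings if f.scheme == "internal"),
    }


if __name__ == "__main__":
    # In a real run, replace the samples with the output of the two CLI commands above.
    for scheme, names in audit("us-east-1", CLASSIC_SAMPLE, V2_SAMPLE).items():
        print(f"{scheme}: {', '.join(names) or '(none)'}")
    # Constructed resolver result for an internal load balancer: two VPC-private addresses.
    print("internal LB resolves privately:", resolves_only_to_private(["10.0.1.25", "10.0.2.40"]))
```

Run it once per region (the `--region` value you would otherwise change by hand) and keep the "internet-facing" list as the set of load balancers that need the review described under Remediation/Resolution.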

Remediation/Resolution:

Case A: Review your internet-facing load balancers (ELBs and ALBs) and keep the current scheme configuration. In this case your Amazon load balancers are publicly accessible from the Internet by design (i.e. they comply with the security requirements established within your organization).
Case B: Review your internet-facing load balancers and change the scheme configuration for any load balancing resources (ELBs and ALBs) that do not comply with the regulatory security requirements. The scheme of an existing AWS load balancer cannot be changed in place, so to switch to the internal scheme you need to re-create the load balancer with the internal scheme configuration. To create internal Amazon ELBs/ALBs, perform the following:
Create internal Classic Load Balancers (ELBs):

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Click Create load balancer from the dashboard top menu, select Classic Load Balancer then click Continue.

05 On the Step 1: Define Load Balancer page, provide a unique name for your new AWS ELB, select the appropriate VPC from the Create LB Inside dropdown list and check Create an internal load balancer checkbox to set up the load balancer scheme. Check Enable advanced VPC configuration to configure the necessary listeners and availability zones. Once all these are configured, click Next: Assign Security Groups to continue the process with the security groups setup.

06 On the Step 2: Assign Security Groups page, select Create a new security group option and provide a name and a short description for the new security group. The new security group should contain a rule that allows traffic to the port that you configured your AWS load balancer to use. If you choose to use a different port for ELB health checks, just click Add Rule and add a rule that allows inbound traffic to that port as well. Click Next: Configure Security Settings.

07 On the Step 3: Configure Security Settings page, create the necessary HTTPS listener for your new ELB. If your Classic Load Balancer is not using an HTTPS listener just skip this page and click Next: Configure Health Check to continue with the next step.

08 On the Step 4: Configure Health Check page, configure the health check settings (if required) then choose Next: Add EC2 Instances.

09 On the Step 5: Add EC2 Instances page, select the EC2 instances to register with your ELB (i.e. backend instances), then click Next: Add Tags.

10 On the Step 6: Add Tags page, you can add tags to your ELB. Once these are added, click Review and Create.

11 On the Step 7: Review page, examine the ELB configuration details then click Create to build your internal Classic Load Balancer.

12 On the Load Balancer Creation status page, wait for the confirmation message then click Close to return to the dashboard.

13 Repeat steps no. 4 - 12 to launch additional internal ELBs within the current region.

14 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run create-load-balancer command (OSX/Linux/UNIX) to create an internal AWS Classic Load Balancer (ELB) named "cloud-conformity-internal-elb":

aws elb create-load-balancer \
	--region us-east-1 \
	--load-balancer-name cloud-conformity-internal-elb \
	--scheme internal \
	--listeners Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80 \
	--subnets subnet-19e73c6d subnet-2b394593 \
	--security-groups sg-cde853a6

02 The command output should return the DNS endpoint for the internal AWS ELB:

{
   "DNSName": "internal-cloud-conformity-internal-elb-19765346423.us-east-1.elb.amazonaws.com"
}

03 Now run register-instances-with-load-balancer command (OSX/Linux/UNIX) to register the necessary EC2 instance(s) with the AWS Classic Load Balancer created at the previous step:

aws elb register-instances-with-load-balancer \
	--region us-east-1 \
	--load-balancer-name cloud-conformity-internal-elb \
	--instances i-045ce6fda405da1b3 i-0f1a7517a463e674a

04 The command output should return the IDs of the backend instances registered with the ELB:

{
    "Instances": [
        {
            "InstanceId": "i-045ce6fda405da1b3"
        },
        {
            "InstanceId": "i-0f1a7517a463e674a"
        }
    ]
}

05 Repeat steps no. 1 - 4 to launch additional internal ELBs within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 for other regions.

Create internal Application Load Balancers (ALBs):

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Click Create load balancer from the dashboard top menu, select Application Load Balancer then click Continue.

05 On the Step 1: Configure Load Balancer page, provide a unique name for your new AWS ALB then set the load balancer Scheme to internal. Configure the necessary listeners and availability zones then once all these are configured, use the Add tag button, available in the Tags section, to attach tags to your new ALB. Click Next: Configure Security Settings to continue the setup process.

06 On the Step 2: Configure Security Settings page, create the necessary HTTPS listener for your new ALB. If your Application Load Balancer is not using an HTTPS listener just skip this page and click Next: Configure Security Groups to continue the process.

07 On the Step 3: Configure Security Groups page, select Create a new security group and provide a name and a short description for the new security group. This security group should contain a rule that allows traffic to the port that you configured your ALB to use. Click Next: Configure Routing.

08 On the Step 4: Configure Routing page, choose an existing Target Group or set a new one based on your requirements. In the Health checks section, click Advanced health check settings and configure the new load balancer health checks. Click Next: Register Targets to continue the ALB setup process.

09 On the Step 5: Register Targets page, use the Add to registered button to attach the necessary backend instances to the internal ALB. The new ALB will start routing requests to the registered EC2 instances as soon as the setup process is complete and the instances pass the initial health checks. Click Next: Review.

10 On the Step 6: Review page, examine all the required configuration details then click Create to build your new internal Application Load Balancer (ALB).

11 On the Load Balancer Creation status page, wait for the confirmation message then click Close to return to the dashboard.

12 Repeat steps no. 4 - 11 to create additional internal Amazon ALBs within the current region.

13 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run create-load-balancer command (OSX/Linux/UNIX) to launch a new internal AWS Application Load Balancer (ALB) named "cloud-conformity-internal-alb":

aws elbv2 create-load-balancer \
	--region us-east-1 \
	--name cloud-conformity-internal-alb \
	--scheme internal \
	--subnets subnet-19e73c6d subnet-2b394593 \
	--security-groups sg-cde853a6 \
	--tags Key=Environment,Value=production

02 The command output should return the new ALB metadata:

{
    "LoadBalancers": [
        {
            "VpcId": "vpc-3df56547",
            "State": {
                "Code": "provisioning"
            },
            "DNSName": "internal-cloud-conformity-internal-alb-19908854356.us-east-1.elb.amazonaws.com",
            "SecurityGroups": [
                "sg-cde853a6"
            ],
            "LoadBalancerName": "cloud-conformity-internal-alb",
            "CreatedTime": "2017-06-24T15:48:32.940Z",
            "Scheme": "internal",
            "Type": "application",
            "CanonicalHostedZoneId": "ZD74XDOTRQ7X8M",
            "AvailabilityZones": [
                {
                    "SubnetId": "subnet-19e73c6d",
                    "ZoneName": "us-east-1a"
                },
                {
                    "SubnetId": "subnet-2b394593",
                    "ZoneName": "us-east-1b"
                }
            ]
        }
    ]
}

03 Run create-target-group command (OSX/Linux/UNIX), using the ALB configuration details returned at the previous step (i.e. the VPC ID), to build the required target group for the newly created internal ALB:

aws elbv2 create-target-group \
	--region us-east-1 \
	--name cloud-conformity-target-group \
	--protocol HTTP \
	--port 80 \
	--vpc-id vpc-3df56547 \
	--health-check-protocol HTTP \
	--health-check-port traffic-port \
	--health-check-path /index.html \
	--health-check-interval-seconds 30 \
	--health-check-timeout-seconds 5 \
	--healthy-threshold-count 10 \
	--unhealthy-threshold-count 2

04 The command output should return the new target group metadata:

{
    "TargetGroups": [
        {
            "HealthCheckPath": "/index.html",
            "HealthCheckIntervalSeconds": 30,
            "VpcId": "vpc-3df56547",
            "Protocol": "HTTP",
            "HealthCheckTimeoutSeconds": 5,
            "HealthCheckProtocol": "HTTP",
            ...
            "Matcher": {
                "HttpCode": "200"
            },
            "HealthCheckPort": "traffic-port",
            "Port": 80,
            "TargetGroupName": "cloud-conformity-target-group"
        }
    ]
}

05 Now run register-targets command (OSX/Linux/UNIX) to add the necessary targets, i.e. the backend EC2 instances, to the new target group created at the previous step (the command does not produce an output):

aws elbv2 register-targets \
	--region us-east-1 \
	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cloud-conformity-target-group/3853a30941f6df0d \
	--targets Id=i-045ce6fda405da1b3 Id=i-0f1a7517a463e674a

06 Run create-listener command (OSX/Linux/UNIX) to create, configure and attach the necessary HTTP/HTTPS listener to the newly created AWS ALB:

aws elbv2 create-listener \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cloud-conformity-internal-alb/5cab232aa162303e \
	--protocol HTTP \
	--port 80 \
	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cloud-conformity-target-group/3853a30941f6df0d

07 The command output should return the new listener metadata:

{
   "Listeners": [
      {
         "Protocol": "HTTP",
         "DefaultActions": [
             {
                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cloud-conformity-target-group/3853a30941f6df0d",
                "Type": "forward"
             }
         ],
         "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cloud-conformity-internal-alb/5cab232aa162303e",
         "Port": 80,
         "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cloud-conformity-internal-alb/4cbe232aa162303a/5f7261424793c94a"
      }
   ]
}

08 Repeat steps no. 1 - 7 to launch additional internal ALBs within the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 for other regions.
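Steps 1 to 7 above require copying the VPC ID, load balancer ARN and target group ARN from one command's output into the next by hand. The script below, added here as an example and not part of the Cloud Conformity page or the AWS CLI, chains those four `aws elbv2` commands programmatically and stops before attaching a listener if the created load balancer did not come back with Scheme "internal". The `run` argument is an assumed injection point of this example: it receives an `aws` argv list and returns the command's JSON output, so the flow can be exercised offline with the fake runner at the bottom (whose responses are constructed, reusing the page's sample ARNs and IDs) and in production with the subprocess-based `aws_cli` runner.

```python
import json
import subprocess
from collections.abc import Callable

# A runner takes an `aws` argv (without the leading "aws") and returns the JSON it printed.
Runner = Callable[[list[str]], str]


def aws_cli(argv: list[str]) -> str:
    """Production runner: executes the AWS CLI from the local environment."""
    proc = subprocess.run(["aws", *argv, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def build_internal_alb(run: Runner, *, region: str, name: str, subnets: list[str],
                       security_group: str, instance_ids: list[str], port: int = 80) -> dict:
    """Create an internal ALB, verify its scheme, create a target group in the same
    VPC, register the instances, then attach an HTTP listener. Returns the identifiers."""
    base = ["elbv2", "--region", region]

    lb = json.loads(run(base + ["create-load-balancer", "--name", name,
                                "--scheme", "internal",
                                "--subnets", *subnets,
                                "--security-groups", security_group]))["LoadBalancers"][0]
    # Guard: the scheme is fixed at creation time, so stop here rather than wire
    # a listener onto something that is unexpectedly reachable from the Internet.
    if lb["Scheme"].strip() != "internal":
        raise RuntimeError(f"{name} came back with Scheme {lb['Scheme']!r}; not attaching a listener")
    lb_arn, vpc_id = lb["LoadBalancerArn"], lb["VpcId"]

    tg = json.loads(run(base + ["create-target-group", "--name", f"{name}-tg",
                                "--protocol", "HTTP", "--port", str(port),
                                "--vpc-id", vpc_id,
                                "--health-check-protocol", "HTTP",
                                "--health-check-port", "traffic-port",
                                "--health-check-path", "/index.html"]))["TargetGroups"][0]
    tg_arn = tg["TargetGroupArn"]

    # register-targets prints nothing, so its output is not parsed.
    run(base + ["register-targets", "--target-group-arn", tg_arn,
                "--targets", *[f"Id={i}" for i in instance_ids]])

    listener = json.loads(run(base + ["create-listener", "--load-balancer-arn", lb_arn,
                                      "--protocol", "HTTP", "--port", str(port),
                                      "--default-actions",
                                      f"Type=forward,TargetGroupArn={tg_arn}"]))["Listeners"][0]
    return {"load_balancer_arn": lb_arn, "target_group_arn": tg_arn,
            "listener_arn": listener["ListenerArn"], "dns_name": lb["DNSName"]}


# Offline runner for trying the flow without an AWS account. The ARNs and IDs reuse
# the page's sample output; the responses themselves are constructed stand-ins.
FAKE_LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cloud-conformity-internal-alb/5cab232aa162303e"
FAKE_TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cloud-conformity-target-group/3853a30941f6df0d"


def make_fake_runner(scheme: str = "internal") -> tuple[Runner, list[list[str]]]:
    """Returns (runner, calls): the runner answers with canned JSON and records every argv."""
    calls: list[list[str]] = []

    def run(argv: list[str]) -> str:
        calls.append(argv)
        cmd = argv[3]  # argv[0:3] is ["elbv2", "--region", <region>]
        if cmd == "create-load-balancer":
            return json.dumps({"LoadBalancers": [{
                "LoadBalancerArn": FAKE_LB_ARN, "VpcId": "vpc-3df56547",
                "Scheme": scheme, "Type": "application",
                "DNSName": "internal-cloud-conformity-internal-alb-19908854356.us-east-1.elb.amazonaws.com"}]})
        if cmd == "create-target-group":
            return json.dumps({"TargetGroups": [{"TargetGroupArn": FAKE_TG_ARN}]})
        if cmd == "register-targets":
            return ""
        if cmd == "create-listener":
            return json.dumps({"Listeners": [{
                "ListenerArn": FAKE_LB_ARN.replace("loadbalancer/app", "listener/app") + "/5f7261424793c94a"}]})
        raise AssertionError(f"unexpected command {cmd}")

    return run, calls


if __name__ == "__main__":
    runner, seen = make_fake_runner()
    result = build_internal_alb(runner, region="us-east-1", name="cloud-conformity-internal-alb",
                                subnets=["subnet-19e73c6d", "subnet-2b394593"],
                                security_group="sg-cde853a6",
                                instance_ids=["i-045ce6fda405da1b3", "i-0f1a7517a463e674a"])
    print(json.dumps(result, indent=2))
    print("commands issued:", [argv[3] for argv in seen])
```

To use it against a real account, pass `aws_cli` instead of the fake runner; the scheme check then protects against a wrapper or template that silently drops the `--scheme internal` flag, which is exactly the condition the audit above is meant to catch after the fact.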

Publication date Jul 12, 2017