
Enable Elastic Load Balancing Deletion Protection


Risk level: Medium (should be achieved)

Ensure that your ELBv2 load balancers (Application Load Balancers and Network Load Balancers) have the Deletion Protection feature enabled in order to protect them from being accidentally deleted.

With the Deletion Protection safety feature enabled, an AWS load balancer cannot be deleted until the feature is explicitly disabled again, so an accidental delete request (from the console, the CLI or an automation tool) fails instead of taking down your load-balanced environment.

Audit

To determine if your load balancers (ELBv2) are protected against accidental deletion, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the AWS load balancer that you want to examine.

05 Select Description tab from the dashboard bottom panel to view the ELBv2 resource description.

06 Inside Attributes section, check the Deletion Protection configuration attribute value. If the attribute value is set to Disabled, the Deletion Protection safety feature is not enabled for the selected AWS load balancer.

07 Repeat steps no. 4 – 6 to verify Deletion Protection feature status for other AWS load balancers provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all your load balancers (ELBv2) available within the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return an array with the requested ELBv2 ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-alb/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-elb/aaaabbbbccccdddd"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as identifier and custom query filters to check the Deletion Protection feature status for the selected ELBv2 resource:

aws elbv2 describe-load-balancer-attributes \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-alb/aaaabbbbccccdddd \
	--query 'Attributes[?(Key == `deletion_protection.enabled`)].Value | []'

04 The command output should return the requested feature status (true for enabled, false for disabled):

[
    "false"
]

If the describe-load-balancer-attributes command output returns "false", as shown in the output example above, the Deletion Protection safety feature is not currently enabled for the selected load balancer.

05 Repeat steps no. 3 and 4 to verify the Deletion Protection feature status for other AWS load balancers provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Deletion Protection safety feature for your AWS Application Load Balancers and Network Load Balancers (ELBv2), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the ELBv2 load balancer that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select Description tab from the dashboard bottom panel to view the resource description.

06 Within Attributes section, click Edit attributes button to access the load balancer attributes configuration.

07 Inside Edit load balancer attributes dialog box, select the checkbox next to Enable deletion protection, then click Save to apply the change and enable the Deletion Protection feature. The Deletion Protection attribute value should change now to Enabled.

08 Repeat steps no. 4 – 7 to enable deletion protection for other AWS load balancers provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to reconfigure as identifier to enable Deletion Protection safety feature for the selected ELBv2 resource:

aws elbv2 modify-load-balancer-attributes \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-alb/aaaabbbbccccdddd \
	--attributes Key=deletion_protection.enabled,Value=true

02 The command output should return the metadata for the modified load balancer attributes:

{
    "Attributes": [
        {
            "Value": "true",
            "Key": "deletion_protection.enabled"
        },
        {
            "Value": "false",
            "Key": "access_logs.s3.enabled"
        },
        {
            "Value": "60",
            "Key": "idle_timeout.timeout_seconds"
        },
        {
            "Value": "",
            "Key": "access_logs.s3.prefix"
        },
        {
            "Value": "",
            "Key": "access_logs.s3.bucket"
        }
    ]
}

03 Repeat steps no. 1 and 2 to enable deletion protection for other Amazon load balancers available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the remediation process for other regions.
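The audit (steps 1 - 5) and the remediation (steps 1 - 3) above can be automated for a whole region in one pass. The script below is an added example, not Cloud Conformity's code: it uses boto3 (the AWS SDK for Python) to page through describe-load-balancers, read the deletion_protection.enabled attribute for each ARN, and, only when run with --fix, call modify-load-balancer-attributes on the non-compliant ones. The elbv2 client is passed in as a parameter, so the same functions can be exercised offline against a stub client (the stub is an assumption for testing, not an AWS API).

```python
"""Audit (and optionally enable) deletion protection on every ELBv2 load balancer in a region.

Added example, not Cloud Conformity's code. Uses boto3 (the AWS SDK for Python); the
elbv2 client is injected so the logic can also be run offline against a stub client.
"""
import sys

ATTR = "deletion_protection.enabled"  # attribute key used by describe/modify-load-balancer-attributes


def list_load_balancer_arns(elbv2):
    """Return the ARNs of all ALBs/NLBs in the client's region, following pagination markers."""
    arns, kwargs = [], {}
    while True:
        page = elbv2.describe_load_balancers(**kwargs)
        arns.extend(lb["LoadBalancerArn"] for lb in page["LoadBalancers"])
        if "NextMarker" not in page:  # last page reached
            return arns
        kwargs = {"Marker": page["NextMarker"]}


def deletion_protection_enabled(elbv2, arn):
    """True when the deletion_protection.enabled attribute is the string 'true' (ELBv2 values are strings)."""
    attrs = elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]
    return any(a["Key"] == ATTR and a["Value"] == "true" for a in attrs)


def audit_region(elbv2, remediate=False):
    """Return {arn: enabled}; with remediate=True, enable deletion protection where it is missing."""
    results = {}
    for arn in list_load_balancer_arns(elbv2):
        enabled = deletion_protection_enabled(elbv2, arn)
        if not enabled and remediate:
            # Same call as the CLI: --attributes Key=deletion_protection.enabled,Value=true
            elbv2.modify_load_balancer_attributes(
                LoadBalancerArn=arn, Attributes=[{"Key": ATTR, "Value": "true"}]
            )
            enabled = True  # the modify call raises on failure, so reaching here means it was applied
        results[arn] = enabled
    return results


if __name__ == "__main__":
    import boto3  # only needed for a real run: python audit_elbv2_deletion_protection.py us-east-1 [--fix]

    region = sys.argv[1] if len(sys.argv) > 1 and not sys.argv[1].startswith("--") else "us-east-1"
    fix = "--fix" in sys.argv
    for arn, ok in audit_region(boto3.client("elbv2", region_name=region), remediate=fix).items():
        print(f"{'OK  ' if ok else 'FAIL'} {arn}")
```

Run it once per region without --fix to get the list of non-compliant ARNs (the FAIL lines), then with --fix to apply the remediation; the caller's IAM identity needs elasticloadbalancing:DescribeLoadBalancers, DescribeLoadBalancerAttributes and, for --fix, ModifyLoadBalancerAttributes.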


Publication date Nov 15, 2017