
AWS ELBv2 Security Groups

Last updated: 08 April 2018
Security

Risk level: High (act today)

Ensure that all Application Load Balancers (ALBs) available in your AWS account are associated with valid and secure security groups that restrict access only to the ports defined in the load balancers' listener configuration.

Having well-configured security groups attached to your ELBv2 load balancers can substantially reduce the risk of data loss and unauthorized access. The security groups must also be valid: when a load balancer is created without specifying a security group, the ALB/NLB is automatically associated with the VPC’s default security group, which is considered invalid.

Audit

Case A: To determine if your ELBv2 load balancers are using insecure or invalid security groups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the load balancer that you want to examine.

05 Select the Listeners tab from the bottom panel to check the load balancer listener configuration details (i.e. protocol and port).

06 Select Description tab from the dashboard bottom panel to view the ELBv2 resource description.

07 Within Security section, click on the listed security group ID, e.g. sg-1234abcd, to open the security group configuration page.

08 On the selected security group configuration page, perform the following checks:

  1. Select Description tab from the dashboard bottom panel and check the security group name listed as value for the Group name attribute. If the name is set to default, it references the VPC’s default security group, therefore the selected security group is considered invalid.
  2. Select Inbound tab from the dashboard bottom panel and check for any inbound/ingress rules that are not defined within the ELBv2 load balancer listeners configuration verified at step no. 5. If there are inbound rules that do not match the listeners current configuration, the selected security group is considered insecure.
  3. Select Outbound tab from the dashboard bottom panel and check for any outbound/egress rules that are not defined within the load balancer listeners configuration verified at step no. 5. If there are outbound rules that do not match the listeners current configuration, the selected security group is considered insecure.

09 Repeat steps no. 7 and 8 to check other security groups associated with the selected load balancer.

10 Repeat steps no. 4 – 9 to verify other Amazon ELBv2 load balancers, provisioned in the current region, for invalid/insecure security groups.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all existing AWS ELBv2 load balancers available in the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return a table with the requested Amazon Resource Names (ARNs):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-frontend-alb/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-web-internal-alb/aaaabbbbccccdddd"
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the ALB that you want to examine as identifier and custom query filters to describe the selected load balancer's listener configuration details (protocol and port):

aws elbv2 describe-listeners \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd \
	--query 'Listeners[*].[Protocol,Port]'

04 The command output should return the requested configuration information, one [protocol, port] pair per listener:

[
    [
        "HTTP",
        80
    ]
]

05 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to expose the ID(s) of the security group(s) attached to the selected load balancer:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-frontend-alb/aaaabbbbccccdddd \
	--query 'LoadBalancers[*].SecurityGroups[]'

06 The command output should return an array with the requested ID(s):

[
    "sg-1234abcd"
]

07 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the security group returned at the previous step as identifier to list the security group configuration details (name, inbound/outbound rules, etc.):

aws ec2 describe-security-groups \
	--region us-east-1 \
	--group-ids sg-1234abcd

08 The command output should return the requested configuration information:

{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "PrefixListIds": [],
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "Description": "ALB Web SG",
            "IpPermissions": [
                {
                    "PrefixListIds": [],
                    "FromPort": 80,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "ToPort": 80,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                },
                {
                    "IpProtocol": "-1",
                    "PrefixListIds": [],
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "GroupName": "default",
            "VpcId": "vpc-12345678",
            "OwnerId": "123456789012",
            "GroupId": "sg-1234abcd"
        }
    ]
}

09 Based on the information returned at the previous step, perform the following checks:

  1. If the GroupName attribute value is set to "default", as shown in the example above, it references the VPC’s default security group, therefore the selected security group is considered invalid.
  2. If the IpPermissions object contains inbound rules that do not match the listeners configuration returned at step no. 4, the selected security group is considered insecure.
  3. If the IpPermissionsEgress object contains outbound rules that do not match the listeners configuration returned at step no. 4, the selected security group is considered insecure.

10 Repeat steps no. 7 – 9 to check other security groups associated with the selected load balancer.

11 Repeat steps no. 3 – 10 to verify other Amazon ELBv2 load balancers, available in the current region, for invalid/insecure security groups.

12 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 11 to perform the entire audit process for other regions.
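The three checks from step no. 9, expressed as a small script. This is an added illustration, not Cloud Conformity's own tooling: it applies the checks to the describe-security-groups output shown above (embedded here as a constructed, trimmed sample) together with the describe-listeners output from step no. 4, and it also builds the per-listener IpPermissions list a replacement security group would need. The mapping from listener protocols to security group IpProtocol values is an assumption of this example.

```python
import json
# Constructed sample: the describe-security-groups output shown on this page, trimmed
# to the fields the checks read (the real output carries more keys per rule).
SG = json.loads("""
{"GroupName": "default", "GroupId": "sg-1234abcd",
 "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
 "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
""")
# Constructed sample: output of describe-listeners --query 'Listeners[*].[Protocol,Port]'
LISTENERS = [["HTTP", 80]]
# Assumed mapping from ELBv2 listener protocols to the IpProtocol values used in SG rules.
L4_PROTOCOL = {"HTTP": "tcp", "HTTPS": "tcp", "TCP": "tcp", "TLS": "tcp", "UDP": "udp"}

def listener_ports(listeners):
    """Set of (ip_protocol, port) pairs the load balancer actually listens on."""
    return {(L4_PROTOCOL[proto], port) for proto, port in listeners}

def rule_text(rule):
    """Readable form of one IpPermissions entry, e.g. 'tcp/80-80 from 0.0.0.0/0'."""
    cidrs = ",".join(r["CidrIp"] for r in rule.get("IpRanges", [])) or "-"
    if rule["IpProtocol"] == "-1":
        return f"all traffic from {cidrs}"
    return f'{rule["IpProtocol"]}/{rule.get("FromPort")}-{rule.get("ToPort")} from {cidrs}'

def rule_matches_listener(rule, wanted):
    """A rule passes only if it covers exactly one listener port: no ranges, no all-traffic."""
    if rule["IpProtocol"] == "-1" or rule.get("FromPort") != rule.get("ToPort"):
        return False
    return (rule["IpProtocol"], rule.get("FromPort")) in wanted

def audit_security_group(sg, listeners):
    """Apply the three checks from audit step 9; an empty list means the group is compliant."""
    wanted = listener_ports(listeners)
    findings = []
    if sg["GroupName"] == "default":  # check 1: the VPC default group is invalid
        findings.append("invalid: VPC default security group")
    for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress")):
        for rule in sg.get(key, []):  # checks 2 and 3: every rule must match a listener
            if not rule_matches_listener(rule, wanted):
                findings.append(f"insecure: {direction} rule '{rule_text(rule)}' matches no listener")
    return findings

def desired_permissions(listeners, cidr="0.0.0.0/0"):
    """IpPermissions list for authorize-security-group-ingress/egress, one entry per listener."""
    return [{"IpProtocol": p, "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}
            for p, port in sorted(listener_ports(listeners))]
```

In practice, replace SG and LISTENERS with the parsed output of the describe-security-groups and describe-listeners commands above. Note that a newly created security group carries an allow-all outbound rule, which check 3 would flag, so revoke it (aws ec2 revoke-security-group-egress) before authorizing the listener-specific egress rules from the remediation section.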

Remediation / Resolution

To replace any invalid/insecure security group associated with your Amazon ELBv2 load balancers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY, choose Security Groups.

04 Click Create Security Group button from the dashboard top menu to create a new security group for your ELBv2 load balancer.

05 In the Create Security Group dialog box, provide the following details:

  1. In the Security group name box, enter a name for your new valid security group.
  2. In the Description box, provide a description to reflect the security group usage.
  3. From the VPC dropdown list, select the appropriate VPC ID.
  4. Inside the Inbound tab, click Add rule to add the required inbound rule(s) that will match your load balancer listeners configuration.
  5. Inside the Outbound tab, click Add rule to add the required outbound rule(s) that will match your load balancer listeners configuration.
  6. Click Create button to create the new security group.

06 In the left navigation panel, in the LOAD BALANCING section, choose Load Balancers.

07 Select the load balancer that you want to reconfigure.

08 Select Description tab from the dashboard bottom panel to view the ELBv2 resource description.

09 In the Security section, click Edit security groups to attach/detach security groups to/from your load balancer.

10 Within Edit security groups dialog box, check the security group created at step no. 5 to attach the new security group to the load balancer and uncheck the invalid/insecure security group identified during the audit process to detach it from the selected load balancer. Click Save to apply the changes.

11 Repeat steps no. 4 – 10 to replace invalid/insecure security group associated with other AWS ELBv2 load balancers provisioned in the current region.

12 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run create-security-group command (OSX/Linux/UNIX) to set up a new security group that will replace the invalid/insecure one attached to your load balancer. The following command example creates a security group called "cc-web-alb-sg" inside a VPC identified with the ID vpc-12345678 available within the US East region:

aws ec2 create-security-group \
	--region us-east-1 \
	--group-name cc-web-alb-sg \
	--description "Cloud Conformity Web ALB SG" \
	--vpc-id vpc-12345678

02 The command output should return the new security group ID:

{
    "GroupId": "sg-abcd1234"
}

03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier to define the necessary inbound rules that will match the load balancer listeners. Run the command as many times as needed, changing the --protocol, --port and --cidr parameter values accordingly (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-abcd1234 \
	--protocol tcp \
	--port 80 \
	--cidr 0.0.0.0/0

04 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the group ID returned at step no. 2 as identifier to define the necessary outbound rules that will match the load balancer listeners. Run the command as many times as needed, changing the --ip-permissions parameter value accordingly (the command does not return an output):

aws ec2 authorize-security-group-egress \
	--region us-east-1 \
	--group-id sg-abcd1234 \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

05 Run set-security-groups command (OSX/Linux/UNIX) to replace the existing (invalid/insecure) security group(s) associated with the selected ELBv2 load balancer:

aws elbv2 set-security-groups \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd \
	--security-groups sg-abcd1234

06 The command output should return the ID of the associated security group:

{
    "SecurityGroupIds": [
        "sg-abcd1234"
    ]
}

07 Repeat steps no. 1 – 6 to replace invalid/insecure security group associated with other AWS ELBv2 load balancers provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 for other regions.

Publication date Feb 5, 2018