01
Run the describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the ARNs of all existing AWS ELBv2 load balancers available in the selected region:
aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[*].LoadBalancerArn'
02
The command output should return an array with the requested Amazon Resource Names (ARNs):
[
  "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-frontend-alb/aaaabbbbccccdddd",
  "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-web-internal-alb/aaaabbbbccccdddd"
]
03
Run the describe-listeners command (OSX/Linux/UNIX) using the ARN of the ALB that you want to examine as the identifier, with custom query filters, to describe the listener configuration (protocol and port) of the selected load balancer:
aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd \
  --query 'Listeners[*].[Protocol,Port]'
04
The command output should return the requested configuration information:
05
Run the describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to expose the ID(s) of the security group(s) attached to the selected load balancer:
aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-frontend-alb/aaaabbbbccccdddd \
  --query 'LoadBalancers[*].SecurityGroups[]'
06
The command output should return an array with the requested ID(s):
07
Run the describe-security-groups command (OSX/Linux/UNIX) using the ID of the security group returned at the previous step as the identifier to list the security group configuration details (name, inbound/outbound rules, etc.):
aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids sg-1234abcd
08
The command output should return the requested configuration information:
{
  "SecurityGroups": [
    {
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "PrefixListIds": [],
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "UserIdGroupPairs": [],
          "Ipv6Ranges": []
        }
      ],
      "Description": "ALB Web SG",
      "IpPermissions": [
        {
          "PrefixListIds": [],
          "FromPort": 80,
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "ToPort": 80,
          "IpProtocol": "tcp",
          "UserIdGroupPairs": [],
          "Ipv6Ranges": []
        },
        {
          "IpProtocol": "-1",
          "PrefixListIds": [],
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "UserIdGroupPairs": [],
          "Ipv6Ranges": []
        }
      ],
      "GroupName": "default",
      "VpcId": "vpc-12345678",
      "OwnerId": "123456789012",
      "GroupId": "sg-1234abcd"
    }
  ]
}
09
Based on the information returned at the previous step, perform the following checks:
- If the GroupName attribute value is set to "default", as shown in the example above, it references the VPC's default security group, therefore the selected security group is considered invalid.
- If the IpPermissions object contains inbound rules that do not match the listener configuration returned at step no. 4, the selected security group is considered insecure.
- If the IpPermissionsEgress object contains outbound rules that do not match the listener configuration returned at step no. 4, the selected security group is considered insecure.
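The three checks above, applied to the JSON that the AWS CLI returns at steps 04 and 08, as an added example (this script is not part of the original audit page). The listener values and the security group document are constructed samples that mirror the ones shown above; what counts as a rule "matching" the listener configuration is an assumption made here, namely that a rule matches only when it is TCP and its port range is exactly one listener port, so an IpProtocol of "-1" (all traffic) or a multi-port range is always flagged.

```python
"""Audit an ELBv2 security group against the load balancer's listeners.

Added example, not from the original page. Implements the step 09 checks
over the output of `describe-listeners` (step 04) and
`describe-security-groups` (step 08). The matching rule below (TCP, single
port equal to a listener port) is an assumption of this example.
"""

# Constructed sample: what `--query 'Listeners[*].[Protocol,Port]'` returns
# for the example ALB (HTTP and HTTPS listeners assumed for illustration).
SAMPLE_LISTENERS = [["HTTP", 80], ["HTTPS", 443]]

# Constructed sample: the step 08 output, trimmed to the fields the audit reads.
SAMPLE_SG_OUTPUT = {
    "SecurityGroups": [
        {
            "GroupId": "sg-1234abcd",
            "GroupName": "default",
            "VpcId": "vpc-12345678",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
        }
    ]
}


def listener_ports(listeners):
    """Collect the set of ports the load balancer listens on."""
    return {int(port) for _protocol, port in listeners}


def describe_rule(rule):
    """Render a rule as 'proto ports cidr,...' for a finding message."""
    proto = rule.get("IpProtocol", "?")
    span = "all ports" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return f"{proto} {span} {','.join(cidrs) or 'no CIDR'}"


def rule_matches_listeners(rule, ports):
    """Assumed matching rule: TCP, a single port, and that port is a listener port."""
    if rule.get("IpProtocol") != "tcp":
        return False
    from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port == to_port and from_port in ports


def audit_security_group(sg, listeners):
    """Return the list of findings for one security group (empty list = clean)."""
    ports = listener_ports(listeners)
    findings = []
    # Check 1: the VPC default security group must not be used.
    if sg.get("GroupName") == "default":
        findings.append("invalid: GroupName is 'default' (VPC default security group)")
    # Checks 2 and 3: every inbound and outbound rule must match a listener.
    for direction, key in (("inbound", "IpPermissions"),
                           ("outbound", "IpPermissionsEgress")):
        for rule in sg.get(key, []):
            if not rule_matches_listeners(rule, ports):
                findings.append(f"insecure: {direction} rule [{describe_rule(rule)}] "
                                f"does not match listener ports {sorted(ports)}")
    return findings


def audit_cli_output(sg_output, listeners):
    """Map each GroupId in describe-security-groups output to its findings."""
    return {sg["GroupId"]: audit_security_group(sg, listeners)
            for sg in sg_output.get("SecurityGroups", [])}


if __name__ == "__main__":
    for group_id, findings in audit_cli_output(SAMPLE_SG_OUTPUT, SAMPLE_LISTENERS).items():
        print(group_id, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the group is reported three times: once as invalid (default group), once for the all-traffic inbound rule, and once for the all-traffic outbound rule; the TCP/80 inbound rule passes because port 80 is a listener port. To use it on real output, replace the two samples with the parsed JSON from steps 04 and 08.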
10
Repeat steps no. 7 – 9 to check other security groups associated with the selected load balancer.
11
Repeat steps no. 3 – 10 to verify the other Amazon ELBv2 load balancers available in the current region for invalid/insecure security groups.
12
Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 11 to perform the entire audit process for other regions.