Check your Elastic Load Balancer (ELB) security layer for at least one valid security group that restricts access only to the ports defined in the load balancer listeners configuration.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
If your Elastic Load Balancer (ELB) is configured with a missing security group or a security group that grants access to any ports that are not defined in the listener configuration, the risk of data loss and unauthorized access increases.
If your ELB is created without specifying a security group, it is automatically associated with an invalid security group (VPC default security group).
If a security group associated with an existing ELB is deleted, the load balancer will stop working as expected.
Case A: to determine if your Elastic Load Balancer uses invalid security groups, perform the following:
Case B: to determine if your Elastic Load Balancer uses any insecure security groups, perform the following:
To update an insecure or invalid security group assigned to your load balancer, perform the following:
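The following Python script is an added example, not Cloud Conformity's own code, that implements the check this rule describes: Case A flags a load balancer with no security group, a security group that no longer exists, or the VPC default security group; Case B flags every inbound rule that grants more than a single port defined in the load balancer listeners, which is also the list of rules to revoke when you update the group. The input dicts are constructed here in the shape that the boto3 calls `elb.describe_load_balancers()` and `ec2.describe_security_groups()` return, so the script runs offline; the load balancer names, group ids, VPC id and CIDRs are sample values, and in practice you would feed the real API responses into `audit()`.

```python
"""Audit Classic ELB security groups against listener ports.

Added example for this rule; not Cloud Conformity's own code.  The inputs
below are constructed samples shaped like boto3's describe_load_balancers()
and describe_security_groups() responses; all ids and names are made up.
"""

# Constructed sample of elb.describe_load_balancers()["LoadBalancerDescriptions"].
LOAD_BALANCERS = [
    {
        "LoadBalancerName": "web-elb",
        "VPCId": "vpc-0example",
        "SecurityGroups": ["sg-0web"],
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443}},
            {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}},
        ],
    },
    {
        "LoadBalancerName": "legacy-elb",
        "VPCId": "vpc-0example",
        "SecurityGroups": ["sg-0default"],  # VPC default group -> Case A
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 8443}},
        ],
    },
]

# Constructed sample of ec2.describe_security_groups()["SecurityGroups"], keyed by id.
SECURITY_GROUPS = {
    "sg-0web": {
        "GroupId": "sg-0web",
        "GroupName": "web-elb-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # Port 22 is not a listener port -> Case B finding.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    "sg-0default": {
        "GroupId": "sg-0default",
        "GroupName": "default",
        "IpPermissions": [
            # Typical VPC default group: all traffic from members of the group itself.
            {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0default"}]},
        ],
    },
}


def listener_ports(lb):
    """Set of front-end ports defined in the load balancer listeners."""
    return {d["Listener"]["LoadBalancerPort"] for d in lb["ListenerDescriptions"]}


def rule_is_insecure(perm, allowed_ports):
    """True if an inbound rule grants anything beyond one listener port.

    IpProtocol "-1" means all protocols and ports (FromPort/ToPort absent).
    Any other rule is insecure unless FromPort == ToPort and that port is a
    listener port; port ranges are therefore always flagged.
    """
    if perm["IpProtocol"] == "-1":
        return True
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:
        return True
    return not (low == high and low in allowed_ports)


def audit(load_balancers, security_groups):
    """Return {lb_name: {"invalid": [...], "insecure": [...]}}.

    invalid  - Case A: no group attached, group not found, or VPC default group.
    insecure - Case B: (group_id, protocol, from_port, to_port) rules to revoke.
    """
    report = {}
    for lb in load_balancers:
        allowed = listener_ports(lb)
        invalid, insecure = [], []
        if not lb.get("SecurityGroups"):
            invalid.append("no security group attached")
        for sg_id in lb.get("SecurityGroups", []):
            sg = security_groups.get(sg_id)
            if sg is None:  # deleted group: the ELB will stop working as expected
                invalid.append(f"{sg_id}: security group not found")
                continue
            if sg["GroupName"] == "default":
                invalid.append(f"{sg_id}: VPC default security group")
            for perm in sg["IpPermissions"]:
                if rule_is_insecure(perm, allowed):
                    insecure.append((sg_id, perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
        report[lb["LoadBalancerName"]] = {"invalid": invalid, "insecure": insecure}
    return report


if __name__ == "__main__":
    for name, findings in audit(LOAD_BALANCERS, SECURITY_GROUPS).items():
        status = "FAIL" if findings["invalid"] or findings["insecure"] else "OK"
        print(f"{name}: {status} {findings}")
```

Each tuple in `insecure` maps directly onto the arguments you would pass to `ec2.revoke_security_group_ingress()` when tightening the group, and an empty `invalid` and `insecure` list for a load balancer means it passes this rule. The script only checks `GroupName == "default"` to recognise the VPC default group because that is the name AWS assigns it; a group you created and happened to name "default" would be flagged the same way.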