Ensure that all internet-facing Application Load Balancers (ALBs) and Network Load Balancers (NLBs) available within your AWS cloud account are regularly reviewed for security purposes. An internet-facing load balancer has a publicly resolvable DNS name (identified by an A record), required to route requests/connections from clients over the Internet to the target instances registered with the ELBv2 load balancer. On the other hand, an internal ELBv2 load balancer is commonly used within a multi-tier architecture, where you have front-end web servers that perform requests to an internal load balancer, using private IP addresses that are resolved from the internal load balancer's DNS name. Trend Micro Cloud One™ – Conformity strongly recommends reviewing your Application Load Balancers and Network Load Balancers on a regular basis to ensure that the scheme used by each ELBv2 resource fits the necessary requirements from the security standpoint.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using the right scheme (internal or internet-facing) for your Application Load Balancers (ALBs) and Network Load Balancers (NLBs) is crucial for maintaining the security of your load balancing cloud architecture.
Audit
To identify the scheme used by the ELBv2 load balancers deployed within your AWS account, perform the following actions:
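As an added example, not the Conformity rule's own audit steps (which are not reproduced here), the check below parses the JSON that `aws elbv2 describe-load-balancers` returns and lists every ALB/NLB whose Scheme is internet-facing so it can be reviewed; the sample response, resource names, ARNs and DNS names are constructed, and `audit_region` assumes boto3 and AWS credentials are available.

```python
# Added example (not the Conformity rule's own audit steps): flag internet-facing
# ALBs/NLBs in the JSON that `aws elbv2 describe-load-balancers` returns.
# SAMPLE_RESPONSE is a constructed sample; names, ARNs and DNS names are made up.
import json

SAMPLE_RESPONSE = json.loads("""{"LoadBalancers": [
  {"LoadBalancerName": "web-alb", "Type": "application", "Scheme": "internet-facing",
   "DNSName": "web-alb-1234.us-east-1.elb.amazonaws.com",
   "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web-alb/abc"},
  {"LoadBalancerName": "app-tier-alb", "Type": "application", "Scheme": "internal",
   "DNSName": "internal-app-tier-alb-5678.us-east-1.elb.amazonaws.com",
   "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/app-tier-alb/def"},
  {"LoadBalancerName": "edge-nlb", "Type": "network", "Scheme": "internet-facing",
   "DNSName": "edge-nlb-9012.elb.us-east-1.amazonaws.com",
   "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/edge-nlb/ghi"}
]}""")


def find_internet_facing(response):
    """Return one finding per ALB/NLB whose Scheme is 'internet-facing'.

    `response` is a dict shaped like DescribeLoadBalancers output. Gateway load
    balancers (Type 'gateway') are skipped: the rule covers ALBs and NLBs only.
    """
    findings = []
    for lb in response.get("LoadBalancers", []):
        if lb.get("Type") not in ("application", "network"):
            continue
        if lb.get("Scheme") != "internet-facing":
            continue
        findings.append({"name": lb["LoadBalancerName"], "type": lb["Type"],
                         "dns_name": lb["DNSName"], "arn": lb["LoadBalancerArn"]})
    return findings


def audit_region(region_name):
    """Walk every page of DescribeLoadBalancers in one region and flag the
    internet-facing ALBs/NLBs. Needs boto3 plus AWS credentials, so the import
    is deferred and no API call happens at import time."""
    import boto3
    client = boto3.client("elbv2", region_name=region_name)
    findings = []
    for page in client.get_paginator("describe_load_balancers").paginate():
        findings.extend(find_internet_facing(page))
    return findings


if __name__ == "__main__":
    for f in find_internet_facing(SAMPLE_RESPONSE):
        print(f"REVIEW {f['type']:<11} {f['name']:<13} {f['dns_name']}")
```

Each flagged entry is a load balancer whose scheme should be confirmed against your requirements; an internal scheme cannot be applied in place, so a load balancer that should not be public has to be re-created as described under Remediation.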
Remediation / Resolution
Review your internet-facing ELBv2 load balancers and change the scheme configuration for the load balancers that are not following the regulatory security requirements. To change the scheme for your Application/Network Load Balancers you need to re-create them with the internal scheme configuration. To create internal ELBv2 load balancers, perform the following actions:
For Application Load Balancers (ALBs):
For Network Load Balancers (NLBs):
References
- AWS Documentation
  - Elastic Load Balancing FAQs
  - Application Load Balancers
  - Network Load Balancers
- AWS Command Line Interface (CLI) Documentation
  - elbv2
  - describe-load-balancers
  - create-load-balancer
  - create-listener
- CloudFormation Documentation
  - Elastic Load Balancing V2 resource type reference
- Terraform Documentation
  - AWS Provider
Rule: Internet Facing ELBv2 Load Balancers
Risk Level: High