Ensure that all Amazon Application Load Balancers (ALBs) available in your AWS cloud account are associated with security groups that restrict access only to the ports defined within the listener configuration associated with your load balancers.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using well-configured security groups for your Application Load Balancers (ALBs) can substantially reduce the risk of data loss and unauthorized access. The security groups must also be valid: when a load balancer is created without specifying a security group, it is automatically associated with the VPC's default security group, which this rule treats as invalid.
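The check this rule performs, as an added example that is not Conformity's own code: it reads the JSON shapes returned by `aws elbv2 describe-listeners` and `aws ec2 describe-security-groups`, flags the VPC default group, and reports any ingress rule that opens ports the ALB has no listener for. The group IDs and rules below are constructed sample data.

```python
# Added example, not Conformity's code. Input shapes follow the AWS API/CLI JSON:
# Listeners[].Port and SecurityGroups[].{GroupId, GroupName, IpPermissions[]}.

def listener_ports(listeners_response):
    """TCP ports the ALB actually listens on."""
    return {lsn["Port"] for lsn in listeners_response["Listeners"]}

def audit_alb_security_groups(listeners_response, sg_response):
    """Return (GroupId, reason) findings; an empty list means the groups are compliant."""
    allowed = listener_ports(listeners_response)
    findings = []
    for sg in sg_response["SecurityGroups"]:
        gid = sg["GroupId"]
        if sg["GroupName"] == "default":
            findings.append((gid, "VPC default security group is attached to the ALB"))
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":  # "-1" is the API's marker for all protocols and all ports
                findings.append((gid, "ingress rule allows all protocols and ports"))
            elif proto != "tcp":  # ALB listeners are HTTP/HTTPS, i.e. TCP only
                findings.append((gid, f"ingress rule for non-TCP protocol {proto}"))
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
                extra = sorted(set(range(lo, hi + 1)) - allowed)
                if extra:
                    findings.append((gid, f"rule {lo}-{hi}/tcp opens {len(extra)} "
                                          f"non-listener port(s), e.g. {extra[:3]}"))
    return findings

# Constructed sample data: an ALB with HTTP and HTTPS listeners, one custom group
# that also opens port 22, and the VPC default group with an allow-all rule.
SAMPLE_LISTENERS = {"Listeners": [{"Port": 80, "Protocol": "HTTP"},
                                  {"Port": 443, "Protocol": "HTTPS"}]}
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "alb-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
]}

if __name__ == "__main__":
    for gid, reason in audit_alb_security_groups(SAMPLE_LISTENERS, SAMPLE_SGS):
        print(f"{gid}: {reason}")
```

To run it against a real account, feed the script the output of the two CLI commands for the load balancer's listeners and its `SecurityGroups` list from `describe-load-balancers`.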
Audit
To determine if your Amazon Application Load Balancers (ALBs) are using insecure and invalid security groups, perform the following actions:
Remediation / Resolution
To replace any invalid and/or insecure security groups associated with your Amazon Application Load Balancers (ALBs), perform the following actions:
References
- AWS Documentation
  - Elastic Load Balancing FAQs
  - Application Load Balancers
  - Network Load Balancers
- AWS Command Line Interface (CLI) Documentation
  - elbv2
  - describe-load-balancers
  - describe-listeners
  - set-security-groups
  - create-security-group
  - describe-security-groups
  - authorize-security-group-ingress
  - authorize-security-group-egress
- CloudFormation Documentation
  - Elastic Load Balancing V2 resource type reference
- Terraform Documentation
  - AWS Provider
Rule: ELBv2 ALB Security Group
Risk Level: High