AWS_ELB_77
In order to implement the principle of least privilege and reduce the possibility of a breach, always make sure Application Load Balancers are not exposed to incoming traffic from 0.0.0.0/0 on known UDP ports.
From Portal:
A)
1. Sign in to the AWS Management Console. Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/
2. In the NETWORK & SECURITY tab, choose Security Groups.
3. Create a new Security group, add an appropriate scope other than 0.0.0.0/0 in the inbound rules.
B)
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Select the load balancer.
4. On the Description tab, under Security, choose Edit security groups.
5. To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.
6. Choose Save.
From Command Line:
1. Create a new security group to replace the insecure security group which is currently attached to the ALB.
aws ec2 create-security-group --region REGION --group-name SG_NAME --description "SECURE SG" --vpc-id VPC_ID
2. Add an inbound rule with an appropriate scope/CIDR range in order to limit the incoming traffic. For a security group in a non-default VPC, reference the group by its ID (returned by the previous command) rather than by name.
aws ec2 authorize-security-group-ingress --region REGION --group-id SG_ID --protocol udp --port PORT --cidr CIDR_BLOCK
3. Use the set-security-groups command to replace the existing security group with the new secure one.
aws elbv2 set-security-groups --region REGION --load-balancer-arn ALB_ARN --security-groups SG_ID
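Before running the remediation above, it helps to know which ALBs actually carry a security group rule that violates this check. The following script is an added example, not part of the original page or of any AWS tooling: it evaluates the JSON that `aws elbv2 describe-load-balancers` and `aws ec2 describe-security-groups` return and reports, per Application Load Balancer, every inbound rule that admits UDP traffic (including "all protocols" rules) from 0.0.0.0/0 or ::/0. The sample JSON embedded below is constructed, with placeholder ARNs, group IDs and VPC ID. It flags any world-open UDP port rather than only the "known" ports the page refers to, which is a stricter superset of the check.

```python
import json
from typing import Dict, List

# Constructed sample of `aws elbv2 describe-load-balancers --output json`.
# Names, ARNs and security group IDs are made-up placeholders.
SAMPLE_DESCRIBE_LBS = json.loads("""
{"LoadBalancers": [
  {"LoadBalancerName": "alb-public", "Type": "application",
   "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/alb-public/EXAMPLE1",
   "SecurityGroups": ["sg-0aaa0000example1", "sg-0bbb0000example2"]},
  {"LoadBalancerName": "alb-compliant", "Type": "application",
   "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/alb-compliant/EXAMPLE2",
   "SecurityGroups": ["sg-0ccc0000example3"]},
  {"LoadBalancerName": "nlb-internal", "Type": "network",
   "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/nlb-internal/EXAMPLE3"}
]}
""")

# Constructed sample of `aws ec2 describe-security-groups --output json`.
SAMPLE_DESCRIBE_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa0000example1", "GroupName": "alb-mixed-sg", "VpcId": "vpc-0example",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb0000example2", "GroupName": "alb-any-proto-sg", "VpcId": "vpc-0example",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ccc0000example3", "GroupName": "alb-https-only-sg", "VpcId": "vpc-0example",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def open_cidrs_in(perm: Dict) -> List[str]:
    """Return the world-open IPv4/IPv6 ranges referenced by one inbound rule."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in OPEN_CIDRS]


def rule_covers_udp(perm: Dict) -> bool:
    """True for UDP rules and for '-1' (all protocols), which includes UDP."""
    return perm.get("IpProtocol") in ("udp", "17", "-1")


def find_open_udp_rules(describe_sgs: Dict) -> List[Dict]:
    """Flag every inbound rule that admits UDP from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in describe_sgs["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_udp(perm):
                continue
            cidrs = open_cidrs_in(perm)
            if not cidrs:
                continue
            # An all-protocols rule carries no FromPort/ToPort.
            ports = "all" if perm["IpProtocol"] == "-1" else f'{perm["FromPort"]}-{perm["ToPort"]}'
            findings.append({"GroupId": sg["GroupId"], "Protocol": perm["IpProtocol"],
                             "Ports": ports, "Cidrs": cidrs})
    return findings


def audit_albs(describe_lbs: Dict, describe_sgs: Dict) -> Dict[str, List[Dict]]:
    """Map each Application Load Balancer name to its offending rules (empty list = compliant)."""
    by_group = {sg["GroupId"]: sg for sg in describe_sgs["SecurityGroups"]}
    report: Dict[str, List[Dict]] = {}
    for lb in describe_lbs["LoadBalancers"]:
        if lb.get("Type") != "application":
            continue  # this check is scoped to ALBs only
        attached = [by_group[g] for g in lb.get("SecurityGroups", []) if g in by_group]
        report[lb["LoadBalancerName"]] = find_open_udp_rules({"SecurityGroups": attached})
    return report


if __name__ == "__main__":
    for name, findings in audit_albs(SAMPLE_DESCRIBE_LBS, SAMPLE_DESCRIBE_SGS).items():
        status = "NON-COMPLIANT" if findings else "compliant"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  {f['GroupId']} {f['Protocol']} ports {f['Ports']} from {', '.join(f['Cidrs'])}")
```

To run it against a real account, replace the two embedded samples with the output of the two describe commands (for example via `json.load` on files produced with `--output json`); the `GroupId` values in the report are the groups to replace with the `set-security-groups` step above.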
From CFT:
Use the link from the references to the CloudFormation load balancer resource and configure the security group with appropriate settings in order to limit the incoming traffic.
From TF:
Use the link from the references to the Terraform load balancer resource and configure the security group with appropriate settings in order to limit the incoming traffic.
References:
1. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html
2. https://docs.aws.amazon.com/cli/latest/reference/elbv2/set-security-groups.html
3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-loadbalancer.html#cfn-elasticloadbalancingv2-loadbalancer-securitygroups
4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb