AWS_ELB_81

Ensure no ELB allows incoming traffic from 0.0.0.0/0 to known UDP port

Description

To implement the principle of least privilege and reduce the possibility of a breach, always make sure ELBs do not allow incoming traffic from 0.0.0.0/0 to known UDP ports.
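The following check, added here as an example and not part of the original rule text, evaluates the data shapes returned by `aws elb describe-load-balancers` and `aws ec2 describe-security-groups` and reports every classic ELB whose security group admits UDP from 0.0.0.0/0 or ::/0 on a known port. The port list and the sample data are constructed assumptions; the rule itself does not define which UDP ports count as "known".

```python
import ipaddress

# Assumed list of well-known UDP ports to watch (DNS, TFTP, NTP, SNMP, IKE,
# syslog, OpenVPN, SSDP); replace with the ports your policy names.
KNOWN_UDP_PORTS = {53, 69, 123, 161, 162, 500, 514, 1194, 1900, 4500}

def is_world_open(ip_range):
    """True for 0.0.0.0/0 or ::/0 (any range with prefix length 0)."""
    return ipaddress.ip_network(ip_range, strict=False).prefixlen == 0

def rule_exposes_udp(perm, known_ports=KNOWN_UDP_PORTS):
    """Known UDP ports that one IpPermissions entry opens to the world."""
    proto = perm.get("IpProtocol")
    if proto not in ("udp", "-1"):      # -1 = all protocols, which includes UDP
        return set()
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    if not any(is_world_open(c) for c in cidrs):
        return set()
    lo = perm.get("FromPort", 0) if proto == "udp" else 0      # -1 has no ports
    hi = perm.get("ToPort", 65535) if proto == "udp" else 65535
    return {p for p in known_ports if lo <= p <= hi}

def find_exposed_elbs(load_balancers, security_groups):
    """Map ELB name -> {sg_id: sorted exposed ports} for each violating ELB."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = {}
    for lb in load_balancers:
        for sg_id in lb.get("SecurityGroups", []):
            exposed = set()
            for perm in sg_by_id.get(sg_id, {}).get("IpPermissions", []):
                exposed |= rule_exposes_udp(perm)
            if exposed:
                findings.setdefault(lb["LoadBalancerName"], {})[sg_id] = sorted(exposed)
    return findings

# Constructed sample data in the shape of the two describe-* API responses.
SAMPLE_ELBS = [
    {"LoadBalancerName": "web-elb", "SecurityGroups": ["sg-open"]},
    {"LoadBalancerName": "api-elb", "SecurityGroups": ["sg-restricted"]},
]
SAMPLE_SGS = [
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-restricted", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    print(find_exposed_elbs(SAMPLE_ELBS, SAMPLE_SGS))   # {'web-elb': {'sg-open': [53]}}
```

Feed it the JSON from the two CLI calls (the `LoadBalancerDescriptions` and `SecurityGroups` arrays) to run it against a real account.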

Remediation

From Portal:
A)
1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
2. In the NETWORK & SECURITY tab, choose Security Groups.
3. Create a new security group and, in its inbound rules, add an appropriate source scope other than 0.0.0.0/0.
B)
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Select the load balancer.
4. On the Description tab, under Security, choose Edit security groups.
5. To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.
6. Choose Save.

From Command Line:
1. Create a new security group to replace the insecure security group currently attached to the ELB.
aws ec2 create-security-group --region REGION --group-name SG_NAME --description "SECURE SG" --vpc-id VPC_ID
2. Add an inbound rule with an appropriate scope/CIDR range to limit the incoming traffic (use the group ID returned by the previous command; --group-name only resolves groups in the default VPC).
aws ec2 authorize-security-group-ingress --region REGION --group-id SG_ID --protocol udp --port PORT --cidr CIDR_BLOCK
3. Use the following apply-security-groups-to-load-balancer command to associate the security group with a load balancer in a VPC. The specified security groups override the previously associated security groups.
aws elb apply-security-groups-to-load-balancer --region REGION --load-balancer-name ELB_NAME --security-groups SG_ID

From CFT:
Use the CloudFormation load balancer resource documentation linked in the references and configure the security group with appropriate settings to limit the incoming traffic.

From TF:
Use the Terraform load balancer resource documentation linked in the references and configure the security group with appropriate settings to limit the incoming traffic.

References:
1. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elb/apply-security-groups-to-load-balancer.html
3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html
4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb

Service

ELB

Severity

High

Compliance

Mapping
