lacework-global-482

Classic LBs should have a valid and secure security group

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Assign Classic Elastic Load Balancers (ELB) inside Virtual Private Clouds (VPCs) to security groups to prevent unauthorized access. In addition, best practices recommend that the security group restricts the traffic to only the necessary IPs and ports. A violation exists when Classic Elastic Load Balancers are not protected by security groups.

Remediation

If a Classic Elastic Load Balancer has an insecure security group, update security group rules or create a new security group.

Update the security group rules:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2 > Network & Security > Security Groups.
  4. Locate the insecure Security Group.
  5. Adjust the Inbound and Outbound rules as required. Inbound rules must restrict the source IP range and allow only the Classic ELB listener's load balancer port. Outbound rules must allow only the Classic ELB listener's instance port.

OR

Create the security group to use for the Classic ELB:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2 > Network & Security > Security Groups.
  4. Click Create Security Group.
  5. Fill in the fields. In the Inbound and Outbound tabs, create rules as required. Inbound rules must restrict the source IP range and allow only the Classic ELB listener's load balancer port. Outbound rules must allow only the Classic ELB listener's instance port.

Assign the new security group to the Classic ELB:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2.
  4. Select Load Balancing > Load Balancers.
  5. Select the Load Balancer that has the violation reported by Lacework.
  6. Select the Description tab.
  7. Scroll down to Security > Source Security Group and click Edit security groups.
  8. Select the security group created in the previous step, deselect the old security group, and click Save.
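The checks described above, as an added example that is not Lacework's policy code: it evaluates one Classic ELB's security groups offline on dicts shaped like boto3's describe_load_balancers and describe_security_groups responses, flagging a missing security group, an unrestricted inbound source, and inbound or outbound rules that do not match the listener's load balancer or instance port. The load balancer name, group IDs and CIDR ranges are constructed sample values.

```python
# Added example (not Lacework's policy code): evaluate a Classic ELB against the
# rules above using dicts shaped like boto3's elb.describe_load_balancers and
# ec2.describe_security_groups output. All sample records below are constructed.
def _port_range(perm):
    # Port range a rule covers; IpProtocol "-1" means every port.
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def _unrestricted_source(perm):
    # True when the rule's source is an IPv4 or IPv6 "anywhere" range.
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])) or \
        any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))

def evaluate_classic_elb(lb, groups):
    """Return findings for one LoadBalancerDescriptions entry; groups maps GroupId -> SG."""
    name = lb["LoadBalancerName"]
    listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
    lb_ports = {l["LoadBalancerPort"] for l in listeners}
    instance_ports = {l["InstancePort"] for l in listeners}
    if not lb.get("SecurityGroups"):  # the core violation: no security group at all
        return [f"{name}: no security group attached"]
    findings = []
    for sg_id in lb["SecurityGroups"]:
        sg = groups[sg_id]
        for perm in sg.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            if _unrestricted_source(perm):
                findings.append(f"{name}/{sg_id}: inbound {lo}-{hi} has an unrestricted source")
            if lo != hi or lo not in lb_ports:
                findings.append(f"{name}/{sg_id}: inbound {lo}-{hi} is not a listener load balancer port")
        for perm in sg.get("IpPermissionsEgress", []):
            lo, hi = _port_range(perm)
            if lo != hi or lo not in instance_ports:
                findings.append(f"{name}/{sg_id}: outbound {lo}-{hi} is not a listener instance port")
    return findings

# Constructed sample: an HTTPS listener on 443 forwarding to instance port 8443.
SAMPLE_LB = {"LoadBalancerName": "web-elb", "SecurityGroups": ["sg-bad"], "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTPS", "InstancePort": 8443}}]}
SAMPLE_GROUPS = {
    # Default-style group: all traffic in from anywhere, all traffic out.
    "sg-bad": {"IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
               "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # Remediated group: one source range to 443 in, only 8443 towards the instance subnet out.
    "sg-good": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
                "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
}
```

Running `evaluate_classic_elb(SAMPLE_LB, SAMPLE_GROUPS)` reports three findings for `sg-bad`, while the same load balancer attached to `sg-good` reports none.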