lacework-global-483

Elastic Load Balancers (ELB) should have a secure security group

Description

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. Assign Elastic Load Balancers (ELBs) inside Virtual Private Clouds (VPCs) to security groups to prevent unauthorized access.

In addition, best practices recommend that the security group restrict traffic to only the necessary IPs and ports. A violation exists when an Elastic Load Balancer is not protected by a security group.

Remediation

For application load balancers:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2.
  4. In the left frame of the EC2 Dashboard, select Load Balancing > Load Balancers.
  5. Select the Load Balancer that has the violation reported by Lacework.
  6. Under Description, click the attached security group.
  7. Edit the inbound rules and restrict access to only the required IPs and ports.
  8. Edit the outbound rules and restrict egress to only the required IPs and ports.

For gateway/network load balancers:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Compute > EC2 > Instances.
  4. Click the instance that is being load balanced.
  5. Navigate to Security and select the link under the Security groups subheading.
  6. Access the Inbound and Outbound tabs.
  7. Update the rules as required. Inbound rules must restrict the source IP range and allow only the port configured as the listener's load balancer port. Outbound rules must allow only the port configured as the listener's instance port.

Note: For gateway load balancers, ensure that the load balancer allows User Datagram Protocol (UDP) traffic on port 6081, which the GENEVE encapsulation protocol requires.
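The following Python script is an added example and is not part of this policy page or of Lacework's own checks. It evaluates constructed, inline security group data against the conditions the remediation steps describe: a security group must be attached, inbound rules should cover only the listener ports, outbound rules should not allow all traffic to anywhere, and a gateway load balancer path must permit GENEVE on UDP 6081. The `Rule`, `SecurityGroup` and `LoadBalancer` classes, the group IDs and the load balancer names are assumptions made for this example; the rule shape loosely follows EC2 `IpPermissions` (protocol `-1` meaning all traffic). For gateway and network load balancers, pass the target instance's security groups, as the procedure above does.

```python
"""Offline audit of load balancer security groups (added example, constructed data).

Checks mirror the policy text: a security group must be attached, inbound rules
should be limited to the listener ports, outbound rules should not be wide open,
and a gateway load balancer must allow GENEVE (UDP 6081).
"""
from dataclasses import dataclass
from typing import Optional

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
GENEVE_UDP_PORT = 6081  # port named in the policy note


@dataclass
class Rule:
    protocol: str             # "tcp", "udp", or "-1" for all protocols (EC2 convention)
    from_port: Optional[int]  # None when the rule covers all ports
    to_port: Optional[int]
    cidrs: list               # source CIDRs (ingress) or destination CIDRs (egress)


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list
    egress: list


@dataclass
class LoadBalancer:
    name: str
    lb_type: str              # "application", "network" or "gateway"
    listener_ports: list      # ports the listeners accept (empty for gateway)
    security_group_ids: list  # groups to evaluate (the ELB's own for an ALB,
                              # the target instance's groups otherwise)


def rule_ports(rule: Rule) -> set:
    """Ports a rule covers; every port when protocol is -1 or no range is set."""
    if rule.protocol == "-1" or rule.from_port is None or rule.to_port is None:
        return set(range(0, 65536))
    return set(range(rule.from_port, rule.to_port + 1))


def is_world_open(rule: Rule) -> bool:
    return any(c in (ANY_IPV4, ANY_IPV6) for c in rule.cidrs)


def audit_load_balancer(lb: LoadBalancer, groups: dict) -> list:
    """Return human-readable findings; an empty list means the LB passes."""
    if not lb.security_group_ids:
        return [f"{lb.name}: no security group attached"]
    # Gateway LBs have no listener port; GENEVE is the only port they need.
    required = {GENEVE_UDP_PORT} if lb.lb_type == "gateway" else set(lb.listener_ports)
    findings = []
    geneve_allowed = False
    for gid in lb.security_group_ids:
        sg = groups.get(gid)
        if sg is None:
            findings.append(f"{lb.name}: security group {gid} not found")
            continue
        for r in sg.ingress:
            if r.protocol in ("udp", "-1") and GENEVE_UDP_PORT in rule_ports(r):
                geneve_allowed = True
            if r.protocol == "-1":
                findings.append(f"{lb.name}/{gid}: inbound rule allows all protocols from {r.cidrs}")
                continue
            extra = rule_ports(r) - required
            if extra:
                findings.append(f"{lb.name}/{gid}: inbound {r.protocol} rule from {r.cidrs} "
                                f"opens {len(extra)} port(s) outside the listener ports {sorted(required)}")
        for r in sg.egress:
            if r.protocol == "-1" and is_world_open(r):
                findings.append(f"{lb.name}/{gid}: outbound rule allows all traffic to {r.cidrs}")
    if lb.lb_type == "gateway" and not geneve_allowed:
        findings.append(f"{lb.name}: no inbound rule permits GENEVE (UDP {GENEVE_UDP_PORT})")
    return findings


def audit_all(lbs: list, groups: dict) -> dict:
    return {lb.name: audit_load_balancer(lb, groups) for lb in lbs}


# Constructed sample data; group IDs and names are placeholders, not real resources.
SAMPLE_GROUPS = {
    "sg-web": SecurityGroup("sg-web", [Rule("tcp", 443, 443, [ANY_IPV4])],
                            [Rule("tcp", 8080, 8080, ["10.0.0.0/16"])]),
    "sg-open": SecurityGroup("sg-open", [Rule("-1", None, None, [ANY_IPV4])],
                             [Rule("-1", None, None, [ANY_IPV4])]),
    "sg-wide": SecurityGroup("sg-wide", [Rule("tcp", 0, 65535, [ANY_IPV4])],
                             [Rule("tcp", 443, 443, ["10.0.0.0/16"])]),
    "sg-appliance": SecurityGroup("sg-appliance", [Rule("udp", 6081, 6081, ["10.0.0.0/16"])],
                                  [Rule("tcp", 443, 443, ["10.0.0.0/8"])]),
    "sg-default": SecurityGroup("sg-default", [], [Rule("-1", None, None, [ANY_IPV4])]),
}
SAMPLE_LBS = [
    LoadBalancer("web-alb", "application", [443], ["sg-web"]),
    LoadBalancer("legacy-alb", "application", [80], ["sg-open"]),
    LoadBalancer("api-alb", "application", [443], ["sg-wide"]),
    LoadBalancer("orphan-nlb", "network", [443], []),
    LoadBalancer("fw-gwlb", "gateway", [], ["sg-appliance"]),
    LoadBalancer("new-gwlb", "gateway", [], ["sg-default"]),
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_LBS, SAMPLE_GROUPS).items():
        print(name, "PASS" if not found else "")
        for f in found:
            print("  -", f)
```

To run this against a real account, populate `LoadBalancer` and `SecurityGroup` objects from the `describe-load-balancers` and `describe-security-groups` API responses; a public ALB that deliberately accepts `0.0.0.0/0` on its listener ports passes the inbound check, since the policy's concern is ports and sources beyond what the listeners require.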