Skip to main content

More Info:

All Amazon internet-facing load balancers (Classic Load Balancers and Application Load Balancers) provisioned within your AWS account should be regularly reviewed for security purposes.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

  • Remediation

Remediation

Using Console

The following are the step by step instructions to remediate the misconfiguration “Internet Facing ELBs Should Be Regularly Reviewed” in AWS using the AWS console:
  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 service.
  3. Click on the “Load Balancers” option in the left-hand menu.
  4. Select the Internet-facing ELB that needs to be reviewed.
  5. Click on the “Listeners” tab.
  6. Review the protocol and port configuration for each listener. Ensure that they are configured according to your organization’s security policies.
  7. Click on the “Security” tab.
  8. Review the security groups associated with the ELB. Ensure that only necessary ports are open and that the source IP ranges are restricted to only authorized IPs.
  9. Click on the “Instances” tab.
  10. Review the instances associated with the ELB. Ensure that they are running the latest security patches and that they are not exposing any unnecessary services.
  11. Click on the “Health Check” tab.
  12. Review the health check configuration. Ensure that it is configured according to your organization’s security policies.
  13. Click on the “Attributes” tab.
  14. Review the attributes associated with the ELB. Ensure that they are configured according to your organization’s security policies.
  15. Make any necessary changes to the ELB configuration.
  16. Click on the “Save” button to save the changes.
By following the above steps, the misconfiguration “Internet Facing ELBs Should Be Regularly Reviewed” can be remediated in AWS using the AWS console.

To remediate the misconfiguration for AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI and run the following command to list all the internet-facing Elastic Load Balancers (ELBs) in your account: 
    aws elbv2 describe-load-balancers --query "LoadBalancers[?Scheme=='internet-facing'].LoadBalancerArn" --output text
  2. Review the output and identify any ELBs that are no longer needed or should not be internet-facing.
  3. For each internet-facing ELB that needs to be reviewed, run the following command to modify the scheme to internal: 
    aws elbv2 modify-load-balancer-attributes --load-balancer-arn <ELB_ARN> --attributes Key=scheme,Value=internal
    Replace <ELB_ARN> with the ARN of the ELB that needs to be modified.
  4. Verify that the ELB’s scheme has been changed to internal by running the following command: 
    aws elbv2 describe-load-balancers --load-balancer-arns <ELB_ARN> --query "LoadBalancers[0].Scheme" --output text
    Replace <ELB_ARN> with the ARN of the ELB that was modified.
  5. Repeat steps 3-4 for each internet-facing ELB that needs to be reviewed.
  6. Once all internet-facing ELBs have been reviewed and modified, run the first command again to verify that all internet-facing ELBs have been remediated.
To remediate the misconfiguration of Internet Facing ELBs in AWS, you can use the following Python script:
import boto3

# Create a boto3 client for ELB
elb_client = boto3.client('elbv2')

# Define the ELB ARN
elb_arn = 'arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188'

# Set the desired security group ID
security_group_id = 'sg-1234567890abcdef'

# Update the ELB security group
response = elb_client.set_security_groups(
    LoadBalancerArn=elb_arn,
    SecurityGroups=[
        security_group_id,
    ]
)

# Print the response
print(response)
This script uses the boto3 library to create a client for Elastic Load Balancing (ELB) in AWS. It then sets the desired security group ID for the specified ELB ARN using the set_security_groups function. Finally, it prints the response from the API call.To use this script, replace the elb_arn and security_group_id values with the appropriate values for your environment. You can then run the script to remediate the misconfiguration of Internet Facing ELBs in AWS.

Additional Reading:

I