ELB load balancers should be internal
- GG_ID: GG_IAC_0050
- Severity: HIGH
- Complexity: MEDIUM
- Categories: NETWORK
- Providers: AWS
- Potential data exposure: True
- Visible in logs: True
- User interaction required: False
- Privileges required: True
# Description
Elastic Load Balancing automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.
When you create a load balancer in a Virtual Private Cloud (VPC), you must choose whether to make it an internal load balancer or an internet-facing load balancer. If clients outside the VPC need to connect to your load balancer, it must be internet-facing. However, this can lead to accidental exposure of internal resources. Before choosing the internet-facing scheme, confirm that the load balancer genuinely needs to be reachable from the public internet.
# Impact
- Possible distributed denial of service (DDoS).
- Potential exposure of private endpoints.
# Remediation guidelines
- AWS is retiring the EC2-Classic network on August 15th 2022. If the load balancer is in that network, migrate it to a VPC and configure it as internal.
- If the internet-facing load balancer has a legitimate use-case, configure it to use a secure HTTPS listener.
- If not, create a new internal load balancer and delete the previous one.
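The following is an added example of how the check behind this policy can be applied to a Terraform plan before it is applied; it is not GitGuardian's scanner and not part of the original page. It assumes the JSON shape produced by `terraform show -json plan.out` (a `planned_values.root_module` with `resources` and nested `child_modules`), that the `internal` attribute of `aws_lb`, `aws_alb` and `aws_elb` resources controls the scheme, and that a missing `internal` means the provider default of `false` (internet-facing). The sample plan embedded below is constructed for illustration.

```python
"""Flag internet-facing load balancers in a Terraform plan (JSON form).

Added example for GG_IAC_0050; it is not GitGuardian's own detector. It
assumes the structure produced by `terraform show -json plan.out`:
planned_values.root_module.resources[], each with "type" and "values",
plus optional nested child_modules (assumption, not from the page).
"""
import json

# Resource types whose `internal` attribute selects the load balancer scheme.
# The Terraform AWS provider defaults `internal` to false, i.e. internet-facing.
LB_TYPES = {"aws_lb", "aws_alb", "aws_elb"}


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_internet_facing_lbs(plan):
    """Return the addresses of load balancers that are not configured as internal.

    A missing `internal` key is treated as false because that is the provider
    default; only an explicit `internal = true` counts as the remediated state.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") not in LB_TYPES:
            continue
        if res.get("values", {}).get("internal") is not True:
            findings.append(res["address"])
    return findings


# Constructed sample plan: one ALB left at the internet-facing default, one
# internal ALB, and one classic ELB in a child module explicitly set public.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_lb.public_web", "type": "aws_lb", "name": "public_web",
         "values": {"name": "public-web", "load_balancer_type": "application"}},
        {"address": "aws_lb.internal_api", "type": "aws_lb", "name": "internal_api",
         "values": {"name": "internal-api", "internal": true}}
      ],
      "child_modules": [
        {"address": "module.legacy",
         "resources": [
           {"address": "module.legacy.aws_elb.classic", "type": "aws_elb",
            "name": "classic", "values": {"name": "legacy-classic", "internal": false}}
         ]}
      ]
    }
  }
}
""")

if __name__ == "__main__":
    # Constructed finding message; the policy id is the one from the page.
    for address in find_internet_facing_lbs(SAMPLE_PLAN):
        print(f"GG_IAC_0050: {address} is internet-facing; set internal = true "
              "or confirm that public exposure is intended and use an HTTPS listener")
```

Running the check in CI against the plan, rather than the `.tf` files, catches the case where `internal` is omitted and silently falls back to the internet-facing default, which a text search for `internal = false` would miss.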