
ELB load balancers should be internal

Severity: HIGH
Exploitability: MEDIUM
Providers: AWS
Categories: NETWORK

Description

This rule acts as a safeguard against accidentally exposing internal resources to the internet.

Elastic Load Balancing automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.

When you create a load balancer in a Virtual Private Cloud (VPC), you must choose whether it is an internal load balancer or an internet-facing load balancer. An internet-facing load balancer gets a publicly resolvable DNS name and accepts connections from clients outside the VPC; an internal load balancer only serves clients inside the VPC (or networks connected to it). If you need clients outside the VPC to reach your load balancer, it must be internet-facing, but that setting also exposes every target behind it, so it is a common source of accidental exposure. Confirm that each internet-facing load balancer actually needs to be reachable from the wider internet.

Impact

Potential data exposure: True
Visible in logs: True
User interaction required: False
Privileges required: True
  • possible distributed denial of service (DDoS).
  • potential exposure of private endpoints.

Remediation guidelines

  • AWS retired the EC2-Classic network on August 15, 2022. Load balancers in EC2-Classic are always internet-facing; if the load balancer is still in that network, migrate it to a VPC and configure it as internal.
  • If the internet-facing load balancer has a legitimate use case, make sure it serves traffic only over an HTTPS listener (a TLS listener for a Network Load Balancer).
  • Otherwise, create a new internal load balancer, move the clients over, and delete the internet-facing one. The scheme of an existing load balancer cannot be changed after creation, so a replacement is required.
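The check described above and the remediation triage in the list above, as an added example that is not the rule engine's own code. It runs over constructed sample data shaped like the responses of the real AWS APIs (elb DescribeLoadBalancers, elbv2 DescribeLoadBalancers and DescribeListeners); the helper names, the sample load balancer names and the VPC ID are this example's own. Each internet-facing load balancer is classified as still in EC2-Classic, internet-facing with no encrypted listener, or internet-facing with an encrypted listener that needs an exposure review; internal load balancers produce no finding.

```python
"""Audit load balancers against the "ELB load balancers should be internal" rule.

Added example for this page, not the rule engine's code. The sample inventory
below is constructed; collect_from_aws() shows the equivalent live calls.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS"}  # ALB listeners use HTTPS, NLB listeners use TLS


@dataclass
class LoadBalancer:
    name: str
    kind: str                 # "classic", "application" or "network"
    scheme: str               # "internal" or "internet-facing"
    vpc_id: str | None        # None only for classic ELBs still in EC2-Classic
    listener_protocols: list[str] = field(default_factory=list)


@dataclass
class Finding:
    name: str
    reason: str               # "ec2-classic", "no-encrypted-listener" or "review-exposure"
    remediation: str


def from_elbv2(desc: dict, listeners: list[dict]) -> LoadBalancer:
    """Build from one elbv2 DescribeLoadBalancers entry plus its DescribeListeners result."""
    return LoadBalancer(
        name=desc["LoadBalancerName"],
        kind=desc.get("Type", "application"),
        scheme=desc["Scheme"],
        vpc_id=desc.get("VpcId"),
        listener_protocols=[lst["Protocol"] for lst in listeners],
    )


def from_classic(desc: dict) -> LoadBalancer:
    """Build from one classic elb DescribeLoadBalancers entry (listeners are inline).

    EC2-Classic load balancers carry no VPCId and are always internet-facing.
    """
    return LoadBalancer(
        name=desc["LoadBalancerName"],
        kind="classic",
        scheme=desc.get("Scheme", "internet-facing"),
        vpc_id=desc.get("VPCId") or None,
        listener_protocols=[d["Listener"]["Protocol"] for d in desc.get("ListenerDescriptions", [])],
    )


def evaluate(lb: LoadBalancer) -> Finding | None:
    """Return a Finding for an internet-facing load balancer, None for an internal one."""
    if lb.scheme != "internet-facing":
        return None
    if lb.kind == "classic" and lb.vpc_id is None:
        return Finding(lb.name, "ec2-classic",
                       "EC2-Classic load balancer: migrate it to a VPC and configure it as internal")
    if not any(p.upper() in ENCRYPTED_PROTOCOLS for p in lb.listener_protocols):
        return Finding(lb.name, "no-encrypted-listener",
                       "internet-facing with plaintext listeners only: add an HTTPS/TLS listener "
                       "if the exposure is intended, otherwise replace it with an internal load balancer")
    return Finding(lb.name, "review-exposure",
                   "internet-facing with an encrypted listener: confirm the exposure is intended, "
                   "otherwise replace it with an internal load balancer")


def find_exposed(lbs: list[LoadBalancer]) -> list[Finding]:
    """Findings for every load balancer that is not internal, in inventory order."""
    return [f for f in (evaluate(lb) for lb in lbs) if f is not None]


def collect_from_aws(region: str) -> list[LoadBalancer]:
    """Pull the live inventory with boto3 (imported lazily so the sample run stays offline)."""
    import boto3
    out: list[LoadBalancer] = []
    elbv2 = boto3.client("elbv2", region_name=region)
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for desc in page["LoadBalancers"]:
            listeners = elbv2.describe_listeners(LoadBalancerArn=desc["LoadBalancerArn"])["Listeners"]
            out.append(from_elbv2(desc, listeners))
    elb = boto3.client("elb", region_name=region)
    for page in elb.get_paginator("describe_load_balancers").paginate():
        for desc in page["LoadBalancerDescriptions"]:
            out.append(from_classic(desc))
    return out


# Constructed sample inventory, not real AWS output.
SAMPLE_INVENTORY = [
    from_elbv2({"LoadBalancerName": "web-public", "Type": "application",
                "Scheme": "internet-facing", "VpcId": "vpc-0example"},
               [{"Protocol": "HTTPS", "Port": 443}, {"Protocol": "HTTP", "Port": 80}]),
    from_elbv2({"LoadBalancerName": "api-internal", "Type": "network",
                "Scheme": "internal", "VpcId": "vpc-0example"},
               [{"Protocol": "TLS", "Port": 443}]),
    from_elbv2({"LoadBalancerName": "admin-public", "Type": "application",
                "Scheme": "internet-facing", "VpcId": "vpc-0example"},
               [{"Protocol": "HTTP", "Port": 80}]),
    from_classic({"LoadBalancerName": "legacy-classic",
                  "ListenerDescriptions": [{"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}}]}),
]

if __name__ == "__main__":
    for finding in find_exposed(SAMPLE_INVENTORY):
        print(f"{finding.name}: {finding.reason} -> {finding.remediation}")
```

Run as-is to see the three findings from the sample inventory; call collect_from_aws("us-east-1") in place of SAMPLE_INVENTORY to audit a real account (requires boto3 and elasticloadbalancing:Describe* permissions). The classification only tells you which load balancers to look at; whether an internet-facing one is legitimate is a judgement the rule leaves to you.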
