
Internet Facing ELBs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ELB-013

Ensure that all the internet-facing Classic Load Balancers (CLBs) available within your AWS account are regularly reviewed for security purposes. An internet-facing ELB load balancer has a publicly resolvable DNS name (identified by an A record), required to route requests from clients over the Internet to the EC2 instances registered with the load balancer. By contrast, an internal ELB load balancer is commonly used within a multi-tier architecture, where front-end web servers send requests to an internal load balancer using private IP addresses resolved from the internal load balancer's DNS name. Trend Cloud One™ – Conformity strongly recommends reviewing your Classic Load Balancers on a regular basis to ensure that the scheme used by each ELB resource fits the necessary requirements from the security standpoint.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using the right scheme (internal or internet-facing) for your Classic Load Balancers (CLBs) is vital for maintaining the security of your load balancing cloud architecture.


Audit

To identify the scheme used by the Classic Load Balancers deployed within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Classic Load Balancer that you want to examine.

06 Choose the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Basic Configuration section, check the Scheme configuration attribute value. If the attribute value is set to internet-facing, the selected Classic Load Balancer is internet-facing and routes requests from clients over the Internet to the registered EC2 instances, therefore the load balancer must be reviewed from the security standpoint.

08 Repeat steps no. 5 – 7 for each Classic Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --output table \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return a table with the requested load balancer names:

-------------------------------
|    DescribeLoadBalancers    |
+-----------------------------+
|  cc-web-prod-load-balancer  |
|  cc-frontend-load-balancer  |
+-----------------------------+

03 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the scheme name used by the selected ELB resource:

aws elb describe-load-balancers \
  --region us-east-1 \
  --load-balancer-name cc-web-prod-load-balancer \
  --query 'LoadBalancerDescriptions[*].Scheme'

04 The command output should return the name of the scheme used by the selected load balancer:

[
	"internet-facing"
]

If the describe-load-balancers command output returns "internet-facing", as shown in the output example above, the selected Classic Load Balancer is internet-facing and routes requests from clients over the Internet to the registered EC2 instances, therefore the load balancer must be reviewed from the security standpoint.

05 Repeat steps no. 3 and 4 to determine the scheme used by other Amazon ELB load balancers available in the current AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
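The Audit steps above, automated as an added example (this is not Conformity's code): the check reads describe-load-balancers output for every region, reports each CLB whose Scheme is internet-facing, and lists its plain-text listener ports so a reviewer knows where to start. The sample responses are constructed, and the describe callback is assumed to be wired to boto3 or the CLI in real use.

```python
import json
from typing import Callable, Dict, List

# Constructed sample responses in the shape `aws elb describe-load-balancers`
# returns (trimmed to the fields this check reads); names and IDs are made up.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "us-east-1": {"LoadBalancerDescriptions": [
        {"LoadBalancerName": "cc-web-prod-load-balancer", "Scheme": "internet-facing",
         "DNSName": "cc-web-prod-load-balancer-123456789012.us-east-1.elb.amazonaws.com",
         "ListenerDescriptions": [
             {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 8080}},
             {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 8080}}]},
        {"LoadBalancerName": "cc-frontend-load-balancer", "Scheme": "internal",
         "DNSName": "internal-cc-frontend-load-balancer-123456789012.us-east-1.elb.amazonaws.com",
         "ListenerDescriptions": [
             {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 8080, "InstancePort": 8080}}]},
    ]},
    "eu-west-1": {"LoadBalancerDescriptions": []},
}


def classify(desc: dict) -> dict:
    """Reduce one LoadBalancerDescription to what a reviewer needs for ELB-013."""
    listeners = [ld["Listener"] for ld in desc.get("ListenerDescriptions", [])]
    return {
        "name": desc["LoadBalancerName"],
        "scheme": desc["Scheme"],
        "dns_name": desc.get("DNSName", ""),
        # Unencrypted front-end listeners on an internet-facing ELB are the first thing to review.
        "plaintext_ports": sorted(l["LoadBalancerPort"] for l in listeners
                                  if l["Protocol"].upper() in ("HTTP", "TCP")),
    }


def audit(regions, describe: Callable[[str], dict]) -> List[dict]:
    """Return the internet-facing CLBs across `regions`. `describe(region)` must return
    a describe-load-balancers response (assumed: boto3 client or CLI output, not shown)."""
    findings = []
    for region in regions:
        for desc in describe(region).get("LoadBalancerDescriptions", []):
            info = classify(desc)
            if info["scheme"] == "internet-facing":
                info["region"] = region
                findings.append(info)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSES, SAMPLE_RESPONSES.__getitem__), indent=2))
```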

Remediation/Resolution:

Review your internet-facing ELB load balancers and change the scheme configuration for the load balancers that are not following the regulatory security requirements. To change the scheme for your Classic Load Balancers you need to re-create them with the internal scheme configuration. To create internal ELB load balancers, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"ClassicLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
			"Properties": {
				"LoadBalancerName": "cc-internal-prod-load-balancer",
				"SecurityGroups": [
					"sg-0abcd1234abcd1234",
					"sg-01234abcd1234abcd"
				],
				"Subnets": [
					"subnet-01234abcd1234abcd",
					"subnet-0abcd1234abcd1234"
				],
				"Instances": [
					"i-0abcd1234abcd1234",
					"i-01234abcd1234abcd"
				],
				"Listeners": [
					{
						"InstancePort": "8080",
						"InstanceProtocol": "HTTP",
						"LoadBalancerPort": "8080",
						"Protocol": "HTTP",
						"PolicyNames": []
					}
				],
				"AvailabilityZones": [
					"us-east-1a",
					"us-east-1b"
				],
				"Scheme": "internal"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-internal-prod-load-balancer
      SecurityGroups:
        - sg-0abcd1234abcd1234
        - sg-01234abcd1234abcd
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      Instances:
        - i-0abcd1234abcd1234
        - i-01234abcd1234abcd
      Listeners:
        - InstancePort: '8080'
          InstanceProtocol: HTTP
          LoadBalancerPort: '8080'
          Protocol: HTTP
          PolicyNames: []
      AvailabilityZones:
        - us-east-1a
        - us-east-1b
      Scheme: internal

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_elb" "aws-load-balancer" {
	name                = "cc-internal-prod-load-balancer"
	instances           = ["i-0abcd1234abcd1234", "i-01234abcd1234abcd"]
	subnets             = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
	security_groups     = ["sg-0abcd1234abcd1234", "sg-01234abcd1234abcd"]
	availability_zones  = ["us-east-1a", "us-east-1b"]
	listener {
		instance_port     = 8080
		instance_protocol = "http"
		lb_port           = 8080
		lb_protocol       = "http"
	}
	# internal = true creates the load balancer with the "internal" scheme, so its
	# DNS name resolves only to private IP addresses inside the VPC.
	internal            = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Choose Create Load Balancer from the console top menu to initiate the setup process.

05 On the Select load balancer type page, choose Classic Load Balancer - previous generation to set up a new Classic Load Balancer, then select Create to start the setup.

06 On the load balancer setup page, perform the following operations:

  1. For Step 1: Define Load Balancer, provide a unique name for your new load balancer, select the target VPC, select Create an internal load balancer to deploy an internal load balancer, and set up the required listener configuration. Choose Next: Assign Security Groups to continue the setup.
  2. For Step 2: Assign Security Groups, choose one or more existing security groups for the new load balancer or create new ones. These security groups should act as a set of firewall rules that control the traffic to your load balancer. Choose Next: Configure Security Settings to continue.
  3. For Step 3: Configure Security Settings, create and configure the necessary HTTPS listeners for your new Classic Load Balancer. Choose Next: Configure Health Check to continue.
  4. For Step 4: Configure Health Check, configure the health check settings to meet your specific needs. Choose Next: Add EC2 instances to continue the setup.
  5. For Step 5: Add EC2 Instances, add the necessary Amazon EC2 instances to your load balancer. Configure Availability Zone (AZ) distribution. Choose Next: Add EC2 instances to continue the setup.
  6. For Step 6: Add Tags, apply tags to your load balancer to help organize and identify the resource. Choose Review and Create to continue.
  7. For Step 7: Review, review your load balancer configuration, then choose Create to deploy your new, internal Classic Load Balancer.
  8. Choose Close to return to the Amazon EC2 console.

07 If required, repeat steps no. 4 – 6 to deploy more internal Classic Load Balancers within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-security-group command (OSX/Linux/UNIX) to create the security group that will be used by the internal Classic Load Balancer. The following command example creates a security group named "cc-elb-security-group" inside a VPC identified with the ID vpc-abcd1234abcd1234, available within the US East (N. Virginia) region:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-elb-security-group \
  --description "Classic Load Balancer Security Group" \
  --vpc-id vpc-abcd1234abcd1234

02 The command output should return the ID of the new security group:

{
	"GroupId": "sg-01234abcd1234abcd"
}

03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as the identifier parameter, to set up the inbound rules based on your application requirements (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 8080 \
  --cidr 0.0.0.0/0

04 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the outbound rules based on your application needs (the command does not return an output):

aws ec2 authorize-security-group-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

05 Run create-load-balancer command (OSX/Linux/UNIX) to create a new, internal Classic Load Balancer in the selected AWS region:

aws elb create-load-balancer \
  --region us-east-1 \
  --load-balancer-name cc-internal-prod-load-balancer \
  --listeners "Protocol=HTTP,LoadBalancerPort=8080,InstanceProtocol=HTTP,InstancePort=8080" \
  --subnets "subnet-01234abcd1234abcd" "subnet-0abcd1234abcd1234" \
  --security-groups sg-01234abcd1234abcd \
  --scheme internal

06 The command output should return the DNS name for the new load balancer:

{
	"DNSName": "cc-internal-prod-load-balancer-123456789012.us-east-1.elb.amazonaws.com"
}

07 Run register-instances-with-load-balancer command (OSX/Linux/UNIX) to register the necessary EC2 instances with the internal Classic Load Balancer created at the previous steps:

aws elb register-instances-with-load-balancer \
  --region us-east-1 \
  --load-balancer-name cc-internal-prod-load-balancer \
  --instances i-0abcd1234abcd1234 i-01234abcd1234abcd

08 The command output should return the IDs of the backend instances registered with the new load balancer:

{
	"Instances": [
		{
			"InstanceId": "i-0abcd1234abcd1234"
		},
		{
			"InstanceId": "i-01234abcd1234abcd"
		}
	]
}

09 If required, repeat steps no. 5 – 8 to deploy more internal Classic Load Balancers in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Jul 12, 2017