
Enable Deletion Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Deletion Protection safety feature is enabled for your Amazon Gateway Load Balancers (GWLBs) in order to protect the load balancers from being accidentally deleted.

Reliability

Amazon Gateway Load Balancer (GWLB) is an AWS service that makes it easy and cost-effective to deploy, scale, and manage the availability of third-party virtual appliances such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems in the cloud. By default, Deletion Protection is disabled. With Deletion Protection enabled, the DeleteLoadBalancer API action (and therefore the matching console and CLI operations) is rejected until the attribute is turned off again, so a single mistaken click or script cannot remove a GWLB and break the inspection path that your load-balanced traffic depends on. Note that this attribute guards against mistakes, not against a deliberate actor: any principal allowed to call elasticloadbalancing:ModifyLoadBalancerAttributes can disable it and then delete the load balancer, so restrict that permission (for example with an IAM policy or an SCP) on production load balancers.


Audit

To determine if your Amazon Gateway Load Balancers are protected against accidental deletion, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Select the Gateway Load Balancer that you want to examine. A Gateway Load Balancer (GWLB) has the Type attribute value set to gateway in the Type column.

05 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

06 In the Attributes section, check the Deletion protection attribute value. If the attribute value is set to Disabled, the Deletion Protection safety feature is not enabled for the selected Amazon Gateway Load Balancer (GWLB).

07 Repeat steps no. 4 – 6 for each Gateway Load Balancer deployed within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Gateway Load Balancer available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `gateway`)].LoadBalancerArn'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-production-gwlb/abcdabcdabcdabcd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-staging-gwlb/abcd1234abcd1234"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Amazon Gateway Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the Deletion Protection feature status available for the selected load balancer:

aws elbv2 describe-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-production-gwlb/abcdabcdabcdabcd \
  --query 'Attributes[?(Key == `deletion_protection.enabled`)].Value | []'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

[
  "false"
]

If the describe-load-balancer-attributes command output returns "false", as shown in the output example above, the Deletion Protection safety feature is not enabled for the selected Amazon Gateway Load Balancer (GWLB).

05 Repeat steps no. 3 and 4 for each Gateway Load Balancer deployed in the selected AWS cloud region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable the Deletion Protection safety feature for your Amazon Gateway Load Balancers (GWLBs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Deletion Protection for Gateway Load Balancers",
  "Resources": {
    "GatewayLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties" : {
        "Name" : "cc-gateway-load-balancer",
        "Type" : "gateway",
        "IpAddressType" : "ipv4",
        "Subnets" : [ "subnet-0abcdabcdabcdabcd", "subnet-0abcd1234abcd1234" ],
        "LoadBalancerAttributes" : [
          {
            "Key" : "deletion_protection.enabled",
            "Value" : "true"
          }
        ]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Deletion Protection for Gateway Load Balancers
Resources:
  GatewayLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-gateway-load-balancer
      Type: gateway
      IpAddressType: ipv4
      Subnets:
        - subnet-0abcdabcdabcdabcd
        - subnet-0abcd1234abcd1234
      LoadBalancerAttributes:
        - Key: deletion_protection.enabled
          Value: 'true'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_lb" "gateway-load-balancer" {
  name               = "cc-gateway-load-balancer"
  load_balancer_type = "gateway"
  ip_address_type    = "ipv4"
  subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]

  # Enable Deletion Protection for Gateway Load Balancers.
  # While this is true the AWS API rejects every delete, including
  # `terraform destroy`; set it to false and apply first when you really
  # intend to remove the load balancer.
  enable_deletion_protection = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Select the Gateway Load Balancer that you want to reconfigure. A Gateway Load Balancer (GWLB) has the Type attribute value set to gateway in the Type column.

05 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

06 In the Attributes section, choose Edit attributes to modify the load balancer configuration attributes.

07 In the Edit load balancer attributes configuration box, select the Enable checkbox next to Deletion protection, to enable the Deletion Protection feature for the selected Amazon Gateway Load Balancer. Choose Save to apply the changes.

08 Repeat steps no. 4 – 7 for each Gateway Load Balancer that you want to reconfigure, available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Gateway Load Balancer (GWLB) that you want to reconfigure as the identifier parameter, to enable the Deletion Protection safety feature for the selected load balancer:

aws elbv2 modify-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-production-gwlb/abcdabcdabcdabcd \
  --attributes Key=deletion_protection.enabled,Value=true

02 The command output should return the configuration attributes currently enabled for the modified load balancer:

{
  "Attributes": [
      {
          "Key": "deletion_protection.enabled",
          "Value": "true"
      },
      {
          "Key": "load_balancing.cross_zone.enabled",
          "Value": "true"
      }
  ]
}

03 Repeat steps no. 1 and 2 for each Gateway Load Balancer that you want to reconfigure, deployed in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
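The Audit and Remediation CLI procedures above are the same loop run twice: list the gateway-type load balancers in every region, read deletion_protection.enabled, and flip it to true where it is false. The script below is an added example (not Conformity's own tooling) that does both in one pass and, after each fix, re-reads the attribute from the API response instead of assuming the change took. The --live and --remediate flags, the FakeElbv2Client class and the load balancer data inside it are constructed for this example; --live assumes boto3 is installed and credentials with elasticloadbalancing:Describe*/ModifyLoadBalancerAttributes and ec2:DescribeRegions are available.

```python
"""Audit, and optionally remediate, Deletion Protection on Gateway Load Balancers.

Added example. Runs offline against a constructed fake client by default;
pass --live to use boto3 against the real account (every enabled region).
"""
import sys

DELETION_PROTECTION_KEY = "deletion_protection.enabled"


def is_deletion_protected(attributes):
    """True only if the attribute is present and 'true' (the API returns strings)."""
    for attr in attributes:
        if attr.get("Key") == DELETION_PROTECTION_KEY:
            return attr.get("Value", "").lower() == "true"
    return False  # attribute absent: treat as the AWS default, disabled


def list_gateway_load_balancers(client):
    """ARNs of every GWLB in the client's region, following NextMarker pagination."""
    arns, kwargs = [], {}
    while True:
        page = client.describe_load_balancers(**kwargs)
        arns.extend(lb["LoadBalancerArn"] for lb in page["LoadBalancers"]
                    if lb.get("Type") == "gateway")
        marker = page.get("NextMarker")
        if not marker:
            return arns
        kwargs = {"Marker": marker}


def audit_region(client, remediate=False):
    """Map each GWLB ARN to its protection status; fix unprotected ones if asked."""
    results = {}
    for arn in list_gateway_load_balancers(client):
        attrs = client.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]
        protected = is_deletion_protected(attrs)
        if not protected and remediate:
            resp = client.modify_load_balancer_attributes(
                LoadBalancerArn=arn,
                Attributes=[{"Key": DELETION_PROTECTION_KEY, "Value": "true"}])
            protected = is_deletion_protected(resp["Attributes"])  # verify, don't assume
        results[arn] = protected
    return results


class FakeElbv2Client:
    """Constructed stand-in for boto3's elbv2 client; sample data, not a real account."""

    PROD = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-production-gwlb/abcdabcdabcdabcd"
    STAGING = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-staging-gwlb/abcd1234abcd1234"
    ALB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-alb/0123456789abcdef"

    def __init__(self):
        self.load_balancers = [
            {"LoadBalancerArn": self.PROD, "Type": "gateway"},
            {"LoadBalancerArn": self.STAGING, "Type": "gateway"},
            {"LoadBalancerArn": self.ALB, "Type": "application"},  # must be skipped
        ]
        self.attributes = {
            self.PROD: [{"Key": DELETION_PROTECTION_KEY, "Value": "true"}],
            self.STAGING: [{"Key": DELETION_PROTECTION_KEY, "Value": "false"},
                           {"Key": "load_balancing.cross_zone.enabled", "Value": "true"}],
            self.ALB: [{"Key": DELETION_PROTECTION_KEY, "Value": "false"}],
        }

    def describe_load_balancers(self, **kwargs):
        return {"LoadBalancers": list(self.load_balancers)}

    def describe_load_balancer_attributes(self, LoadBalancerArn):
        return {"Attributes": list(self.attributes[LoadBalancerArn])}

    def modify_load_balancer_attributes(self, LoadBalancerArn, Attributes):
        current = {a["Key"]: a["Value"] for a in self.attributes[LoadBalancerArn]}
        current.update((a["Key"], a["Value"]) for a in Attributes)
        self.attributes[LoadBalancerArn] = [{"Key": k, "Value": v} for k, v in current.items()]
        return self.describe_load_balancer_attributes(LoadBalancerArn)


def main(argv):
    remediate = "--remediate" in argv
    if "--live" in argv:
        import boto3  # assumption: boto3 installed, credentials configured
        session = boto3.Session()
        # describe_regions() returns only regions enabled for this account
        regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
        clients = {r: session.client("elbv2", region_name=r) for r in regions}
    else:
        clients = {"us-east-1": FakeElbv2Client()}
    for region, client in clients.items():
        for arn, ok in audit_region(client, remediate).items():
            print(f"{region} {'PASS' if ok else 'FAIL'} {arn}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it without flags to see the sample report (one PASS, one FAIL, the application load balancer ignored), with --remediate to watch the FAIL turn into PASS, and with --live --remediate against a real account. Remediation re-checks the response of modify-load-balancer-attributes rather than trusting the request succeeded, which is the same verification the Audit section's describe-load-balancer-attributes step performs.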

Publication date Feb 6, 2021