ELBv2 ALB Security Group

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: ELBv2-006

Ensure that all Amazon Application Load Balancers (ALBs) available in your AWS cloud account are associated with security groups that restrict access only to the ports defined within the listener configuration associated with your load balancers.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using well-configured security groups for your Application Load Balancers (ALBs) can substantially reduce the risk of data loss and unauthorized access. The security groups must also be valid: when a load balancer is created without specifying a security group, it is automatically associated with the VPC’s default security group, which is considered invalid.


Audit

To determine if your Amazon Application Load Balancers (ALBs) are using insecure and invalid security groups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list all the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to examine.

06 Choose the Listeners tab from the console bottom panel and check the protocol and port for each configured listener, available in the Listener ID column.

07 Choose the Description tab from the console bottom panel to access the load balancer configuration information.

08 In the Security section, click on the ID (link) of the security group that you want to examine.

09 On the selected security group configuration page, perform the following checks:

  1. Select the Details tab from the console bottom panel and check the name of the security group listed as the value of the Security group name attribute. If the security group name is default, the associated security group is considered invalid.
  2. Choose the Inbound rules tab from the console bottom panel and check the values available in the Protocol and Port range columns for each configured inbound rule. Compare the values listed in the Protocol and Port range columns with the listener protocol and port identified at step no. 6. If one or more inbound rules don't match the listener configuration identified at step no. 6, the selected security group is not secure.

10 Repeat steps no. 8 and 9 for each security group associated with the selected load balancer.

11 Repeat steps no. 5 – 10 for each Application Load Balancer provisioned within the current AWS region.

12 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Application Load Balancer available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'

02 The command output should return an array with the requested load balancer ARN(s):

[
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-load-balancer/aabbccddaabbccdd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-frontend-load-balancer/abcdabcdabcdabcd"
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the connection protocol and port of each listener configured for the selected load balancer:

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-load-balancer/aabbccddaabbccdd \
  --query 'Listeners[*].[Protocol,Port]'

04 The command output should return the requested configuration information:

[
	[
		"HTTP",
		80
	]
]

05 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer that you want to examine as the identifier parameter, to describe the ID(s) of the security group(s) associated with the selected load balancer:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-load-balancer/aabbccddaabbccdd \
  --query 'LoadBalancers[*].SecurityGroups[]'

06 The command output should return an array with the requested security group ID(s):

[
	"sg-0abcd1234abcd1234"
]

07 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the security group returned at the previous step as the identifier parameter to list the security group configuration details (name, inbound and outbound rules, etc.):

aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids sg-0abcd1234abcd1234

08 The command output should return the requested configuration information:

{
	"SecurityGroups": [
		{
			"Description": "default VPC security group",
			"GroupName": "default",
			"IpPermissions": [
				{
					"IpProtocol": "-1",
					"IpRanges": [],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"UserIdGroupPairs": [
						{
							"GroupId": "sg-0abcd1234abcd1234",
							"UserId": "123456789012"
						}
					]
				}
			],
			"OwnerId": "123456789012",
			"GroupId": "sg-0abcd1234abcd1234",
			"IpPermissionsEgress": [
				{
					"IpProtocol": "-1",
					"IpRanges": [
						{
							"CidrIp": "0.0.0.0/0"
						}
					],
					"Ipv6Ranges": [],
					"PrefixListIds": [],
					"UserIdGroupPairs": []
				}
			],
			"Tags": [
				{
					"Key": "Name",
					"Value": "default-security-group"
				}
			],
			"VpcId": "vpc-0abcdabcdabcdabcd"
		}
	]
}

09 Based on the information returned at the previous step, perform the following checks:

  1. If the "GroupName" attribute value is set to "default" (i.e. the VPC’s default security group), the associated security group is considered invalid.
  2. If the "IpPermissions" object contains inbound rules that don't match the listener configuration returned at step no. 4, the selected security group is not secure.

10 Repeat steps no. 7 – 9 for each security group associated with the selected load balancer.

11 Repeat steps no. 3 – 10 for each Application Load Balancer provisioned in the selected AWS region.

12 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
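The CLI audit above can be scripted. The following is an added example, not code from the Conformity page, that implements the step 9 checks over the JSON shapes returned by describe-listeners (step 4) and describe-security-groups (step 8). All group names, IDs and rules below are constructed samples, and "match" is interpreted strictly: an inbound rule passes only if it is TCP and opens nothing beyond the listener ports.

```python
# Added example (not Conformity's code): evaluate the ELBv2-006 checks over
# the JSON returned by `aws elbv2 describe-listeners --query 'Listeners[*].[Protocol,Port]'`
# and `aws ec2 describe-security-groups`. All sample data is constructed.

# Constructed sample: [Protocol, Port] pairs in the step 4 output shape
LISTENERS = [["HTTP", 80], ["HTTPS", 443]]

# Constructed sample: three security groups in the describe-security-groups shape
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupName": "default", "GroupId": "sg-0abcd1234abcd1234",            # VPC default SG
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0abcd1234abcd1234"}]}]},
    {"GroupName": "cc-alb-security-group", "GroupId": "sg-0abcdabcdabcdabcd",  # one rule per listener
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "cc-wide-open-sg", "GroupId": "sg-0ffffffffffffffff",    # range wider than listeners
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}


def listener_ports(listeners):
    """Set of ports the ALB listens on (ALB listeners are HTTP/HTTPS, i.e. TCP)."""
    return {port for _protocol, port in listeners}


def rule_matches_listeners(rule, ports):
    """True only if the inbound rule is TCP and every port it opens is a listener port.
    '-1' (all traffic), UDP/ICMP and ranges wider than the listeners all fail."""
    if rule.get("IpProtocol") != "tcp":
        return False
    return all(p in ports for p in range(rule["FromPort"], rule["ToPort"] + 1))


def evaluate_security_group(sg, ports):
    """Findings for one security group; an empty list means compliant."""
    findings = []
    if sg["GroupName"] == "default":                      # step 9, check 1
        findings.append("invalid: VPC default security group")
    for rule in sg.get("IpPermissions", []):              # step 9, check 2
        if not rule_matches_listeners(rule, ports):
            findings.append("insecure: inbound rule %s %s-%s does not match a listener"
                            % (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")))
    return findings


def audit(security_groups_output, listeners):
    """Map each security group ID to its findings for the given ALB listeners."""
    ports = listener_ports(listeners)
    return {sg["GroupId"]: evaluate_security_group(sg, ports)
            for sg in security_groups_output["SecurityGroups"]}


if __name__ == "__main__":
    for group_id, findings in audit(SECURITY_GROUPS, LISTENERS).items():
        print(group_id, "COMPLIANT" if not findings else findings)
```

In practice, feed the function the parsed output of the two describe commands for each ALB in each region.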

Remediation / Resolution

To replace any invalid and/or insecure security groups associated with your Amazon Application Load Balancers (ALBs), perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Set Compliant Security Group for Application Load Balancer",
	"Resources": {
		"ApplicationLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties" : {
				"Name" : "cc-internet-facing-load-balancer",
				"Type" : "application",
				"Scheme" : "internet-facing",
				"IpAddressType" : "ipv4",
				"Subnets" : [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ],
				"SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Set Compliant Security Group for Application Load Balancer
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      SecurityGroups:
        - sg-0abcdabcdabcdabcd

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
	name               = "cc-internet-facing-load-balancer"
	load_balancer_type = "application"
	internal           = false
	ip_address_type    = "ipv4"
	subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]

	# Set Compliant Security Group for Application Load Balancer
	security_groups    = ["sg-0abcdabcdabcdabcd"]

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 To create a compliant security group, click on the Create security group button from the console top menu to initiate the setup process.

05 On the Create security group setup page, provide the following information:

  1. For Security group name, provide a unique name for your new security group.
  2. For Description, provide a short description that reflects the security group usage.
  3. Choose the appropriate VPC network from the VPC dropdown list.
  4. In the Inbound rules section, choose Add rule to define the inbound/ingress rule(s) required to allow access to the associated load balancer. The inbound rule(s) must match your load balancer listener(s) configuration (protocol and port).
  5. In the Tags – optional section, use the Add new tag button to apply tag sets.
  6. Choose Create security group to create your new, compliant security group.

06 Replace the non-compliant security group with the new one within your Application Load Balancer (ALB) configuration. To replace the required resource, perform the following actions:

  1. In the main navigation panel, under Load Balancing, choose Load Balancers.
  2. Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list all the Application Load Balancers available in the current region.
  3. Select the Application Load Balancer (ALB) that you want to reconfigure.
  4. Select the Description tab and choose Edit security groups in the Security section.
  5. In the Edit security groups configuration box, select the security group created at step no. 5 to attach the new and compliant security group to the load balancer and deselect the insecure/invalid security group identified during the Audit process to detach the resource from the selected load balancer. Choose Save to apply the changes.

07 Repeat steps no. 3 – 6 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-security-group command (OSX/Linux/UNIX) to create a compliant security group for your Application Load Balancer (ALB). This will replace the insecure/invalid security group attached to your load balancer:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-alb-security-group \
  --description "Compliant EC2 Security Group for Application Load Balancer" \
  --vpc-id vpc-0abcdabcdabcdabcd

02 The command output should return the ID of the new security group:

{
	"GroupId": "sg-0abcdabcdabcdabcd"
}

03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to create inbound/ingress rules that match the load balancer listeners. Run this command as many times as needed, changing the --protocol, --port and --cidr parameter values accordingly (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-0abcdabcdabcdabcd \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

04 Run set-security-groups command (OSX/Linux/UNIX) to replace the non-compliant (invalid) security group associated with your Application Load Balancer with the new, compliant one:

aws elbv2 set-security-groups \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-load-balancer/aabbccddaabbccdd \
  --security-groups sg-0abcdabcdabcdabcd

05 The command output should return the ID of the associated security group:

{
	"SecurityGroupIds": [
		"sg-0abcdabcdabcdabcd"
	]
}

06 Repeat steps no. 1 – 5 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Feb 5, 2018