AWS Misconfigurations
ELB Audit
Checks Performed
- ALB Desync Mitigation Mode
- No Classic ELB in Use
- ELBs Should Not Have Insecure Configurations
- Classic ELB Listeners Should Have At Least One ACM Certificate
- ELB Security Layer Should Have At Least One Valid Security Group
- ELBs Must Use Latest AWS Security Policies
- CLB With Desync Mitigation Mode Should Be Enabled
- Classic Load Balancer Has Multiple Availability Zones
- ALBs Should Not Have Insecure Configurations
- ALBs Should Have Latest SSL/TLS Configurations
- Right Health Check Configurations Should Be Used For App-Tier ELBs
- Latest AWS Security Policy for SSL Negotiations Should Be Used For App-Tier ELBs
- ELBs Should Be Evenly Distributed Over AZs
- No Unused ELBs Should Be Present
- ELBs Should Have Connection Draining Enabled
- ELBs Should Have Cross-Zone Load Balancing Enabled
- ELB Should Accept HTTPS Connections Only
- No Idle ELBs Should Be Present
- ELBs Should Not Have Insecure Ciphers
- ELBs Should Drop Invalid HTTP Headers
- ELB Listeners Should Have At Least One ACM Certificate
- ELB Should Have Logging Enabled
- NLBs Should Not Have Insecure Configurations
- NLBs Should Have Latest SSL/TLS Configurations
- ELBs Should Have Deletion Protection Flag Enabled
- ELBs Should Use Secure Listeners Only
- ELB Should Have WAF Enabled
- Right Health Check Configurations Should Be Used For Web-Tier ELBs
- Web-Tier ELBs Should Use Secure Listeners
- Latest AWS Security Policy for SSL Negotiations Should Be Used For Web-Tier ELBs
- FMS Policy Owner Specifies WebACLId
- Internet Facing ELBs Should Be Regularly Reviewed
- Minimum Number of EC2 Instances Should Be Configured For ELBs