Cloudanix
AWS ELB Audit
ELB Should Accept HTTPS Connections Only
ELB should be configured to block HTTP connections and allow only HTTPS connections.
ELB Should Have Logging Enabled
Load balancers should have request logging enabled. Logging requests to ELB endpoints is a helpful way of detecting and investigating potential attacks.
ELB Should Have WAF Enabled
WAF should be enabled so that the firewall prevents malicious attackers from intruding into your system.
ELBs Should Not Have Insecure Ciphers
Insecure ciphers on ELBs should be checked. Various security vulnerabilities have rendered several ciphers insecure. Only the recommended ciphers should be used.
ELBs Should Have Deletion Protection Flag Enabled
Deletion Protection flag should be enabled in order to prevent accidental deletions.
ELBs Should Use Secure Listeners Only
ELBv2 load balancers should use only secure listeners. A listener is a process that checks for connection requests, using the protocol and port that you configure.
ELBs Should Have Cross Zone Enabled
For higher availability and reliability, ELBs should work with cross zone nodes.
ELBs Should Drop Invalid HTTP Header
Invalid HTTP headers in ELB should be dropped.
Minimum Number of EC2 Instances Should Be Configured For ELBs
A minimum number of instances should be configured for your load balancer to improve reliability.
No Classic ELB Should Be In Use
Use of Classic ELB is not recommended. AWS has deprecated it and wants users to move to the alternatives.
Secure Listeners Should Be In App-tier ELBs
Your app-tier Elastic Load Balancer (ELB) listeners should be using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer.
Latest AWS Security Policy for SSL Negotiations Should Be Used For App-Tier ELBs
Your app-tier Elastic Load Balancer (ELB) listeners should be using the latest AWS security policy for their SSL negotiation configuration.
Right Health Check Configurations Should Be Used For App-Tier ELBs
Improve the reliability of the applications behind your app-tier ELBs by using the appropriate health check configuration.
ELBs Should Have Connection Draining Enabled
If an EC2 backend instance fails health checks, the Elastic Load Balancer should not send any new requests to the unhealthy instance.
ELBs Should Be Evenly Distributed over AZs
EC2 instances registered to your Amazon Elastic Load Balancing (ELB) should be evenly distributed across all Availability Zones (AZs) in order to improve the reliability of the ELB configuration.
ELB Security Layer Should Have At Least One Valid Security Group
Check the Elastic Load Balancer (ELB) security layer for at least one valid security group that restricts access only to the ports defined in the load balancer listeners configuration.
ELBs Must Use Latest AWS Security Policies
Elastic Load Balancers should be using the latest AWS predefined security policies.
No Idle ELBs Should Be Present
Amazon ELBs should not be idle. Idle ELBs should be terminated to help lower the cost of your monthly AWS bill.
Internet Facing ELBs Should Be Regularly Reviewed
All Amazon internet-facing load balancers (Classic Load Balancers and Application Load Balancers) provisioned within your AWS account should be regularly reviewed for security purposes.
No Unused ELBs Should Be Present
You should not have unused Elastic Load Balancers in your AWS account. Unused ELBs should be deleted to help lower the cost of your monthly AWS bill.
Secure Listeners in Web-tier ELBs
Your web-tier Elastic Load Balancer (ELB) listeners should be using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer.
Latest AWS Security Policy for SSL Negotiations Should Be Used For Web-Tier ELBs
Your web-tier Elastic Load Balancer (ELB) listeners should be using the latest AWS security policy for their SSL negotiation configuration.
Right Health Check Configurations Should Be Used For Web-Tier ELBs
Improve the reliability of the applications behind your web-tier ELBs by using the appropriate health check configuration.
ELBs Should Not Have Insecure Configurations
Your Elastic Load Balancer (ELB) listeners should not have insecure configurations. Only HTTPS or SSL should be used to encrypt the communication between the client and your load balancers.
ALBs Should Not Have Insecure Configurations
Your Application Load Balancer (ALB) listeners should not have insecure configurations.
ALBs Should Have Latest SSL/TLS Configurations
Your Amazon ALBs should be using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
NLBs Should Not Have Insecure Configurations
Your Amazon Network Load Balancers (NLBs) should be configured to terminate TLS traffic in order to optimize the performance of the backend servers.
NLBs Should Have Latest SSL/TLS Configurations
Your Amazon Network Load Balancers (NLBs) should be using the latest recommended predefined security policy for TLS negotiation configuration in order to protect their front-end connections against TLS vulnerabilities and meet security requirements.