AWS ELB Audit

Your number of Elastic Load Balancers can grow pretty fast - and so could be your painpoints.

What we do?

ELB Accepts HTTPS connections Only

ELB should be configured to block HTTP connection and allow only HTTPS connections.

Addresses: Security

Additional Reading:

ELB Logging Enabled

Load balancers must have request logging enabled. Logging requests to ELB endpoints is a helpful way of detecting and investigating potential attacks.

Addresses: Security, Operational Maturity

Additional Reading:

WAF Enabled

Enable WAF so that this firewall will prevent malicious attackers to intrude into your system.

Addresses: Security

No Insecure Ciphers

Check for insecure ciphers on ELBs. Various security vulnerabilities have rendered several ciphers insecure. Only the recommended ciphers should be used.

Addresses: Security

Additional Reading:

Deletion Protection Flag Enabled

Deletion Protection flag should be enabled in order to prevent accidental deletions.

Addresses: Reliability, Operational Maturity

Additional Reading:

Secure Listeners Only

ELBv2 load balancers shall use only the secure listeners. A listener is a process that checks for connection requests, using the protocol and port that you configure.

Addresses: Security

Additional Reading:

Cross Zone Enabled

For higher availability and reliability, ELBs shall work with cross zone nodes.

Addresses: Reliability

Additional Reading:

Invalid Http Header Dropped

Addresses: Security

Min EC2 instances available

Configure minimum number of instances available for your Load Balancer to improve the reliability.

Addresses: Reliability

No Classic ELB in-use

Classic ELB is not recommended to be used. AWS has deprecated it and wants them to move to the alternatives.

Addresses: Security, Operational Maturity, Reliability

Additional Reading:

Secure Listeners in App-tier only

Ensure that your app-tier Elastic Load Balancer (ELB) listeners are using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer.

Addresses: Security

Use latest AWS Security Policy for SSL negotiations

Ensure that your app-tier Elastic Load Balancers (ELBs) listeners are using the latest AWS security policy for their SSL negotiation configuration

Addresses: Security

Use the right health check configurations

Improve the reliability of the applications behind your app-tier ELBs by using the appropriate health check configuration.

Addresses: Reliability

Connection Draining enabled

Elastic Load Balancer will not send any new requests to the unhealthy instance if an EC2 backend instance fails health checks

Addresses: Reliability

Ensure ELBs are evenly distributed over AZs

Ensure that the EC2 instances registered to your Amazon Elastic Load Balancing (ELB) are evenly distributed across all Availability Zones (AZs) in order to improve the ELBs configuration reliability

Addresses: Reliability

Check ELB security layer for at least one valid security group

Check Elastic Load Balancer (ELB) security layer for at least one valid security group that restrict access only to the ports defined in the load balancer listeners configuration

Addresses: Security

ELBs must use latest AWS security policies

Ensure that Elastic Load Balancers are using the latest AWS predefined security policies

Addresses: Security

Identify and terminate idle ELBs

Identify any Amazon ELBs that appear to be idle and terminate them to help lower the cost of your monthly AWS bill

Addresses: Cost Optimisation

Internet facing ELBs must be regularly reviewed for security purposes

Ensure that all Amazon internet-facing load balancers (Classic Load Balancers and Application Load Balancers) provisioned within your AWS account are regularly reviewed for security purposes.

Addresses: Security

Identify and delete unused ELBs

Identify unused Elastic Load Balancers, and delete them to help lower the cost of your monthly AWS bill.

Addresses: Cost Optimisation

Secure Listeners in Web-tier only

Ensure that your web-tier Elastic Load Balancer (ELB) listeners are using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer.

Addresses: Security

Use latest AWS Security Policy for SSL negotiations

Ensure that your web-tier Elastic Load Balancers (ELBs) listeners are using the latest AWS security policy for their SSL negotiation configuration

Addresses: Security

Use the right health check configurations

Improve the reliability of the applications behind your web-tier ELBs by using the appropriate health check configuration.

Addresses: Reliability

Check ELBs for insecure configurations

Check your Elastic Load Balancers (ELBs) listeners for insecure configurations. Use only HTTPS or SSL to encrypt the communication between the client and your load balancers.

Addresses: Security

Check ALBs for insecure configurations

Check your Application Load Balancers (ALBs) listeners for insecure configurations.

Addresses: Security

Check ALBs for latest SSL/TLS configurations

Ensure that your Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.

Addresses: Security

Check NLBs for insecure configurations

Ensure that your Amazon Network Load Balancers (NLBs) are configured to terminate TLS traffic in order to optimize the performance of the backend servers.

Addresses: Security

Check ALBs for latest SSL/TLS configurations

Ensure that your Amazon Network Load Balancers (NLBs) are using the latest recommended predefined security policy for TLS negotiation configuration in order to protect their front-end connections against TLS vulnerabilities and meet security requirements

Addresses: Security