Skip to main content

lacework-global-199

Security group attached to Application Load Balancer should not allow inbound traffic from all

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to your Application Load Balancers (ALB) to prevent any unauthorized access.

Remediation

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

  3. In the left frame of the EC2 Dashboard, select LOAD BALANCING > Load Balancers.

  4. Select the Load Balancer that has the violation reported by Lacework.

  5. Under the Description tab, click on an attached security-group.

  6. Select the Inbound rules tab from the dashboard bottom panel.

  7. Check the value in the Source column for any inbound/ingress rules with a port range of 0-65535, or where Protocol = All and Port range = All. If one or more rules have the source set to 0.0.0.0/0, the selected security group allows unrestricted IPv4 traffic to all ports, therefore the access to the EC2 instance(s) associated with the security group is not restricted.

  8. To update the Source field to a range other than 0.0.0.0/0, select the 'Security group rule ID' you want to change, and click 'Edit inbound rules'.

  9. From here you can set the new Source field range, and click 'Save rules' to save the changes.

  10. It is also possible to remove the offending inbound rule completely by following the above steps, and instead of updating the Source field range, click Delete followed by 'Save rules'.

  11. Repeat steps 5-10 for each attached security group.