
lacework-global-482

Classic LBs should have a valid and secure security group

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that all Classic Elastic Load Balancers (ELBs) inside VPCs be assigned to security groups to prevent unauthorized access. In addition, it is recommended that the security group restricts traffic to only the necessary source IP ranges and ports: inbound rules should allow only the listener's load balancer port from known sources, and outbound rules should allow only the listener's instance port. Both inbound and outbound rules are evaluated. A violation is reported when a Classic Elastic Load Balancer has no security group attached, or when the attached security group's inbound or outbound rules are not restricted in this way.

Remediation

If a Classic Elastic Load Balancer is found to have an insecure security group, the security group rules can be updated, or a new security group can be created.

Update the security group rules:

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2 > NETWORK & Security > Security Groups.

  4. Locate the insecure Security Group.

  5. Adjust the Inbound and Outbound rules as required. Inbound rules must restrict the source to specific IP ranges (not 0.0.0.0/0 or ::/0) and must match the load balancer port of the Classic ELB listener. Outbound rules must match the instance port of the Classic ELB listener, rather than allowing all traffic.

OR

Create the security group to use for the Classic ELB:

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2 > NETWORK & Security > Security Groups.

  4. Click Create Security Group.

  5. Fill in the fields. In the Inbound and Outbound tabs, create rules as required. Inbound rules must restrict the source to specific IP ranges (not 0.0.0.0/0 or ::/0) and must match the load balancer port of the Classic ELB listener. Outbound rules must match the instance port of the Classic ELB listener; remove the default rule that allows all outbound traffic.

Assign the new security group to the Classic ELB:

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2.

  4. Select LOAD BALANCING > Load Balancers.

  5. Select the Load Balancer that has the violation reported by Lacework.

  6. Select the Description tab.

  7. Scroll down to Security > Source Security Group and click Edit security groups.

  8. Select the security group created in the previous step, deselect the old security group, and click Save. Confirm afterwards that the load balancer's health checks still pass, since an outbound rule that does not cover the instance port will cause the ELB to mark every backend unhealthy.
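The check described under Description and the security-group rules described in the remediation steps, as an added example in Python (this is not Lacework's or AWS's code). The input dictionaries have the shape returned by aws elb describe-load-balancers (LoadBalancerDescriptions[]) and aws ec2 describe-security-groups (SecurityGroups[]); the sample load balancer, group IDs and CIDR range below are constructed for the example. apply_remediation assumes boto3 and AWS credentials are available and is the only part that talks to AWS.

```python
"""Audit a Classic ELB's security groups (lacework-global-482) and build the
replacement rules the remediation steps describe.  Added example, not
Lacework's or AWS's code.  SAMPLE_* data below is constructed."""
import ipaddress

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "unrestricted" sources


def _rule_ports(rule):
    """Ports an IpPermission covers; None means every port (protocol -1)."""
    if rule.get("IpProtocol") == "-1" or rule.get("FromPort") is None:
        return None
    return range(rule["FromPort"], rule["ToPort"] + 1)


def _covers(rule, port):
    ports = _rule_ports(rule)
    return ports is None or port in ports


def _sources(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_classic_elb(lb, groups_by_id):
    """Return findings for one load balancer; an empty list means compliant."""
    findings = []
    sg_ids = lb.get("SecurityGroups", [])
    if not sg_ids:
        return [f"{lb['LoadBalancerName']}: no security group attached"]
    listeners = [d["Listener"] for d in lb["ListenerDescriptions"]]
    lb_ports = {l["LoadBalancerPort"] for l in listeners}
    inst_ports = {l["InstancePort"] for l in listeners}
    ingress, egress = [], []
    for sg_id in sg_ids:
        sg = groups_by_id.get(sg_id, {})
        ingress += sg.get("IpPermissions", [])
        egress += sg.get("IpPermissionsEgress", [])
    # Inbound: every listener port must be reachable, from restricted sources only.
    for port in sorted(lb_ports):
        if not any(_covers(r, port) for r in ingress):
            findings.append(f"inbound: no rule allows listener port {port}")
    for r in ingress:
        for src in _sources(r):
            if src in OPEN_CIDRS:
                findings.append(f"inbound: {src} allowed on ports "
                                f"{r.get('FromPort', 'all')}-{r.get('ToPort', 'all')}")
    # Outbound: every instance port must be allowed, and nothing beyond them.
    for port in sorted(inst_ports):
        if not any(_covers(r, port) for r in egress):
            findings.append(f"outbound: no rule allows instance port {port}")
    for r in egress:
        ports = _rule_ports(r)
        if ports is None:
            findings.append("outbound: rule allows all ports (default allow-all egress)")
        elif not any(p in ports for p in inst_ports):
            findings.append(f"outbound: rule allows ports {ports.start}-{ports.stop - 1} "
                            "that no listener uses")
    return findings


def build_rules(lb, allowed_sources, instance_sg_id):
    """IpPermissions for a replacement group: inbound from allowed_sources on each
    load balancer port, outbound to the backend instances' group on each instance port."""
    for cidr in allowed_sources:
        if cidr in OPEN_CIDRS:
            raise ValueError(f"{cidr} is not a restricted source")
        ipaddress.ip_network(cidr, strict=False)  # raises on malformed input
    inbound, outbound = {}, {}
    for d in lb["ListenerDescriptions"]:
        lp, ip = d["Listener"]["LoadBalancerPort"], d["Listener"]["InstancePort"]
        inbound[lp] = {"IpProtocol": "tcp", "FromPort": lp, "ToPort": lp,
                       "IpRanges": [{"CidrIp": c} for c in allowed_sources]}
        outbound[ip] = {"IpProtocol": "tcp", "FromPort": ip, "ToPort": ip,
                        "UserIdGroupPairs": [{"GroupId": instance_sg_id}]}
    return list(inbound.values()), list(outbound.values())


def apply_remediation(lb_name, vpc_id, inbound, outbound):
    """Create the group, install the rules and swap it onto the ELB.
    Needs boto3 and credentials; imported lazily so the audit code runs offline."""
    import boto3
    ec2, elb = boto3.client("ec2"), boto3.client("elb")
    sg_id = ec2.create_security_group(
        GroupName=f"{lb_name}-restricted", VpcId=vpc_id,
        Description=f"Restricted security group for classic ELB {lb_name}")["GroupId"]
    # A new VPC security group starts with an allow-all egress rule; remove it first.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=inbound)
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=outbound)
    # This call replaces the ELB's whole security-group set, dropping the old group.
    elb.apply_security_groups_to_load_balancer(LoadBalancerName=lb_name,
                                               SecurityGroups=[sg_id])
    return sg_id


# Constructed sample: HTTPS listener on 443 forwarding to instance port 8080,
# protected by a group that is open to the world and has the default egress rule.
SAMPLE_LB = {"LoadBalancerName": "web-classic-elb", "SecurityGroups": ["sg-0example0open"],
             "ListenerDescriptions": [{"Listener": {
                 "Protocol": "HTTPS", "LoadBalancerPort": 443,
                 "InstanceProtocol": "HTTP", "InstancePort": 8080}}]}
SAMPLE_SGS = {"sg-0example0open": {
    "GroupId": "sg-0example0open",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}}

if __name__ == "__main__":
    for finding in audit_classic_elb(SAMPLE_LB, SAMPLE_SGS):
        print("VIOLATION:", finding)
    inb, outb = build_rules(SAMPLE_LB, ["203.0.113.0/24"], "sg-0example0inst")
    print("replacement inbound:", inb)
    print("replacement outbound:", outb)
```

Running the sample reports two findings (the 0.0.0.0/0 inbound source and the allow-all egress rule); feeding the rules from build_rules back through audit_classic_elb as a new group yields none. The outbound rule targets the backend instances' security group rather than a CIDR, which keeps it valid when instances are replaced by an Auto Scaling group.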