lacework-global-483

ELBs should have a valid and secure security group

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that all Elastic Load Balancers (ELBs) inside VPCs be assigned to security groups to prevent unauthorized access. In addition, it is recommended that the security group restricts traffic to only the necessary IPs and ports. A violation is reported when an Elastic Load Balancer is not protected by a security group; both inbound and outbound rules are checked.

Remediation

For application load balancers:

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2.

  4. In the left frame of the EC2 Dashboard, select LOAD BALANCING > Load Balancers.

  5. Select the Load Balancer that has the violation reported by Lacework.

  6. Under the description, click the attached security-group.

  7. Edit the inbound rules and restrict access to only the required IPs and ports.

For gateway/network load balancers:

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2 > Instances.

  4. Click the instance that is being load balanced.

  5. Navigate to Security and select the link under the Security groups subheading.

  6. Access the Inbound and Outbound tabs.

  7. Update rules as required. Inbound rules must restrict the source IP range and match the ELB listener's load balancer port. Outbound rules must match the ELB listener's instance port.

    Note: For gateway LBs, ensure that UDP traffic is allowed on port 6081, as this is required for the GENEVE protocol.
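The rules above (a group must be attached, inbound rules must be source-restricted and match a listener's load balancer port, outbound rules must match the listener's instance port, gateway LBs additionally need UDP 6081 for GENEVE) can be checked offline before opening the console. The following is an added example and not Lacework's own policy logic: the input dictionaries use the field names of the AWS `describe_load_balancers` (classic ELB) and `describe_security_groups` responses so real API output can be fed in, but the load balancer, group IDs and CIDRs below are constructed for illustration.

```python
"""Offline audit of an Elastic Load Balancer's security groups.

Added example, not Lacework's own check. Field names follow the AWS
describe_load_balancers / describe_security_groups responses; all values
below are constructed for illustration.
"""

UNRESTRICTED = {"0.0.0.0/0", "::/0"}
GENEVE = ("udp", 6081)  # required by gateway load balancers


def _ports(rule):
    """(protocol, from, to) of a rule; IpProtocol -1 means all traffic."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        return proto, 0, 65535
    return proto, rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _cidrs(rule):
    return [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
        [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]


def _check_rules(sg_id, direction, rules, allowed):
    """Flag rules open to the world and rules whose port is not in `allowed`.

    `allowed` is a set of (protocol, port) pairs; a rule passes only when it
    names exactly one port on one protocol from that set.
    """
    findings = []
    for rule in rules:
        proto, lo, hi = _ports(rule)
        label = f"{sg_id}: {direction} {proto} {lo}-{hi}"
        for cidr in _cidrs(rule):
            if cidr in UNRESTRICTED:
                findings.append(f"{label} open to {cidr}")
        if not (lo == hi and (proto, lo) in allowed):
            ports = sorted(p for _, p in allowed)
            findings.append(f"{label} does not match a listener port {ports}")
    return findings


def audit_elb(lb, security_groups, gateway=False):
    """Return the list of findings for one load balancer; [] means compliant."""
    name = lb["LoadBalancerName"]
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    attached = [sg_by_id[g] for g in lb.get("SecurityGroups", []) if g in sg_by_id]
    if not attached:
        return [f"{name}: no security group attached"]

    listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
    # Inbound rules must match the listener's load balancer port, outbound
    # rules its instance port; ELB listeners (HTTP/HTTPS/TCP/SSL) are all TCP.
    inbound_ok = {("tcp", l["LoadBalancerPort"]) for l in listeners}
    outbound_ok = {("tcp", l["InstancePort"]) for l in listeners}
    if gateway:  # gateway LBs carry GENEVE-encapsulated traffic on UDP 6081
        inbound_ok.add(GENEVE)
        outbound_ok.add(GENEVE)

    findings = []
    for sg in attached:
        findings += _check_rules(sg["GroupId"], "inbound",
                                 sg.get("IpPermissions", []), inbound_ok)
        findings += _check_rules(sg["GroupId"], "outbound",
                                 sg.get("IpPermissionsEgress", []), outbound_ok)
    return findings


# Constructed sample: one HTTPS listener; the "bad" group carries a stray SSH
# rule open to the world and the default allow-all egress rule.
SAMPLE_LB = {
    "LoadBalancerName": "web-elb",
    "SecurityGroups": ["sg-0example1"],
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTPS", "InstancePort": 8443}}
    ],
}
BAD_SG = {
    "GroupId": "sg-0example1",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
FIXED_SG = {  # the remediated group: 443 from a known range, 8443 to the VPC
    "GroupId": "sg-0example1",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_elb(SAMPLE_LB, [BAD_SG]):
        print("FAIL", finding)
    print("after remediation:", audit_elb(SAMPLE_LB, [FIXED_SG]))
```

The check is deliberately strict: a rule passes only when it names a single port that a listener actually uses, so a port range or an allow-all (`-1`) egress rule is reported even when its source or destination is restricted. Pass `gateway=True` for a gateway load balancer so that UDP 6081 is accepted in both directions.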