
Rule: Ensure application load balancer does not have unrestricted security group attached

This rule ensures that an application load balancer does not have an unrestricted security group attached.

Rule: Ensure application load balancer does not have unrestricted security group attached
Framework: CloudDefense.AI Security
Severity: Critical

Rule Description

The rule aims to ensure that an application load balancer in the CloudDefense environment does not have an unrestricted security group attached. This is essential to maintain the security posture of the application and prevent unauthorized access.

Troubleshooting Steps

  1. Identify the application load balancer that needs to be checked for unrestricted security group attachment.
  2. Verify the security groups associated with the application load balancer.
  3. Check the inbound and outbound rules of each security group to determine if there are any unrestricted rules allowing all traffic.

Necessary Codes

No specific codes are required for this rule. The verification can be done using the AWS Management Console or CLI commands.

Remediation Steps

  1. Open the AWS Management Console or use the AWS CLI to access the CloudDefense environment.
  2. Identify the target application load balancer that needs to be remediated.
  3. Check the security groups associated with the application load balancer.
  4. If an unrestricted security group is found, note down the group ID for reference.
  5. Review the security group's inbound and outbound rules.
  6. Remove any rules that permit unrestricted access (e.g., "0.0.0.0/0" or "::/0").
  7. Configure appropriate rules to allow only necessary traffic.
  8. Save the changes and confirm that the security group no longer has unrestricted access.
  9. Repeat the process for any other load balancers, if applicable.

CLI Command Guide

To verify and remediate an unrestricted security group attachment for an application load balancer, follow the steps below:

  1. List the security groups associated with the load balancer:

aws elbv2 describe-load-balancers --query 'LoadBalancers[?LoadBalancerName==`LOAD_BALANCER_NAME`].SecurityGroups[]'

Replace LOAD_BALANCER_NAME with the name of the load balancer (the query matches on LoadBalancerName, so an ARN will not match here).

  2. Review the inbound and outbound rules of each security group:

aws ec2 describe-security-groups --group-ids SECURITY_GROUP_ID

Replace SECURITY_GROUP_ID with the ID of the security group.

  3. Remove any unrestricted rules allowing all traffic:

aws ec2 revoke-security-group-ingress --group-id SECURITY_GROUP_ID --protocol PROTOCOL --port PORT --cidr CIDR
aws ec2 revoke-security-group-egress --group-id SECURITY_GROUP_ID --ip-protocol PROTOCOL --from-port PORT --to-port PORT --cidr CIDR

Replace SECURITY_GROUP_ID with the ID of the security group. Replace PROTOCOL with the protocol of the rule being removed (e.g., tcp, udp, or -1 for all traffic). Replace PORT with the port number of that rule. Replace CIDR with the IP range of the rule being removed (0.0.0.0/0 for the unrestricted IPv4 rules found above). Note that the egress command uses the --ip-protocol, --from-port and --to-port flags rather than the ingress shorthand, and that an IPv6 range such as ::/0 has to be passed through --ip-permissions instead of --cidr.

  4. Recheck the security group to ensure there are no unrestricted rules.
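Added example (not CloudDefense's own code) that applies the check from steps 2 and 3 above to the JSON that `aws ec2 describe-security-groups` returns: it flags every rule open to 0.0.0.0/0 or ::/0, separating all-traffic rules (the ones this rule is about) from port-specific ones such as 443 on a public ALB, which is usually intentional and only needs review, and builds the matching revoke command for each all-traffic rule. The security group contents below are a constructed sample with a placeholder group ID; to run it live, load the CLI's JSON output instead.

```python
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like one "SecurityGroups" entry from
# `aws ec2 describe-security-groups`; the group id is a placeholder.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

def unrestricted_rules(sg):
    """Return (direction, protocol, ports, cidr, severity) for each world-open rule."""
    findings = []
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for perm in sg.get(key, []):
            proto = perm.get("IpProtocol", "-1")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD_CIDRS:
                    continue  # scoped to a specific range: not unrestricted
                if proto == "-1":  # all protocols and ports from anywhere
                    findings.append((direction, proto, "all", cidr, "critical"))
                else:  # world-open but port-specific, e.g. 443 on a public ALB
                    ports = f"{perm['FromPort']}-{perm['ToPort']}"
                    findings.append((direction, proto, ports, cidr, "review"))
    return findings

def revoke_command(group_id, direction, proto, cidr):
    """Build the `aws ec2 revoke-security-group-<direction>` call for one rule."""
    # --ip-permissions rather than the --cidr shorthand: the latter is IPv4
    # only, while this form covers ingress, egress and ::/0 alike.
    v6 = ":" in cidr
    perm = {"IpProtocol": proto,
            "Ipv6Ranges" if v6 else "IpRanges": [{"CidrIpv6" if v6 else "CidrIp": cidr}]}
    return (f"aws ec2 revoke-security-group-{direction} --group-id {group_id} "
            f"--ip-permissions '{json.dumps([perm])}'")

if __name__ == "__main__":
    for direction, proto, ports, cidr, severity in unrestricted_rules(SAMPLE_SG):
        print(severity, direction, proto, ports, cidr)
        if severity == "critical":
            print("  ", revoke_command(SAMPLE_SG["GroupId"], direction, proto, cidr))
```

Review the printed commands before running them; the "review" findings are left to a human decision because a public ALB listener legitimately needs a world-open 443.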

Conclusion

Following the steps provided above, you can ensure that no unrestricted security group is attached to an application load balancer in the CloudDefense environment. Regularly reviewing and enforcing security measures like this helps protect the application from unauthorized access and potential security risks.
