This rule ensures that deletion protection is enabled for ELB application load balancer.
Rule | ELB application load balancer deletion protection should be enabled
Framework | NIST Cybersecurity Framework (CSF) v1.1
Severity | High
Enabling Deletion Protection for ELB Application Load Balancer in Compliance with NIST CSF v1.1
Enabling deletion protection for your AWS Elastic Load Balancing (ELB) Application Load Balancer is a measure to prevent accidental or unauthorized deletion, aligning with the NIST Cybersecurity Framework's recommendations to protect critical infrastructure.
Understanding Deletion Protection
What is Deletion Protection?
Deletion protection is a load balancer attribute (deletion_protection.enabled) that makes every delete request for the Application Load Balancer fail, whether it comes from the console, the CLI, an SDK or an automation tool, until the attribute is set back to false. It guards against accidental or careless deletion of a resource that other systems depend on. It is not an access control: any principal allowed to modify the load balancer's attributes can turn it off and then delete the load balancer, so it complements, rather than replaces, least-privilege IAM policies on the load balancer.
Importance for NIST CSF Compliance
The National Institute of Standards and Technology (NIST) Cybersecurity Framework version 1.1 (CSF v1.1) organizes safeguards into five functions. Deletion protection falls under the Protect function, whose purpose is to develop and implement safeguards that ensure the delivery of critical services. Enabling it on your ELB Application Load Balancer is one such safeguard: it reduces the chance that a single mistaken or malicious API call removes the entry point to your applications.
Enabling Deletion Protection for AWS ELB Application Load Balancer
Note that the aws elbv2 create-load-balancer command has no attributes parameter, so deletion protection cannot be turned on at creation time from the CLI; it is set afterwards with modify-load-balancer-attributes. Infrastructure-as-code tools such as CloudFormation can set the attribute as part of the load balancer's resource definition.
Step-by-Step Guide to Enable Deletion Protection using AWS Console:
Log in to the AWS Management Console and open the EC2 console in the region that hosts the load balancer
Select the Load Balancer: choose Load Balancers in the navigation pane and select the Application Load Balancer you want to protect
Modify Attributes: from the Actions menu, choose the option to edit the load balancer attributes
Enable Deletion Protection: turn on Deletion protection
Save Changes: save, then confirm on the load balancer's Attributes tab that Deletion protection now shows as enabled
Step-by-Step Guide to Enable Deletion Protection using AWS CLI:
Identify Load Balancer
Use the following AWS CLI command to list the Application Load Balancers in the current region and find the ARN of the one you want to protect (the Type filter leaves out Network and Gateway Load Balancers, which describe-load-balancers would otherwise return as well):
aws elbv2 describe-load-balancers --query "LoadBalancers[?Type=='application'].{ID:LoadBalancerArn, Name:LoadBalancerName}"
Enable Deletion Protection
Enable deletion protection by modifying the attributes of the load balancer using its ARN:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <Your-Load-Balancer-ARN> --attributes Key=deletion_protection.enabled,Value=true
Replace <Your-Load-Balancer-ARN> with the actual ARN of your load balancer. To confirm the change took effect, read the attribute back with aws elbv2 describe-load-balancer-attributes --load-balancer-arn <Your-Load-Balancer-ARN> and check that deletion_protection.enabled is true.
Troubleshooting Potential Issues
Permission Errors: Ensure that your IAM user/role is allowed elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeLoadBalancerAttributes and elasticloadbalancing:ModifyLoadBalancerAttributes; an AccessDenied error on the modify call is the usual symptom of a missing permission.
Incorrect ARN: Verify that you've provided the correct ARN of the Application Load Balancer you intend to protect, and that your CLI is pointed at the region where it lives (a LoadBalancerNotFound error usually means the wrong ARN or the wrong region).
CLI Command Failure: Double-check the CLI syntax and parameter values if you encounter command failures; the attribute key is deletion_protection.enabled and the value must be the string true.
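The CLI procedure above, written as one script that audits every Application Load Balancer in a region and enables deletion protection where it is off. This is an added example, not part of the original page or of AWS's own documentation; it assumes AWS CLI v2 with credentials in the environment, and it parses the attribute JSON with sed so that it runs without jq. The JSON sample inside the script is constructed for a self-check and is not real account data.

```shell
#!/bin/sh
# Added example: audit and remediate deletion protection on every ALB in the
# current region. Assumes AWS CLI v2 and an identity allowed
# elasticloadbalancing:Describe* and elasticloadbalancing:ModifyLoadBalancerAttributes.
set -eu

# Extract deletion_protection.enabled from the JSON printed by
# `aws elbv2 describe-load-balancer-attributes`. Prints "true", "false" or
# "unset" (key missing from the document). tr/sed only, so no jq dependency.
alb_deletion_protection_state() {
  value=$(printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"Key": *"deletion_protection\.enabled", *"Value": *"\([a-z]*\)".*/\1/p')
  case "$value" in
    true|false) printf '%s\n' "$value" ;;
    *) printf 'unset\n' ;;
  esac
}

# Exit status 0 when the load balancer needs remediation (protection is not
# "true"), 1 when it is already compliant.
alb_needs_deletion_protection() {
  [ "$(alb_deletion_protection_state "$1")" != "true" ]
}

# Enable deletion protection on one ALB, then re-read the attribute so the
# script fails loudly if the change did not take effect.
enable_alb_deletion_protection() {
  arn=$1
  aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn "$arn" \
    --attributes Key=deletion_protection.enabled,Value=true >/dev/null
  after=$(aws elbv2 describe-load-balancer-attributes --load-balancer-arn "$arn")
  [ "$(alb_deletion_protection_state "$after")" = "true" ] \
    || { echo "verification failed for $arn" >&2; return 1; }
}

# Walk all ALBs; the JMESPath filter skips Network and Gateway Load Balancers.
remediate_all_albs() {
  for arn in $(aws elbv2 describe-load-balancers \
      --query "LoadBalancers[?Type=='application'].LoadBalancerArn" --output text); do
    attrs=$(aws elbv2 describe-load-balancer-attributes --load-balancer-arn "$arn")
    if alb_needs_deletion_protection "$attrs"; then
      echo "enabling deletion protection: $arn"
      enable_alb_deletion_protection "$arn"
    else
      echo "already protected: $arn"
    fi
  done
}

# Constructed sample of describe-load-balancer-attributes output, used for a
# self-check that runs without AWS credentials (not real account data).
SAMPLE_UNPROTECTED='{
    "Attributes": [
        { "Key": "access_logs.s3.enabled", "Value": "false" },
        { "Key": "deletion_protection.enabled", "Value": "false" },
        { "Key": "idle_timeout.timeout_seconds", "Value": "60" }
    ]
}'

# Only touch the account when explicitly asked, so running the file with no
# arguments just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  remediate_all_albs
fi
```

Run the script with --apply to change the account; with no arguments it only defines the functions, which lets the attribute parsing be exercised offline against the constructed sample. Each remediation re-reads the attribute after the modify call, which is the check a practitioner wants before marking the finding resolved.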
Remediation Steps: CLI Command Quick Reference
List Application Load Balancers:
aws elbv2 describe-load-balancers --query "LoadBalancers[?Type=='application'].{ID:LoadBalancerArn, Name:LoadBalancerName}"
Enable Deletion Protection:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <Your-Load-Balancer-ARN> --attributes Key=deletion_protection.enabled,Value=true
By following these instructions, you can enable deletion protection for your ELB Application Load Balancer and close this finding under the Protect function of NIST CSF v1.1. The attribute blocks accidental deletion of a load balancer that your applications depend on; keep IAM permissions on ModifyLoadBalancerAttributes tightly scoped so that the protection cannot be quietly switched off.