
Rule: ELB Application Load Balancers should drop HTTP headers

This rule specifies that ELB Application Load Balancers should drop HTTP headers to enhance security measures.

Rule: ELB application load balancers should drop HTTP headers
Framework: RBI Cyber Security Framework
Severity: High

Rule Description: To comply with the RBI Cyber Security Framework, it is necessary to configure the Elastic Load Balancer (ELB) application load balancers to drop certain HTTP headers. This is done to enhance the security posture of the system and prevent potential security vulnerabilities.

Troubleshooting Steps: If the ELB application load balancer is not dropping the required HTTP headers, you can follow these troubleshooting steps:

  1. Verify ELB configuration: Double-check the ELB configuration to ensure that the HTTP headers specified in the RBI Cyber Security Framework are included in the "drop header" list. The header names should be accurate and correctly spelled.

  2. Check listener rules: Ensure that the listener rules associated with the ELB have the correct actions specified to drop the specific HTTP headers. The rules should be properly configured to drop the headers mentioned in the RBI Cyber Security Framework.

  3. Security group configuration: Validate that the security group attached to the ELB allows the necessary inbound and outbound traffic, as dropping headers can modify network traffic. Ensure that the security group rules do not conflict with the required header dropping.

Necessary Codes (if applicable): If necessary, you can use the AWS Command Line Interface (CLI) to configure the ELB application load balancer. Here is an example command that can be used (the CLI shorthand keys are Key and Value, and this particular example sets the deletion-protection attribute):

    aws elbv2 modify-load-balancer-attributes \
        --load-balancer-arn <ELB_ARN> \
        --attributes Key=deletion_protection.enabled,Value=true

Guide for Remediation: To drop the required HTTP headers from the ELB application load balancer, follow these step-by-step instructions:

  1. Identify the ELB: Determine the ARN (Amazon Resource Name) of the ELB application load balancer that needs to be configured. This can be obtained from the AWS Management Console or by using the AWS CLI command:

         aws elbv2 describe-load-balancers

  2. Modify load balancer attributes: Use the AWS CLI command modify-load-balancer-attributes to modify the load balancer attributes. Replace <ELB_ARN> with the ARN obtained in the previous step. Execute the command to configure the ELB to drop the required HTTP headers (the load balancer attribute that controls this is routing.http.drop_invalid_header_fields.enabled):

         aws elbv2 modify-load-balancer-attributes \
             --load-balancer-arn <ELB_ARN> \
             --attributes Key=routing.http.drop_invalid_header_fields.enabled,Value=true

     Note: This attribute is a boolean. When it is set to true, the load balancer removes every HTTP header field whose name is not a valid token under RFC 7230 (for example, names containing spaces or other disallowed characters) before forwarding the request to targets; there is no separate list of header names to supply. The default value is false.

  3. Validate the changes: Verify that the load balancer attributes have been successfully modified by checking the ELB configuration. Ensure that the specified HTTP headers are now included in the "drop header" list.

By following these steps, you will be able to configure the ELB application load balancers to drop the required HTTP headers to comply with the RBI Cyber Security Framework.
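The troubleshooting and remediation steps above amount to one loop: read each load balancer's attributes, decide whether the header-dropping attribute is on, and generate the fix for the ones where it is not. The script below is an added example (not Cloud Defense's or AWS's code) that does this offline against a constructed sample of the JSON that `aws elbv2 describe-load-balancer-attributes` prints; the ARNs are placeholders, and the only AWS-specific fact it relies on is the real attribute key `routing.http.drop_invalid_header_fields.enabled`. It also includes a small check of what "invalid header field" means in practice, so you can see which header names would be stripped once the attribute is enabled.

```python
"""Audit and remediation helper for the ALB drop-invalid-header-fields attribute.

Added example, not part of the original page. It parses the JSON that
`aws elbv2 describe-load-balancer-attributes` prints, so the sample below
(constructed, with placeholder ARNs) lets it run without AWS access.
"""
import json
import re
import shlex
from typing import Dict, List

# Real ALB attribute key; default on a new load balancer is "false".
ATTR_KEY = "routing.http.drop_invalid_header_fields.enabled"

# RFC 7230 'token' characters: the only characters a valid header *name* may contain.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_header_name(name: str) -> bool:
    """True if the header name is an RFC 7230 token.

    With the attribute enabled, an ALB removes header fields whose names fail
    this check instead of forwarding them to targets.
    """
    return bool(_TOKEN_RE.match(name))


def drops_invalid_headers(attributes_json: str) -> bool:
    """Parse describe-load-balancer-attributes output for one load balancer.

    Returns True only if the attribute is present and set to "true"; a missing
    key is treated as non-compliant because the AWS default is false.
    """
    doc = json.loads(attributes_json)
    for attr in doc.get("Attributes", []):
        if attr.get("Key") == ATTR_KEY:
            return attr.get("Value", "").strip().lower() == "true"
    return False


def remediation_command(lb_arn: str) -> str:
    """Build the CLI command that enables the attribute for one load balancer."""
    return (
        "aws elbv2 modify-load-balancer-attributes "
        f"--load-balancer-arn {shlex.quote(lb_arn)} "
        f"--attributes Key={ATTR_KEY},Value=true"
    )


def audit(lbs: Dict[str, str]) -> List[str]:
    """Given {arn: attributes_json}, return one remediation command per non-compliant ALB."""
    return [remediation_command(arn) for arn, body in lbs.items()
            if not drops_invalid_headers(body)]


# Constructed sample: one compliant ALB and one that still forwards invalid headers.
SAMPLE = {
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/good-alb/0000000000000001":
        json.dumps({"Attributes": [
            {"Key": ATTR_KEY, "Value": "true"},
            {"Key": "deletion_protection.enabled", "Value": "false"},
        ]}),
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/bad-alb/0000000000000002":
        json.dumps({"Attributes": [{"Key": ATTR_KEY, "Value": "false"}]}),
}

if __name__ == "__main__":
    for cmd in audit(SAMPLE):
        print(cmd)
    for name in ("X-Forwarded-For", "Bad Header", "X-Real-IP\x00"):
        print(f"{name!r}: {'kept' if is_valid_header_name(name) else 'dropped'}")
```

In a real run you would feed `audit()` the output of `aws elbv2 describe-load-balancer-attributes --load-balancer-arn <ARN>` for each ARN returned by `aws elbv2 describe-load-balancers`; the commands it prints are the remediation from step 2, and rerunning the audit afterwards is the validation from step 3.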
