Load balancer is internet facing Affecting ELB service in AWS


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Network/ Network

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
CIS-ControlsCSA-CCM
  • Snyk IDSNYK-CC-00291
  • creditSnyk Research Team

Description

An internet-facing load balancer increases attack vector reachability.

How to fix?

Set the load balancer's internal attribute to true.

Example Configuration

# aws_elb example
resource "aws_elb" "example" {
  name               = "terraform-elb"
  subnets            = ["subnet-id"]
  internal           = true

  access_logs {
    bucket        = "example"
    bucket_prefix = "example"
    interval      = 60
  }

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:8000/"
    interval            = 30
  }

  instances                   = ["id-yyyyyy"]
  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400

  tags = {
    Name = "terraform-elb"
  }
}

# aws_lb example
resource "aws_lb" "example" {
  name               = "test-lb-tf"
  internal           = true
  load_balancer_type = "application"
  security_groups    = ["id-xxxxx"]
  subnets            = ["id-xxxxxx"]

  enable_deletion_protection = true

  access_logs {
    bucket  = "test"
    prefix  = "test-lb"
    enabled = true
  }

  tags = {
    Environment = "production"
  }
}