Load balancer is internet facing Affecting ELB service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Network / Network

  • Frameworks: CIS-Controls, CSA-CCM
  • Snyk ID: SNYK-CC-00291
  • Credit: Snyk Research Team

Description

An internet-facing load balancer is reachable from any public IP address, so every service behind it is exposed to the whole internet, which enlarges the attack surface and makes the backends easier to reach for scanning and exploitation attempts.

How to fix?

Set the load balancer's `internal` attribute to `true`. This applies to both `aws_elb` (Classic) and `aws_lb` (ALB/NLB) resources; the provider default for `internal` is `false`, so leaving the attribute out also produces an internet-facing load balancer. Note that `internal` cannot be changed in place: Terraform replaces an existing load balancer when the value changes, so plan the DNS and target cut-over accordingly.

Example Configuration

# aws_elb example (Classic Load Balancer)
resource "aws_elb" "example" {
  name               = "terraform-elb"
  subnets            = ["subnet-id"]
  internal           = true   # private scheme: only reachable from inside the VPC

  access_logs {
    bucket        = "example"
    bucket_prefix = "example"
    interval      = 60
  }

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:8000/"
    interval            = 30
  }

  instances                   = ["id-yyyyyy"]
  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400

  tags = {
    Name = "terraform-elb"
  }
}

# aws_lb example (Application Load Balancer)
resource "aws_lb" "example" {
  name               = "test-lb-tf"
  internal           = true   # private scheme; omitting this defaults to false (internet-facing)
  load_balancer_type = "application"
  security_groups    = ["id-xxxxx"]
  subnets            = ["id-xxxxxx"]

  enable_deletion_protection = true

  access_logs {
    bucket  = "test"
    prefix  = "test-lb"
    enabled = true
  }

  tags = {
    Environment = "production"
  }
}
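The following script is an added example, not Snyk's rule engine or any code from this page. It mirrors the condition behind SNYK-CC-00291 as a pre-apply check: it reads the JSON produced by `terraform show -json plan.tfplan`, walks the root module and every child module, and reports each `aws_elb` or `aws_lb` resource whose `internal` attribute is not `true` (an omitted attribute is treated as the provider default, `false`). The keys `planned_values`, `root_module`, `child_modules`, `resources` and `values` are the real plan JSON structure; the `SAMPLE_PLAN` document embedded below is constructed for the demonstration and is not real plan output.

```python
"""Flag AWS load balancers that would be internet facing in a Terraform plan.

Added example (not Snyk's engine): reads `terraform show -json` plan output and
reports every aws_elb / aws_lb resource whose `internal` attribute is not true.
Terraform defaults `internal` to false when it is omitted, so a missing
attribute is reported as well.
"""
import json
import sys

LB_TYPES = {"aws_elb", "aws_lb"}


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_internet_facing(plan):
    """Return the addresses of load balancers that would be internet facing."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") not in LB_TYPES:
            continue
        # A missing `internal` means the provider default (false) applies.
        if res.get("values", {}).get("internal") is not True:
            findings.append(res["address"])
    return findings


# Constructed sample shaped like `terraform show -json` plan output (not real data).
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_lb.public", "type": "aws_lb", "name": "public",
                 "values": {"name": "public-alb", "internal": False,
                            "load_balancer_type": "application"}},
                {"address": "aws_lb.private", "type": "aws_lb", "name": "private",
                 "values": {"name": "private-alb", "internal": True,
                            "load_balancer_type": "application"}},
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
                 "values": {"bucket": "example-logs"}},
            ],
            "child_modules": [
                {"address": "module.legacy",
                 "resources": [
                     # `internal` omitted: Terraform will create it internet-facing.
                     {"address": "module.legacy.aws_elb.classic", "type": "aws_elb",
                      "name": "classic", "values": {"name": "legacy-elb"}},
                 ]},
            ],
        }
    }
}


def main(path=None):
    """Check a plan JSON file (or the embedded sample) and print one line per finding."""
    if path is None:
        plan = SAMPLE_PLAN
    else:
        with open(path) as fh:
            plan = json.load(fh)
    findings = find_internet_facing(plan)
    for address in findings:
        print(f"SNYK-CC-00291: {address} is internet facing (set internal = true)")
    return findings


if __name__ == "__main__":
    # Non-zero exit so the check can gate a CI pipeline step.
    sys.exit(1 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 0)
```

Run it as `terraform show -json plan.tfplan > plan.json && python check_lb.py plan.json`; with no argument it evaluates the embedded sample and reports `aws_lb.public` and `module.legacy.aws_elb.classic`. The check deliberately reads the plan rather than the `.tf` source, so values that come from variables or module inputs are already resolved, which is the same reason a policy-as-code gate is usually run against plan output.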