AWS Elastic Load Balancer
About
Monitor and audit Elastic Load Balancers to ensure that security, availability and reliability are not compromised.
Security
ELB Accepts HTTPS connections Only
ELBs should be configured to block HTTP connections and accept only HTTPS connections.
ELB Logging Enabled
Load balancers must have request logging enabled. Logging requests to ELB endpoints helps detect and investigate potential attacks.
WAF Enabled
Enable WAF so that the firewall prevents malicious attackers from intruding into your system.
No Insecure Ciphers
Check for insecure ciphers on ELBs. Various security vulnerabilities have rendered several ciphers insecure. Only the recommended ciphers should be used.
Secure Listeners Only
ELBv2 load balancers should use only secure listeners. A listener is a process that checks for connection requests, using the protocol and port that you configure.
Invalid Http Header Dropped
No Classic ELB in-use
Classic ELBs are not recommended. AWS has deprecated them and wants customers to move to the alternatives.
Secure Listeners in App-tier only
Ensure that your app-tier Elastic Load Balancer (ELB) listeners are using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer.
Use latest AWS Security Policy for SSL negotiations
Ensure that your app-tier Elastic Load Balancer (ELB) listeners are using the latest AWS security policy for their SSL negotiation configuration.
Check ELB security layer for at least one valid security group
Check the Elastic Load Balancer (ELB) security layer for at least one valid security group that restricts access to only the ports defined in the load balancer's listener configuration.
ELBs must use latest AWS security policies
Ensure that Elastic Load Balancers are using the latest AWS predefined security policies.
Internet facing ELBs must be regularly reviewed for security purposes
Ensure that all Amazon internet-facing load balancers (Classic Load Balancers and Application Load Balancers) provisioned within your AWS account are regularly reviewed for security purposes.
Secure Listeners in Web-tier only
Ensure that your web-tier Elastic Load Balancer (ELB) listeners are using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer.
Use latest AWS Security Policy for SSL negotiations
Ensure that your web-tier Elastic Load Balancer (ELB) listeners are using the latest AWS security policy for their SSL negotiation configuration.
Check ELBs for insecure configurations
Check your Elastic Load Balancers (ELBs) listeners for insecure configurations. Use only HTTPS or SSL to encrypt the communication between the client and your load balancers.
Check ALBs for insecure configurations
Check your Application Load Balancers (ALBs) listeners for insecure configurations.
Check ALBs for latest SSL/TLS configurations
Ensure that your Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
Check NLBs for insecure configurations
Ensure that your Amazon Network Load Balancers (NLBs) are configured to terminate TLS traffic in order to optimize the performance of the backend servers.
Check NLBs for latest TLS configurations
Ensure that your Amazon Network Load Balancers (NLBs) are using the latest recommended predefined security policy for their TLS negotiation configuration in order to protect their front-end connections against TLS vulnerabilities and meet security requirements.
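The listener and attribute checks above (HTTPS-only listeners, latest security policy, access logging, dropping invalid HTTP headers) can be evaluated mechanically from the JSON that `describe-listeners` and `describe-load-balancer-attributes` return. The following is an added example, not code from this checklist or from AWS; the input is a constructed sample shaped like those responses, and the set of policies treated as "latest" is an assumption that must be kept in step with the AWS security policy documentation.

```python
"""Audit ELBv2 listener and attribute settings for the checks above.

Added illustration, not code from the checklist or from AWS; the inputs
are constructed samples shaped like the `describe-listeners` and
`describe-load-balancer-attributes` responses.
"""

# Policies treated as current; this set is an assumption and must be kept
# in step with the AWS predefined security policy documentation.
LATEST_ALB_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06"}
SECURE_PROTOCOLS = {"HTTPS", "TLS"}

# Constructed sample: a plaintext listener and an HTTPS listener on an old policy.
SAMPLE_LISTENERS = [
    {"Protocol": "HTTP", "Port": 80, "DefaultActions": [{"Type": "forward"}]},
    {"Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
]
SAMPLE_ATTRIBUTES = [
    {"Key": "access_logs.s3.enabled", "Value": "false"},
    {"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "false"},
]

def is_https_redirect(listener):
    """True when every default action only redirects the client to HTTPS."""
    actions = listener.get("DefaultActions", [])
    return bool(actions) and all(
        a.get("Type") == "redirect"
        and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions
    )

def audit_listeners(listeners):
    """Flag plaintext listeners (unless they redirect) and outdated policies."""
    findings = []
    for lsn in listeners:
        proto, port = lsn["Protocol"], lsn["Port"]
        if proto not in SECURE_PROTOCOLS:
            if not is_https_redirect(lsn):
                findings.append(f"{proto}:{port} accepts plaintext traffic")
        elif lsn.get("SslPolicy") not in LATEST_ALB_POLICIES:
            findings.append(f"{proto}:{port} uses outdated policy {lsn.get('SslPolicy')}")
    return findings

def audit_attributes(attributes):
    """Flag access logging disabled and invalid HTTP header fields kept."""
    attrs = {a["Key"]: a["Value"] for a in attributes}
    findings = []
    if attrs.get("access_logs.s3.enabled") != "true":
        findings.append("access logging disabled")
    if attrs.get("routing.http.drop_invalid_header_fields.enabled") != "true":
        findings.append("invalid HTTP header fields are not dropped")
    return findings
```

An HTTP listener whose only default action is a redirect to HTTPS is accepted, since that is the usual way to keep port 80 open without serving plaintext.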
Reliability
Deletion Protection Flag Enabled
Deletion Protection flag should be enabled in order to prevent accidental deletions.
Cross Zone Enabled
For higher availability and reliability, ELBs should have cross-zone load balancing enabled.
Min EC2 instances available
Configure a minimum number of available instances for your load balancer to improve reliability.
Use the right health check configurations
Improve the reliability of the applications behind your app-tier ELBs by using the appropriate health check configuration.
Connection Draining enabled
If an EC2 backend instance fails its health checks, the Elastic Load Balancer will not send any new requests to that unhealthy instance.
Ensure ELBs are evenly distributed over AZs
Ensure that the EC2 instances registered to your Amazon Elastic Load Balancing (ELB) are evenly distributed across all Availability Zones (AZs) in order to improve the reliability of the ELB configuration.
Use the right health check configurations
Improve the reliability of the applications behind your web-tier ELBs by using the appropriate health check configuration.
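The reliability checks above (deletion protection, cross-zone load balancing, even distribution of healthy instances across AZs) can be evaluated from `describe-load-balancer-attributes` and `describe-target-health` output. This is an added example, not code from this checklist or from AWS; the inputs are constructed samples, and it assumes each target description carries an `AvailabilityZone` field.

```python
"""Reliability checks over ELBv2 attributes and target health.

Added illustration, not part of the checklist; inputs are constructed
samples shaped like `describe-load-balancer-attributes` and
`describe-target-health` output (Target.AvailabilityZone assumed present).
"""
from collections import Counter

# Constructed sample: protection and cross-zone both off, three healthy
# targets in one AZ and only an unhealthy one in the other.
SAMPLE_ATTRIBUTES = [
    {"Key": "deletion_protection.enabled", "Value": "false"},
    {"Key": "load_balancing.cross_zone.enabled", "Value": "false"},
]
SAMPLE_TARGET_HEALTH = [
    {"Target": {"Id": "i-0a", "Port": 80, "AvailabilityZone": "us-east-1a"}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0b", "Port": 80, "AvailabilityZone": "us-east-1a"}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0c", "Port": 80, "AvailabilityZone": "us-east-1a"}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0d", "Port": 80, "AvailabilityZone": "us-east-1b"}, "TargetHealth": {"State": "unhealthy"}},
]
ENABLED_AZS = ["us-east-1a", "us-east-1b"]  # AZs the load balancer is enabled in

def audit_reliability_attributes(attributes):
    """Flag deletion protection and cross-zone load balancing when disabled."""
    attrs = {a["Key"]: a["Value"] for a in attributes}
    findings = []
    if attrs.get("deletion_protection.enabled") != "true":
        findings.append("deletion protection disabled")
    if attrs.get("load_balancing.cross_zone.enabled") != "true":
        findings.append("cross-zone load balancing disabled")
    return findings

def healthy_targets_per_az(target_health, enabled_azs):
    """Count healthy targets per AZ; enabled AZs with none still appear as 0."""
    counts = Counter({az: 0 for az in enabled_azs})
    for desc in target_health:
        if desc["TargetHealth"]["State"] == "healthy":
            counts[desc["Target"].get("AvailabilityZone", "unknown")] += 1
    return dict(counts)

def audit_az_distribution(target_health, enabled_azs, min_healthy=1):
    """Flag AZs below the healthy minimum and a skew of more than one target."""
    counts = healthy_targets_per_az(target_health, enabled_azs)
    findings = []
    for az in enabled_azs:
        if counts[az] < min_healthy:
            findings.append(f"{az} has {counts[az]} healthy targets (min {min_healthy})")
    if max(counts.values()) - min(counts.values()) > 1:
        findings.append(f"targets are unevenly spread: {counts}")
    return findings
```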
Cost Optimisation
Identify and terminate idle ELBs
Identify any Amazon ELBs that appear to be idle and terminate them to help lower the cost of your monthly AWS bill.
Identify and delete unused ELBs
Identify unused Elastic Load Balancers, and delete them to help lower the cost of your monthly AWS bill.
Sources
https://www.cloudanix.com/recipelist/aws/elbmonitoring
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-options.html
http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
https://docs.aws.amazon.com/cli/latest/reference/elb/index.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-subnets.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/migrate-to-application-load-balancer.html