No Classic ELB Should Be In Use

More Info:

Classic ELB is not recommended to be used. AWS has deprecated it and wants them to move to the alternatives.

Risk Level

Low

Address

Security, Operational Maturity, Reliability

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “No Classic ELB Should Be In Use” misconfiguration in AWS using AWS CLI, you can follow the below steps:

List all the classic load balancers in your AWS account using the following command:

aws elb describe-load-balancers --query "LoadBalancerDescriptions[?Scheme=='internet-facing']"

Identify the classic load balancers that are currently in use and need to be replaced with ALB/NLB.

Create a new ALB/NLB based on your requirements using the following command:

aws elbv2 create-load-balancer --name <load-balancer-name> --type <load-balancer-type> --subnets <subnet-ids> --security-groups <security-group-ids>

Update the DNS records to point to the new ALB/NLB.

Update the target groups and listeners of the classic load balancers to the new ALB/NLB using the following commands:

aws elbv2 create-target-group --name <target-group-name> --protocol <protocol> --port <port> --vpc-id <vpc-id>
aws elbv2 create-listener --load-balancer-arn <load-balancer-arn> --protocol <protocol> --port <port> --default-actions Type=forward,TargetGroupArn=<target-group-arn>

Deregister and delete the classic load balancers using the following commands:

aws elb deregister-instances-from-load-balancer --load-balancer-name <load-balancer-name> --instances <instance-ids>
aws elb delete-load-balancer --load-balancer-name <load-balancer-name>

Verify that the new ALB/NLB is functioning properly and all the traffic is being routed to it.

Note: Before deleting the classic load balancers, ensure that they are not being used by any other resources or services in your AWS account.

Using Python

To remediate the misconfiguration “No Classic ELB Should Be In Use” for AWS using Python, you can use the following steps:

Import the required AWS SDK and Boto3 library to interact with AWS resources.

import boto3

Create a client object for Elastic Load Balancing (ELB) using Boto3.

elb_client = boto3.client('elb')

Use the describe_load_balancers() method to get a list of all the load balancers in your AWS account.

load_balancers = elb_client.describe_load_balancers()

Loop through the list of load balancers and check if any of them are Classic load balancers.

for lb in load_balancers['LoadBalancerDescriptions']:
    if lb['Scheme'] == 'internet-facing' and lb['Type'] == 'classic':
        print('Classic ELB found: ' + lb['LoadBalancerName'])

If a Classic ELB is found, use the delete_load_balancer() method to delete it.

elb_client.delete_load_balancer(LoadBalancerName=lb['LoadBalancerName'])

Optionally, you can add a confirmation prompt before deleting the Classic ELB to avoid accidental deletion.

response = input('Do you want to delete the Classic ELB ' + lb['LoadBalancerName'] + '? (y/n) ')
if response.lower() == 'y':
    elb_client.delete_load_balancer(LoadBalancerName=lb['LoadBalancerName'])
else:
    print('Classic ELB ' + lb['LoadBalancerName'] + ' was not deleted.')

Run the Python script to identify and delete any Classic ELBs in your AWS account.

Note: Before running the script, make sure you have the necessary permissions to delete Classic ELBs in your AWS account.

Additional Reading:

https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/migrate-to-application-load-balancer.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

No Classic ELB Should Be In Use

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: