ELBs Should Have Deletion Protection Flag Enabled

More Info:

Deletion Protection flag should be enabled in order to prevent accidental deletions.

Risk Level

Low

Address

Reliability, Operational Maturity, Security

Compliance Standards

HIPAA, NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of ELBs not having deletion protection flag enabled, you can follow the below steps:

Open your AWS CLI and run the following command to enable deletion protection on all your ELBs:

aws elb modify-load-balancer-attributes --load-balancer-name <ELB_NAME> --attributes "{\"DeletionProtection\":{\"Value\":true}}"

Note: Replace <ELB_NAME> with the name of the ELB that you want to enable deletion protection for.

To verify that the deletion protection flag is enabled, run the following command:

aws elb describe-load-balancers --load-balancer-name <ELB_NAME> --query 'LoadBalancerDescriptions[*].[LoadBalancerName, Scheme, DeletionProtection]'

Note: Replace <ELB_NAME> with the name of the ELB that you want to verify deletion protection for.

If the deletion protection flag is not enabled, repeat step 1 for all the ELBs that you want to enable deletion protection for.

By following these steps, you can remediate the misconfiguration of ELBs not having deletion protection flag enabled in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of ELBs not having deletion protection flag enabled, you can use the following steps in Python:

Import the necessary AWS SDK modules:

import boto3
from botocore.exceptions import ClientError

Initialize a boto3 client for Elastic Load Balancing:

elb_client = boto3.client('elbv2')

Get a list of all the existing ELBs in your AWS account:

try:
    response = elb_client.describe_load_balancers()
    elbs = response['LoadBalancers']
except ClientError as e:
    print(e)

For each ELB, check if the deletion protection flag is enabled. If not, enable it:

for elb in elbs:
    elb_name = elb['LoadBalancerName']
    try:
        response = elb_client.modify_load_balancer_attributes(
            LoadBalancerArn=elb['LoadBalancerArn'],
            Attributes=[
                {
                    'Key': 'deletion_protection.enabled',
                    'Value': 'true'
                }
            ]
        )
        print(f"Deletion protection enabled for ELB {elb_name}")
    except ClientError as e:
        print(e)

Run the Python script to enable deletion protection for all the ELBs in your AWS account.

Note: You will need to have appropriate IAM permissions to modify the load balancer attributes.

Additional Reading:

https://docs.aws.amazon.com/cli/latest/reference/elb/index.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

ELBs Should Have Deletion Protection Flag Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: