Internet Facing ELBs Should Be Regularly Reviewed

More Info:

All Amazon internet-facing load balancers (Classic Load Balancers and Application Load Balancers) provisioned within your AWS account should be regularly reviewed for security purposes.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration for AWS using AWS CLI, follow these steps:

Open the AWS CLI and run the following command to list all the internet-facing Elastic Load Balancers (ELBs) in your account:
```
aws elbv2 describe-load-balancers --query "LoadBalancers[?Scheme=='internet-facing'].LoadBalancerArn" --output text
```
Review the output and identify any ELBs that are no longer needed or should not be internet-facing.
For each internet-facing ELB that needs to be reviewed, run the following command to modify the scheme to internal:
```
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <ELB_ARN> --attributes Key=scheme,Value=internal
```
Replace <ELB_ARN> with the ARN of the ELB that needs to be modified.
Verify that the ELB’s scheme has been changed to internal by running the following command:
```
aws elbv2 describe-load-balancers --load-balancer-arns <ELB_ARN> --query "LoadBalancers[0].Scheme" --output text
```
Replace <ELB_ARN> with the ARN of the ELB that was modified.
Repeat steps 3-4 for each internet-facing ELB that needs to be reviewed.
Once all internet-facing ELBs have been reviewed and modified, run the first command again to verify that all internet-facing ELBs have been remediated.

Using Python

To remediate the misconfiguration of Internet Facing ELBs in AWS, you can use the following Python script:

import boto3

# Create a boto3 client for ELB
elb_client = boto3.client('elbv2')

# Define the ELB ARN
elb_arn = 'arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188'

# Set the desired security group ID
security_group_id = 'sg-1234567890abcdef'

# Update the ELB security group
response = elb_client.set_security_groups(
    LoadBalancerArn=elb_arn,
    SecurityGroups=[
        security_group_id,
    ]
)

# Print the response
print(response)

This script uses the boto3 library to create a client for Elastic Load Balancing (ELB) in AWS. It then sets the desired security group ID for the specified ELB ARN using the set_security_groups function. Finally, it prints the response from the API call.To use this script, replace the elb_arn and security_group_id values with the appropriate values for your environment. You can then run the script to remediate the misconfiguration of Internet Facing ELBs in AWS.

Additional Reading:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-internet-facing-load-balancers.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Internet Facing ELBs Should Be Regularly Reviewed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: