CloudFormation Guard rules template for AWS load balancer resources.
The following rules are included:
# Classic (v1) load balancer resources declared in the template.
let elb_lbs = Resources.*[
    Type == "AWS::ElasticLoadBalancing::LoadBalancer"
]
# v2 load balancer resources (the rules below distinguish the "application"
# and "gateway" values of Properties.Type where it matters).
let elbv2_lbs = Resources.*[
    Type == "AWS::ElasticLoadBalancingV2::LoadBalancer"
]
# Access logging must be enabled on every classic load balancer and on every
# v2 load balancer that is not a gateway load balancer. Access logs are the
# primary record for investigating traffic to the load balancer afterwards.
# Note: only the "enabled" attribute is checked; the target bucket attribute
# (access_logs.s3.bucket) is not validated here.
rule elb_access_logging when %elb_lbs !empty OR %elbv2_lbs !empty {
    when %elb_lbs !empty {
        %elb_lbs.Properties {
            AccessLoggingPolicy exists <<AccessLoggingPolicy not configured. (i.e. disabled)>>
            when AccessLoggingPolicy exists {
                AccessLoggingPolicy.Enabled == true <<Access Logging is disabled.>>
            }
        }
    }
    when %elbv2_lbs !empty {
        %elbv2_lbs.Properties {
            # A missing Type is treated like a non-gateway load balancer.
            when Type !exists OR Type != "gateway" {
                LoadBalancerAttributes exists <<LoadBalancerAttributes not configured. (i.e. disabled)>>
                when LoadBalancerAttributes exists {
                    # At least one attribute entry must switch access logs on.
                    some LoadBalancerAttributes[*] {
                        Key == "access_logs.s3.enabled"
                        Value == "true"
                    }
                }
            }
        }
    }
}
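# Classic load balancers must not be internet-facing.
# The original clause `Scheme !exists OR Scheme exists` was a tautology that
# passed any resource without a Scheme; AWS creates a classic load balancer as
# internet-facing when Scheme is omitted, so an absent Scheme is reported as a
# finding instead of being silently accepted. Templates that intend an internal
# load balancer must state `Scheme: internal` explicitly.
rule elb_public_classic_load_balancers when %elb_lbs !empty {
    %elb_lbs.Properties {
        Scheme exists <<Scheme not configured; classic load balancers default to internet-facing.>>
        when Scheme exists {
            Scheme != "internet-facing" <<Load Balancer is internet facing.>>
        }
    }
}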
# Deletion protection must be enabled so the load balancer cannot be removed
# (accidentally or otherwise) without first clearing the attribute.
# Despite the "alb" prefix, this rule applies to every v2 load balancer: there
# is no filter on Properties.Type.
rule alb_deletion_protection when %elbv2_lbs !empty {
    %elbv2_lbs.Properties {
        LoadBalancerAttributes exists <<LoadBalancerAttributes not configured. (i.e. disabled)>>
        when LoadBalancerAttributes exists {
            # At least one attribute entry must enable deletion protection.
            some LoadBalancerAttributes[*] {
                Key == "deletion_protection.enabled"
                Value == "true"
            }
        }
    }
}
# Every listener on a classic load balancer must terminate TLS (HTTPS or SSL),
# so a single plaintext listener fails the rule.
# Note: only the listener Protocol is checked; the negotiation/cipher policy
# attached to the listener is outside the scope of this rule.
rule elb_classic_lb_use_ssl_certificate when %elb_lbs !empty {
    %elb_lbs.Properties.Listeners[*] {
        Protocol in ["HTTPS", "SSL"] <<Load Balancer does not have secure listeners.>>
    }
}
# Application load balancers must drop HTTP headers with invalid field names
# instead of forwarding them to targets. The attribute is ALB-specific, so
# other v2 types are skipped; a missing Type is treated as an application
# load balancer.
rule alb_drop_http_headers when %elbv2_lbs !empty {
    %elbv2_lbs.Properties {
        when Type !exists OR Type == "application" {
            LoadBalancerAttributes exists <<LoadBalancerAttributes not configured. (i.e. disabled)>>
            when LoadBalancerAttributes exists {
                # At least one attribute entry must turn the drop behaviour on.
                some LoadBalancerAttributes[*] {
                    Key == "routing.http.drop_invalid_header_fields.enabled"
                    Value == "true"
                }
            }
        }
    }
}
# Cross-zone load balancing must be enabled on classic load balancers and on
# v2 load balancers whose Type is set to something other than "application".
# v2 resources with no Type, or with Type "application", are not evaluated by
# the second branch.
rule elb_cross_zone_load_balancing when %elb_lbs !empty OR %elbv2_lbs !empty {
    when %elb_lbs !empty {
        %elb_lbs.Properties {
            CrossZone exists <<CrossZone not configured. (i.e. disabled)>>
            when CrossZone exists {
                CrossZone == true <<Cross zone is disabled.>>
            }
        }
    }
    when %elbv2_lbs !empty {
        %elbv2_lbs.Properties {
            # Both conditions must hold for the block to be evaluated.
            when Type exists
                 Type != "application" {
                LoadBalancerAttributes exists <<LoadBalancerAttributes not configured. (i.e. disabled)>>
                when LoadBalancerAttributes exists {
                    # At least one attribute entry must enable cross-zone balancing.
                    some LoadBalancerAttributes[*] {
                        Key == "load_balancing.cross_zone.enabled"
                        Value == "true"
                    }
                }
            }
        }
    }
}
# Connection draining must be configured and enabled on classic load
# balancers so in-flight requests finish when an instance is deregistered.
rule elb_classic_connection_draining when %elb_lbs !empty {
    %elb_lbs.Properties {
        ConnectionDrainingPolicy exists <<ConnectionDrainingPolicy is not configured.(i.e. disabled)>>
        when ConnectionDrainingPolicy exists {
            ConnectionDrainingPolicy.Enabled == true <<Connection Draining is disabled.>>
        }
    }
}