Amazon Elastic Load Balancer V2

1.3: Traffic to Load Balancers is not encrypted

πŸ“˜ The absence of encryption for traffic to load balancers poses a significant risk, leaving sensitive data vulnerable to interception. Implementing encryption is crucial for safeguarding data integrity and confidentiality.

  • Section: Encryption
  • Severity: Critical
  • CWE: CWE-311 Missing Encryption of Sensitive Data
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Information Disclosure
  • Rule Set: Threat Modeling - Cloud Configuration Check

1.4: Insecure ELB Security Policy

πŸ“˜ Utilizing an insecure Elastic Load Balancer (ELB) security policy can lead to vulnerabilities in data protection, underscoring the need for robust security measures and policy enforcement.

  • Section: Encryption
  • Severity: High
  • CWE: CWE-311 Missing Encryption of Sensitive Data
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Information Disclosure
  • Rule Set: Threat Modeling - Cloud Configuration Check

1.26: Amazon Network Load Balancers (NLBs) not Configured to Terminate TLS Traffic

πŸ“˜ Failing to configure Amazon Network Load Balancers (NLBs) for TLS traffic termination exposes data to potential interception. Ensuring TLS termination is crucial for data security during transmission.

  • Section: Encryption
  • Severity: High
  • CWE: CWE-311 Missing Encryption of Sensitive Data
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Information Disclosure
  • Rule Set: Threat Modeling - Cloud Configuration Check

2.1: Elastic Load Balancer Audit Logs Not Enabled

πŸ“˜ The absence of enabled audit logs for Elastic Load Balancers compromises the ability to monitor and investigate security incidents, highlighting the importance of comprehensive logging for security oversight.

  • Section: Monitoring
  • Severity: High
  • CWE: CWE-778 Insufficient Logging
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Repudiation
  • Rule Set: Threat Modeling - Cloud Configuration Check

6.4: ELBv2 Load Balancer Lacks Deletion Protection

πŸ“˜ Not enabling deletion protection for ELBv2 Load Balancers raises the risk of accidental removal, emphasizing the need for safeguards to maintain infrastructure stability and prevent unintended disruptions.

  • Section: Networking
  • Severity: Medium
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Tampering, Information Disclosure
  • Rule Set: Threat Modeling - Cloud Configuration Check

6.5: Insufficient Healthy Targets for AWS ELBv2 Load Balancers

πŸ“˜ Having less than two healthy target instances for each AWS ELBv2 load balancer can lead to service disruptions and degraded performance, underscoring the need for adequate resource allocation and monitoring.

  • Section: Networking
  • Severity: High
  • CWE: CWE-410 Insufficient Resource Pool
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Denial of Service, Availability
  • Rule Set: Threat Modeling - Cloud Configuration Check

6.6: ELBv2 Load Balancer with Unrestricted Security Group

πŸ“˜ Attaching unrestricted security groups to ELBv2 load balancers can lead to security vulnerabilities, highlighting the necessity of stringent security group configurations to mitigate unauthorized access risks.

  • Section: Networking
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Escalation of Privileges, Availability
  • Rule Set: Threat Modeling - Cloud Configuration Check

6.7: Classic Load Balancer with Unrestricted Security Group

πŸ“˜ The use of unrestricted security groups with Classic Load Balancers can create significant security gaps, underlining the importance of precise security group controls to prevent potential breaches.

  • Section: Networking
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Escalation of Privileges, Availability
  • Rule Set: Threat Modeling - Cloud Configuration Check

6.8: Discrepancy in ELBv2 Listener Configurations and Security Group Ports

πŸ“˜ Mismatches between ELBv2 listener configurations and allowed security group ports can introduce security loopholes, accentuating the need for alignment between load balancer settings and security policies.

  • Section: Networking
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Escalation of Privileges, Availability
  • Rule Set: Threat Modeling - Cloud Configuration Check

6.9: Discrepancy in Classic ELB Listener Configurations and Security Group Ports

πŸ“˜ Inconsistencies between Classic ELB listener configurations and security group port allowances pose security risks, stressing the importance of harmonizing configuration settings for robust security.

  • Section: Networking
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPPA
  • Threat Modeling Principal: Escalation of Privileges, Availability
  • Rule Set: Threat Modeling - Cloud Configuration Check

7.2: Elastic Load Balancer v2 with All Unhealthy Targets

πŸ“˜ An Elastic Load Balancer v2 with all unhealthy targets signifies a severe issue in operational efficiency, requiring urgent action to restore system health and ensure service continuity.

  • Section: Monitoring
  • Severity: Medium
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principal: NA
  • Rule Set: Rapticore Benchmark

Updated 5 months ago

What’s Next