AWS Classic Load Balancer (ELB) has Unrestricted Security Group Attached

Description:

A Classic Load Balancer (ELB) uses security groups to control the inbound and outbound traffic. If an ELB's security group is configured to allow unrestricted access (0.0.0.0/0) to specific ports, it becomes vulnerable to potential unauthorized access and malicious activities. Ensuring that only necessary traffic is permitted is vital for maintaining a secure AWS environment.


Remediation:

1. Modify the Attached Security Group:

It's essential to restrict access to the ELB by adjusting its associated security group to permit only the required IPs or IP ranges.

AWS Management Console:
  • Go to the EC2 Dashboard.
  • In the left-hand pane, under Security, select Security Groups.
  • Find and select the security group associated with your Classic Load Balancer.
  • On the Inbound rules tab, update or delete rules that permit unrestricted access (0.0.0.0/0).
AWS CLI:
# Remove the unrestricted security group rules
aws ec2 revoke-security-group-ingress \
    --group-id <Your-Security-Group-ID> \
    --protocol <Your-Protocol> \
    --port <Your-Port> \
    --cidr 0.0.0.0/0
Terraform:
resource "aws_security_group" "elb_sg" {
  name        = "my_elb_sg"
  description = "Security Group for Classic Load Balancer"
  vpc_id      = "<Your-VPC-ID>"

  ingress {
    from_port   = <Your-Port>
    to_port     = <Your-Port>
    protocol    = "<Your-Protocol>"
    cidr_blocks = ["<Your-Allowed-IP-Ranges>"]
    // Ensure 0.0.0.0/0 is not included.
  }
  
  // ... additional configurations ...
}

resource "aws_elb" "example" {
  name               = "my-elb"
  security_groups    = [aws_security_group.elb_sg.id]
  // ... other configurations ...
}

2. Monitoring and Alerts:

  • Utilize Amazon CloudWatch or AWS Config to monitor modifications to security group rules.
  • Configure alerts to notify you if unrestricted access rules (0.0.0.0/0) are added.

3. Periodic Review:

  • Frequently review security groups associated with your Classic Load Balancers to ensure they adhere to the principle of least privilege.

Maintaining secure security group configurations for Classic Load Balancers is crucial for your AWS infrastructure's security. Adhering to best practices and regularly reviewing configurations can help mitigate potential security risks.