AWS Classic Load Balancer (ELB) Listener Configurations and Allowed Security Group Ports Discrepancy

Description:

The listener configuration of a Classic Elastic Load Balancer (ELB) defines the front-end protocols and ports on which it accepts incoming traffic (for example HTTP on 80 and HTTPS on 443). The security group attached to the ELB should admit exactly those ports. If a listener port is missing from the inbound rules, clients cannot reach that listener and the traffic is dropped silently at the network layer; if the rules admit ports that no listener uses, the load balancer is exposed more widely than it needs to be. This check applies to Classic ELBs in a VPC, which use the security groups you assign; an EC2-Classic load balancer uses an AWS-managed security group that you cannot edit.


Remediation:

1. Align Security Group with Listener Configuration:

Ensure that every front-end port defined in the Classic ELB's listeners is allowed by an inbound rule of the security group(s) attached to the ELB, and that the inbound rules do not allow ports that no listener uses. The security group rule is expressed in terms of the transport protocol (TCP for HTTP, HTTPS, TCP and SSL listeners), not the listener's application protocol.

AWS Management Console:
  • Navigate to the EC2 Dashboard.
  • Under Load Balancing in the left-hand pane, select Load Balancers.
  • Choose your Classic ELB and check its Listeners tab for the load balancer port of each listener.
  • In the left-hand pane, under Security, select Security Groups.
  • Identify and select the security group associated with your Classic ELB.
  • On the Inbound rules tab, ensure that there is a TCP rule for each listener port and no rules for ports that no listener uses.
AWS CLI:
# Front-end protocol and port of each listener, plus the security groups attached to the Classic ELB
aws elb describe-load-balancers --load-balancer-names <Your-ELB-Name> \
  --query 'LoadBalancerDescriptions[0].{Listeners:ListenerDescriptions[].Listener.[Protocol,LoadBalancerPort],SecurityGroups:SecurityGroups}'

# Inbound rules (protocol, port range, source CIDRs) of the security group attached to the ELB
aws ec2 describe-security-groups --group-ids <Your-Security-Group-ID> \
  --query 'SecurityGroups[0].IpPermissions[].[IpProtocol,FromPort,ToPort,IpRanges[].CidrIp]'
Terraform:
resource "aws_security_group" "elb_sg" {
  name        = "my_elb_sg"
  description = "Security Group for Classic ELB"
  vpc_id      = "<Your-VPC-ID>"

  # One ingress block per listener front-end port. The protocol is the
  # transport protocol ("tcp" for HTTP, HTTPS, TCP and SSL listeners),
  # not the listener's application protocol.
  ingress {
    from_port   = <Listener-Port-1>
    to_port     = <Listener-Port-1>
    protocol    = "tcp"
    cidr_blocks = ["<Your-Allowed-IP-Ranges>"]
  }

  ingress {
    from_port   = <Listener-Port-2>
    to_port     = <Listener-Port-2>
    protocol    = "tcp"
    cidr_blocks = ["<Your-Allowed-IP-Ranges>"]
  }

  # ... one ingress block per additional listener port, and nothing else ...
}

resource "aws_elb" "example" {
  name            = "my-elb"
  subnets         = ["<Your-Subnet-IDs>"]             # a VPC load balancer takes subnets, not availability_zones
  security_groups = [aws_security_group.elb_sg.id]   # attach the group defined above

  listener {
    instance_port     = <Listener-Port-1>   # back-end port; may differ from lb_port
    instance_protocol = "<Your-Protocol>"
    lb_port           = <Listener-Port-1>   # front-end port; this is the port the security group must admit
    lb_protocol       = "<Your-Protocol>"
  }

  # ... additional listener blocks for other front-end ports ...
  # The instances' own security group must separately admit instance_port from aws_security_group.elb_sg.
}

2. Regular Audits:

  • Periodically review the listener configuration and the inbound rules of the security group attached to your Classic ELB to spot discrepancies in either direction: listener ports with no rule, and rules for ports with no listener.
  • Consider automating this check with an AWS Config custom rule or a scheduled Lambda function that compares listener ports with the inbound rules and alerts on discrepancies.
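As an added example that is not part of this page, the following Python script performs the comparison from steps 1 and 2 offline, over the JSON shapes returned by `aws elb describe-load-balancers` and `aws ec2 describe-security-groups` (boto3 returns the same dicts, so the same functions can run inside a scheduled Lambda). The sample ELB, security group ID and rules are constructed for illustration. It reports both directions of the discrepancy: listener ports with no inbound rule, and inbound rules that admit ports no listener uses, including the all-traffic ("-1") rule, which carries no port range.

```python
from dataclasses import dataclass

# Every Classic ELB listener protocol (HTTP, HTTPS, TCP, SSL) is carried over
# TCP, so only TCP rules (or "-1", all protocols) can admit listener traffic.
TCP_PROTOCOLS = {"tcp", "6", "-1"}


@dataclass(frozen=True)
class InboundRule:
    group_id: str
    protocol: str
    from_port: int
    to_port: int
    sources: tuple  # CIDR blocks and security-group IDs the rule admits


def listener_ports(elb_description):
    """Front-end ports (LoadBalancerPort) from describe-load-balancers output."""
    return {d["Listener"]["LoadBalancerPort"]
            for d in elb_description["ListenerDescriptions"]}


def tcp_inbound_rules(security_group):
    """Flatten describe-security-groups IpPermissions into TCP port ranges.
    An all-traffic rule ("-1") has no FromPort/ToPort; treat it as 0-65535."""
    rules = []
    for perm in security_group["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto not in TCP_PROTOCOLS:
            continue  # UDP/ICMP rules can never match a listener
        sources = tuple(
            [r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])
        rules.append(InboundRule(security_group["GroupId"], proto,
                                 perm.get("FromPort", 0),
                                 perm.get("ToPort", 65535), sources))
    return rules


def compare(elb_description, security_groups):
    """missing: listener ports no inbound rule admits (traffic dropped silently).
    extra: rules admitting a port no listener uses (an all-traffic rule always
    lands here), i.e. exposure with no purpose."""
    wanted = listener_ports(elb_description)
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    rules = []
    for gid in elb_description["SecurityGroups"]:
        if gid not in by_id:
            raise ValueError(f"security group {gid} missing from input")
        rules.extend(tcp_inbound_rules(by_id[gid]))
    missing = {p for p in wanted
               if not any(r.from_port <= p <= r.to_port for r in rules)}
    extra = [r for r in rules
             if any(p not in wanted for p in range(r.from_port, r.to_port + 1))]
    return {"missing": sorted(missing), "extra": extra}


# Constructed sample (not real AWS output): an ELB listening on 80 and 443
# whose security group admits 80 and 22 but not 443.
SAMPLE_ELB = {
    "LoadBalancerName": "my-elb",
    "SecurityGroups": ["sg-0a1b2c3d4e5f60718"],
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
    ],
}
SAMPLE_SGS = [{
    "GroupId": "sg-0a1b2c3d4e5f60718",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}]

if __name__ == "__main__":
    result = compare(SAMPLE_ELB, SAMPLE_SGS)
    print("listener ports with no inbound rule:", result["missing"])
    for rule in result["extra"]:
        print(f"{rule.group_id} admits {rule.from_port}-{rule.to_port} "
              f"from {rule.sources}, which no listener uses")
```

To run it against a live account, pass `compare` the first element of boto3's `describe_load_balancers(LoadBalancerNames=[...])["LoadBalancerDescriptions"]` and the `describe_security_groups(GroupIds=...)["SecurityGroups"]` list for the groups the ELB references; a non-empty `missing` or `extra` list is the discrepancy this check is about.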

Keeping the inbound rules of the Classic ELB's security group aligned with its listener ports removes exposure that serves no listener and prevents listeners that clients cannot reach. Audit the configuration routinely so that discrepancies are detected and corrected promptly.