Profile Applicability:
Level 1
Description:
This control ensures that all Internet-facing Elastic Load Balancers (ELBs) — including Application Load Balancers (ALBs), Network Load Balancers (NLBs), and Classic Load Balancers (CLBs) — are regularly reviewed to verify that only intended applications and services are exposed to the public internet. This helps ensure that no unnecessary or misconfigured load balancers are accessible externally, reducing the attack surface.
Rationale:
Internet-facing load balancers distribute traffic from the public internet to backend resources. Misconfigurations, such as exposing sensitive applications or internal services publicly, can lead to unauthorized access or data breaches. Regularly auditing and verifying the configuration of these ELBs ensures that only approved and secure endpoints are exposed, supporting compliance with frameworks like ISO 27001, SOC 2, and CIS AWS Foundations Benchmark.
Impact:
Positive Impact: Enhances network security posture by limiting external exposure, reducing the risk of attacks on internal resources.
Negative Impact: Requires periodic manual or automated review effort to maintain compliance.
Default Value:
By default, Elastic Load Balancers can be configured as Internet-facing or Internal. AWS does not automatically restrict or monitor which ELBs are public.
Pre-Requisite:
- IAM permissions required:
  - elasticloadbalancing:DescribeLoadBalancers
  - elasticloadbalancing:DescribeLoadBalancerAttributes
  - elasticloadbalancing:DescribeListeners
- CloudTrail and Config should be enabled to record ELB configuration changes.
Remediation
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to EC2 → Load Balancers.
- Review the list of Load Balancers.
- For each load balancer, check the Scheme attribute:
  - internet-facing indicates the load balancer is publicly accessible.
  - internal indicates it is private.
- Verify that each internet-facing load balancer is required for business or operational purposes.
- Confirm that security groups attached to the load balancer restrict inbound access to approved IPs or ports only.
- If unnecessary or misconfigured load balancers are found, mark them as non-compliant.
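An added audit helper for the Test Plan steps above (example code, not part of this benchmark or of AWS tooling). It evaluates the response shapes of `aws elbv2 describe-load-balancers`, `aws elb describe-load-balancers` and `aws ec2 describe-security-groups`; the last call needs ec2:DescribeSecurityGroups, which is an assumption beyond the permissions listed in the pre-requisites, and all sample responses below are constructed.

```python
WORLD = {"0.0.0.0/0", "::/0"}  # CIDRs meaning "anywhere"


def world_open_sgs(sg_resp: dict) -> set:
    """IDs of security groups with any ingress rule from 0.0.0.0/0 or ::/0."""
    open_ids = set()
    for sg in sg_resp.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if WORLD.intersection(cidrs):
                open_ids.add(sg["GroupId"])
    return open_ids


def audit_internet_facing(elbv2_resp: dict, classic_resp: dict, sg_resp: dict) -> list:
    """One finding per internet-facing ELB (ALB/NLB/CLB) with its world-open security groups.
    An NLB created without security groups reports none, so an empty 'open_sgs' there
    does not mean the listener is restricted; review those by hand."""
    open_ids = world_open_sgs(sg_resp)
    entries = [(lb, lb.get("Type", "unknown")) for lb in elbv2_resp.get("LoadBalancers", [])]
    entries += [(lb, "classic") for lb in classic_resp.get("LoadBalancerDescriptions", [])]
    findings = []
    for lb, kind in entries:
        if lb.get("Scheme") != "internet-facing":
            continue  # internal load balancers are out of scope for this control
        findings.append({"name": lb["LoadBalancerName"], "type": kind,
                         "dns": lb.get("DNSName", ""),
                         "open_sgs": sorted(open_ids.intersection(lb.get("SecurityGroups", [])))})
    return findings


# Constructed sample responses: shapes follow the AWS API, but every value is made up.
SAMPLE_ELBV2 = {"LoadBalancers": [
    {"LoadBalancerName": "web-alb", "Type": "application", "Scheme": "internet-facing",
     "DNSName": "web-alb-0.example.invalid", "SecurityGroups": ["sg-0aaa"]},
    {"LoadBalancerName": "admin-alb", "Type": "application", "Scheme": "internal",
     "DNSName": "internal-admin-alb-0.example.invalid", "SecurityGroups": ["sg-0bbb"]}]}
SAMPLE_CLASSIC = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "legacy-clb", "Scheme": "internet-facing",
     "DNSName": "legacy-clb-0.example.invalid", "SecurityGroups": ["sg-0bbb"]}]}
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}]}

if __name__ == "__main__":
    for finding in audit_internet_facing(SAMPLE_ELBV2, SAMPLE_CLASSIC, SAMPLE_SGS):
        print(finding)  # with boto3, feed the clients' describe_* responses instead
```

Each finding still needs the business-justification review from the Test Plan; the script only narrows the list to load balancers that are public and shows which of their security groups admit the whole internet.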
Implementation Plan
Using AWS Console:
- Go to the AWS Management Console → EC2 → Load Balancers.
- Select an internet-facing load balancer.
- Review the Listeners, Security Groups, and Target Groups associated with it.
- If the ELB should not be publicly accessible, either:
  - Delete the current Internet-facing ELB and recreate it as Internal, or
  - Modify routing/security groups to limit access to authorized IPs or services only.
- Enable the AWS Config rule elbv2-internet-facing, or use Trusted Advisor, to continuously monitor internet-facing load balancers.
- Schedule periodic reviews (e.g., monthly) to validate all Internet-facing ELBs.
Backout Plan
Using AWS Console:
- If an Internet-facing ELB was incorrectly modified or deleted:
  - Recreate the ELB with its original configuration.
  - Restore backend target group and listener settings from previous configurations.
  - Validate that it serves the intended applications correctly.
  - Reapply appropriate security groups and access controls.
References: