Skip to content

Application load balancer has unrestricted security group attached

Description

A publicly accessible load balancer is vulnerable to brute force login attempts and subsequent data leak/loss. Unauthorized access attempts should be restricted to minimize security risks.

We recommend your load balancer can communicate with registered targets on both the listener port and the health check port. Whenever you add a listener to your load balancer or update the health check port for a target group used by the load balancer to route requests, you must verify that the security groups associated with the load balancer allow traffic on the new port in both directions. If they do not, you can edit the rules for the currently associated security groups or associate different security groups with the load balancer.

Fix - Runtime

AWS Console

To restrict access to any publicly accessible load balancer, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. On the navigation pane, under LOAD BALANCING, select Load Balancers.
  4. Select the load balancer.
  5. Naviagate to the Description tab.
  6. Navigate to the Security section, select Edit security groups.
  7. To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.
  8. Click Save.

CLI Command

To associate a security group with a load balancer, use the following command:

aws elbv2 set-security-groups 
--load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:
loadbalancer/app/my-load-balancer/50dc6c495c0c9188 
--security-groups sg-5943793c