v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 12 Application Load Balancers should be configured with defensive or strictest desync mitigation mode

Description

This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode.

HTTP Desync issues can lead to request smuggling and make applications vulnerable to request queue or cache poisoning. In turn, these vulnerabilities can lead to credential hijacking or execution of unauthorized commands. Application Load Balancers configured with defensive or strictest desync mitigation mode protect your application from security issues that may be caused by HTTP Desync.

Remediation

To update desync mitigation mode of an Application Load Balancer, see Desync mitigation mode in the User Guide for Application Load Balancers.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elb_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_12 --share

SQL

This control uses a named query:

elb_application_lb_desync_mitigation_mode

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = data_integrity
foundational_security_item_id = elb_12
plugin = aws
service = AWS/ELB