v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 4 Application load balancers should be configured to drop HTTP headers

Description

This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false.

By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.

Remediation

To remediate this issue, configure your load balancer to drop invalid header fields.

To configure the load balancer to drop invalid header fields

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Load balancers.
  3. Choose an Application Load Balancer.
  4. From Actions, choose Edit attributes.
  5. Under Drop Invalid Header Fields, choose Enable.
  6. Choose Save.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elb_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_4 --share

SQL

This control uses a named query:

elb_application_lb_drop_http_headers

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = network_security
foundational_security_item_id = elb_4
plugin = aws
service = AWS/ELB