Benchmark: ELB
Description
This section contains recommendations for configuring ELB resources.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select ELB.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_elbSnapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_elb --shareControls
- Classic Load Balancers should have connection draining enabled
- ELB application and classic load balancer logging should be enabled
- ELB load balancers should prohibit public access
- ELB application, network, and gateway load balancers should span multiple availability zones
- ELB application load balancer deletion protection should be enabled
- ELB application load balancers should be configured with defensive or strictest desync mitigation mode
- ELB application load balancers should be configured to drop HTTP headers
- Application Load Balancer should be configured to drop invalid http headers
- ELB application load balancers secured listener certificate should not expire within next 30 days
- ELB application load balancers secured listener certificate should not expire within next 7 days
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- ELB application load balancers should have at least one outbound rule
- Application and Network Load Balancers with listeners should use recommended security policies
- ELB application and network load balancers should use listeners
- ELB application and network load balancers should only use SSL or HTTPS listeners
- Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit
- ELB classic load balancers should have cross-zone load balancing enabled
- ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
- ELB classic load balancers should span multiple availability zones
- ELB classic load balancers should have at least one registered instance
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should have at least one inbound rule
- ELB classic load balancers should have at least one outbound rule
- ELB listeners should use secure SSL cipher
- ELB network load balancers should have TLS listener security policy configured
- ELB listeners SSL/TLS protocol version should be checked