Control: ELB load balancers should prohibit public access
Description
An internet-facing load balancer has a publicly resolvable DNS name, so it can route requests from clients over the internet to the EC2 instances that are registered with the load balancer.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.elb_application_classic_network_lb_prohibit_public_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.elb_application_classic_network_lb_prohibit_public_access --share
SQL
This control uses a named query:
with all_lb_details as (
  select
    arn,
    scheme,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_ec2_application_load_balancer
  union
  select
    arn,
    scheme,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_ec2_network_load_balancer
  union
  select
    arn,
    scheme,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_ec2_classic_load_balancer
)
select
  arn as resource,
  case
    when scheme = 'internet-facing' then 'alarm'
    else 'ok'
  end as status,
  case
    when scheme = 'internet-facing' then title || ' publicly accessible.'
    else title || ' not publicly accessible.'
  end as reason,
  region,
  account_id
from
  all_lb_details;