Control: ELB application load balancers should be configured with defensive or strictest desync mitigation mode
Description
This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.elb_application_lb_desync_mitigation_modeSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.elb_application_lb_desync_mitigation_mode --shareSQL
This control uses a named query:
with app_lb_desync_mitigation_mode as ( select arn, l ->> 'Key', l ->> 'Value' as v from aws_ec2_application_load_balancer, jsonb_array_elements(load_balancer_attributes) as l where l ->> 'Key' = 'routing.http.desync_mitigation_mode')select a.arn as resource, case when m.v = any(array['defensive', 'strictest']) then 'ok' else 'alarm' end as status, title || ' has ' || m.v || ' desync mitigation mode.' as reason , region, account_idfrom aws_ec2_application_load_balancer as a left join app_lb_desync_mitigation_mode as m on a.arn = m.arn;