Control: 14 Classic Load Balancers should be configured with defensive or strictest desync mitigation mode
Description
This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. This control will fail if the Classic Load Balancer is not configured with defensive or strictest desync mitigation mode.
HTTP Desync issues can lead to request smuggling and make applications vulnerable to request queue or cache poisoning. In turn, these vulnerabilities can lead to credential hijacking or execution of unauthorized commands. Classic Load Balancers configured with defensive or strictest desync mitigation mode protect your application from security issues that may be caused by HTTP Desync.
Remediation
To update desync mitigation mode of a Classic Load Balancer, see Modify desync mitigation mode in the User Guide for Classic Load Balancers.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_elb_14Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_elb_14 --shareSQL
This control uses a named query:
with app_lb_desync_mitigation_mode as ( select arn, a ->> 'Key', a ->> 'Value' as v from aws_ec2_classic_load_balancer, jsonb_array_elements(additional_attributes) as a where a ->> 'Key' = 'elb.http.desyncmitigationmode')select c.arn as resource, case when m.v = any(array['defensive', 'strictest']) then 'ok' else 'alarm' end as status, title || ' has ' || m.v || ' desync mitigation mode.' as reason , region, account_idfrom aws_ec2_classic_load_balancer as c left join app_lb_desync_mitigation_mode as m on c.arn = m.arn;