Control: ELB application load balancers should have drop invalid header fields configured
Description
Ensure that your application load balancers are configured to drop invalid header fields.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.elb_application_lb_drop_invalid_header_fields
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.elb_application_lb_drop_invalid_header_fields --share
SQL
This control uses a named query:
select
  address as resource,
  case
    when (attributes_std ->> 'load_balancer_type') like any (array ['gateway', 'network']) then 'skip'
    when (attributes_std ->> 'drop_invalid_header_fields')::boolean
      and ((attributes_std ->> 'load_balancer_type') is null or (attributes_std ->> 'load_balancer_type') = 'application')
    then 'ok'
    else 'alarm'
  end status,
  split_part(address, '.', 2) || case
    when (attributes_std ->> 'load_balancer_type') like any (array ['gateway', 'network']) then ' load balancer is of ' || (attributes_std ->> 'load_balancer_type') || ' type'
    when (attributes_std ->> 'drop_invalid_header_fields')::boolean
      and ((attributes_std ->> 'load_balancer_type') is null or (attributes_std ->> 'load_balancer_type') = 'application')
    then ' configured to drop invalid http header field(s)'
    else ' not configured to drop invalid http header field(s)'
  end || '.' reason
  , path || ':' || start_line
from
  terraform_resource
where
  type in ('aws_lb', 'aws_alb');
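The Terraform below is an added example, not part of the mod or of the original page. It shows one load balancer for each status the query can return. The resource names, the `name` values and the `subnet_ids` variable are placeholders.

```hcl
# Constructed example: names and var.subnet_ids are placeholders.
variable "subnet_ids" {
  type = list(string)
}

# Status: alarm
# load_balancer_type is omitted, so the query treats it as an application
# load balancer. drop_invalid_header_fields is also omitted, so the
# ::boolean cast in the query yields NULL and the case falls through to 'alarm'.
resource "aws_lb" "weak" {
  name    = "example-weak"
  subnets = var.subnet_ids
}

# Status: ok
# Application load balancer with the setting enabled explicitly.
resource "aws_lb" "hardened" {
  name                       = "example-hardened"
  load_balancer_type         = "application"
  subnets                    = var.subnet_ids
  drop_invalid_header_fields = true
}

# Status: skip
# Network (and gateway) load balancers are excluded by the first branch
# of the case expression, regardless of any other attribute.
resource "aws_lb" "nlb" {
  name               = "example-nlb"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}
```

Because the query also matches `aws_alb`, the same three outcomes apply to resources declared with that type.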