chore(aws): enhance metadata for elb service (#8935)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
This commit is contained in:
Rubén De la Torre Vico
2025-11-12 16:46:12 +01:00
committed by GitHub
parent b46a8fd0ba
commit 8ee9454dbc
10 changed files with 182 additions and 105 deletions


@@ -43,6 +43,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS FSx service metadata to new format [(#9006)](https://github.com/prowler-cloud/prowler/pull/9006)
- Update AWS Glacier service metadata to new format [(#9007)](https://github.com/prowler-cloud/prowler/pull/9007)
- Update oraclecloud analytics service metadata to new format [(#9114)](https://github.com/prowler-cloud/prowler/pull/9114)
- Update AWS ELB service metadata to new format [(#8935)](https://github.com/prowler-cloud/prowler/pull/8935)
- Update AWS CodeArtifact service metadata to new format [(#8850)](https://github.com/prowler-cloud/prowler/pull/8850)
- Rename OCI provider to oraclecloud with oci alias [(#9126)](https://github.com/prowler-cloud/prowler/pull/9126)
- Remove unnecessary tests for M365_PowerShell module [(#9204)](https://github.com/prowler-cloud/prowler/pull/9204)


@@ -1,31 +1,40 @@
{
"Provider": "aws",
"CheckID": "elb_connection_draining_enabled",
"CheckTitle": "Classic Load Balancer Connection Draining Enabled",
"CheckTitle": "Classic Load Balancer has connection draining enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Effects/Denial of Service"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "Checks if connection draining is enabled for Classic Load Balancers. Connection draining ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy, while keeping existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.",
"Risk": "Disabling connection draining can lead to abrupt connection termination for users, impacting the user experience and potentially causing application errors.",
"RelatedUrl": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html",
"Description": "**Classic Load Balancer** has **connection draining** enabled, so deregistering or unhealthy instances stop receiving new requests while existing connections are allowed to complete within the configured drain window.",
"Risk": "Without **connection draining**, instance removals or health failures can terminate in-flight requests, leading to partial transactions, broken sessions, and inconsistent application state. This reduces **availability** and can impact **data integrity** during deployments, scaling, or failover events.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://aws.amazon.com/blogs/aws/elb-connection-draining-remove-instances-from-service-with-care/",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-connection-draining-enabled.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-7",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html"
],
"Remediation": {
"Code": {
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <my_load_balancer_name> --load-balancer-attributes '{'ConnectionDraining':{'Enabled':true,'Timeout':300}}'",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-7",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-connection-draining-enabled.html#"
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <example_resource_name> --load-balancer-attributes '{\"ConnectionDraining\":{\"Enabled\":true}}'",
"NativeIaC": "```yaml\n# CloudFormation: Enable connection draining on a Classic Load Balancer\nResources:\n <example_resource_name>:\n Type: AWS::ElasticLoadBalancing::LoadBalancer\n Properties:\n Listeners:\n - InstancePort: 80\n LoadBalancerPort: 80\n Protocol: HTTP\n AvailabilityZones:\n - us-east-1a\n ConnectionDrainingPolicy:\n Enabled: true # CRITICAL: turns on connection draining so in-flight requests complete\n # Timeout is optional; default 300s is used if omitted\n```",
"Other": "1. Open the EC2 console and go to Load Balancers (Classic)\n2. Select the Classic Load Balancer\n3. Choose the Attributes tab, then click Edit\n4. Check Enable connection draining (leave default timeout or set as needed)\n5. Click Save changes",
"Terraform": "```hcl\n# Terraform: Enable connection draining on a Classic Load Balancer\nresource \"aws_elb\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n availability_zones = [\"us-east-1a\"]\n\n listener {\n lb_port = 80\n lb_protocol = \"http\"\n instance_port = 80\n instance_protocol = \"http\"\n }\n\n connection_draining = true # CRITICAL: enables connection draining so existing connections complete\n # connection_draining_timeout can be omitted (defaults to 300s)\n}\n```"
},
"Recommendation": {
"Text": "Enable connection draining for all Classic Load Balancers. This ensures that existing connections are not abruptly terminated when instances are removed from the load balancer.",
"Url": ""
"Text": "Enable **connection draining** on all Classic Load Balancers and set a drain interval aligned to typical request latency. Coordinate autoscaling and deployments to allow graceful instance shutdowns. Monitor errors and retries to validate behavior and adjust the `timeout` conservatively to protect **availability** and **integrity**.",
"Url": "https://hub.prowler.com/check/elb_connection_draining_enabled"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
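Review bot: The CloudFormation and Terraform snippets in `NativeIaC` and `Terraform` hardcode the zone `us-east-1a`, while the sibling metadata files in this commit use the `<example_az>` placeholder for the same field. A reader copying this snippet into another region gets a deployment error rather than an obvious fill-in; I would replace both occurrences with `- <example_az>` and `availability_zones = ["<example_az>"]` so all remediation snippets follow one placeholder convention. The rewritten `CLI` line does fix the old single-quote-inside-single-quote problem, so no change there. The file's closing brace lies outside the hunk.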


@@ -1,29 +1,40 @@
{
"Provider": "aws",
"CheckID": "elb_cross_zone_load_balancing_enabled",
"CheckTitle": "Ensure Cross-Zone Load Balancing is Enabled for Classic Load Balancers (CLBs)",
"CheckType": [],
"CheckTitle": "Classic Load Balancer has cross-zone load balancing enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Denial of Service",
"Effects/Resource Consumption"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "Checks whether cross-zone load balancing is enabled for Classic Load Balancers (CLBs). Cross-zone load balancing ensures even distribution of traffic across all registered targets in all Availability Zones, improving fault tolerance and load distribution.",
"Risk": "If cross-zone load balancing is not enabled, traffic may not be evenly distributed across Availability Zones, leading to over-utilization of resources in certain zones and potential application performance degradation or outages.",
"RelatedUrl": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html",
"Description": "Classic Load Balancer with **cross-zone load balancing** distributes requests across registered targets in all enabled Availability Zones.\n\nThis evaluates whether that setting is `enabled`, instead of restricting distribution to targets within only the same zone.",
"Risk": "Without **cross-zone load balancing**, traffic can concentrate in one AZ due to DNS skew or uneven capacity, creating **hot spots**, timeouts, and latency. This degrades service **availability** and increases the chance of cascading failures during AZ impairment or instance loss.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-9",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-cross-zone-load-balancing-enabled.html"
],
"Remediation": {
"Code": {
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes \"CrossZoneLoadBalancing={Enabled=true}\"",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-9",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-cross-zone-load-balancing-enabled.html"
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes \"{\\\"CrossZoneLoadBalancing\\\":{\\\"Enabled\\\":true}}\"",
"NativeIaC": "```yaml\n# CloudFormation: Enable cross-zone load balancing on a Classic Load Balancer\nResources:\n <example_resource_name>:\n Type: AWS::ElasticLoadBalancing::LoadBalancer\n Properties:\n CrossZone: true # Critical: enables cross-zone load balancing to pass the check\n Listeners:\n - LoadBalancerPort: 80\n InstancePort: 80\n Protocol: HTTP\n AvailabilityZones:\n - <example_az>\n```",
"Other": "1. Open the AWS EC2 console\n2. Go to Load Balancing > Load Balancers and select your Classic Load Balancer\n3. Open the Attributes tab and click Edit\n4. Enable Cross-zone load balancing\n5. Click Save changes",
"Terraform": "```hcl\n# Terraform: Enable cross-zone load balancing on a Classic Load Balancer\nresource \"aws_elb\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n listener {\n lb_port = 80\n lb_protocol = \"http\"\n instance_port = 80\n instance_protocol = \"http\"\n }\n\n availability_zones = [\"<example_az>\"]\n\n cross_zone_load_balancing = true # Critical: enables cross-zone load balancing to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Enable cross-zone load balancing for Classic Load Balancers to ensure even traffic distribution and enhance fault tolerance across Availability Zones.",
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html"
"Text": "Set `cross-zone load balancing` to `enabled` on Classic Load Balancers and use at least two AZs.\n\nBalance capacity per AZ, enforce robust health checks with autoscaling, and design for **high availability** so load remains evenly distributed during demand spikes or partial AZ outages.",
"Url": "https://hub.prowler.com/check/elb_cross_zone_load_balancing_enabled"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
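Review bot: The `CLI` remediation uses triple-escaped double quotes (`\\\"` at the JSON level) for the attributes argument, which decodes correctly but is fragile to copy and differs from the quoting style used by the other checks in this commit (single-quoted JSON in the connection-draining and desync files, CLI shorthand in the logging file). Either the shorthand the previous version already had, `--load-balancer-attributes "CrossZoneLoadBalancing={Enabled=true}"`, or the single-quoted form `--load-balancer-attributes '{"ConnectionDraining"...}'` style would be simpler and consistent. The `<load-balancer-name>` placeholder here also differs from `<example_resource_name>` used in the same file's IaC snippets.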


@@ -1,28 +1,37 @@
{
"Provider": "aws",
"CheckID": "elb_desync_mitigation_mode",
"CheckTitle": "Classic Load Balancer should be configured with defensive or strictest desync mitigation mode",
"CheckTitle": "Classic Load Balancer desync mitigation mode is defensive or strictest",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"TTPs/Initial Access",
"TTPs/Defense Evasion"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:elasticloadbalancing:{region}:{account-id}:loadbalancer/{load-balancer-name}",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if the Classic Load Balancer isn't configured with defensive or strictest desync mitigation mode.",
"Risk": "HTTP Desync issues can lead to request smuggling, making applications vulnerable to attacks such as request queue or cache poisoning, which could result in credential hijacking or unauthorized command execution.",
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/clb-desync-mode-check.html",
"Description": "**Classic Load Balancer** `desync_mitigation_mode` is evaluated to determine whether it is configured as **`defensive`** or **`strictest`**. Any other mode (such as `monitor`) is identified for attention.",
"Risk": "Without strict desync mitigation, **HTTP request smuggling** can occur, enabling:\n- Cache/queue poisoning (**integrity**)\n- Session hijacking and data exposure (**confidentiality**)\n- Unintended backend actions and abuse (**availability**)",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-desync-mitigation-mode.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-14",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/enable-configure-desync-mitigation-mode.html",
"https://support.icompaas.com/support/solutions/articles/62000233337-ensure-classic-load-balancer-is-configured-with-defensive-or-strictest-desync-mitigation-mode"
],
"Remediation": {
"Code": {
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes '{\"DesyncMitigationMode\":\"defensive\"}'",
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes '{\"AdditionalAttributes\":[{\"Key\":\"elb.http.desyncmitigationmode\",\"Value\":\"defensive\"}]}'",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-14",
"Terraform": ""
"Other": "1. Open the AWS Management Console and go to EC2\n2. Under Load Balancing, select Load Balancers\n3. Select your Classic Load Balancer\n4. On the Attributes tab, click Edit\n5. Set Desync mitigation mode to Defensive or Strictest\n6. Click Save changes",
"Terraform": "```hcl\nresource \"aws_elb\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n availability_zones = [\"<example_az>\"]\n\n listener {\n instance_port = 80\n instance_protocol = \"http\"\n lb_port = 80\n lb_protocol = \"http\"\n }\n\n desync_mitigation_mode = \"defensive\" # Critical: sets CLB desync mitigation to defensive to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Configure the Classic Load Balancer with defensive or strictest desync mitigation mode to prevent security issues caused by HTTP desync.",
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-desync-mitigation-mode.html#update-desync-mitigation-mode"
"Text": "Set CLB desync mitigation to **`defensive`** or, where compatible, **`strictest`**. Validate in staging to avoid client breakage. Apply **defense in depth**: enforce strict header handling, pair with WAF controls, and monitor non-compliant request indicators.",
"Url": "https://hub.prowler.com/check/elb_desync_mitigation_mode"
}
},
"Categories": [],
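Review bot: `Categories` is left as `[]` on the last hunk line although every other metadata file in this commit is assigned one; since the Risk text describes request smuggling and cache poisoning, a matching category should be added if one exists in the project's taxonomy, otherwise a short note in `Notes` explaining why none applies. The Terraform comment `# Critical: sets CLB desync mitigation to defensive to pass the check` understates the title, which accepts both modes; `# Critical: defensive or strictest both satisfy the check` would match. The `CLI` placeholder `<load-balancer-name>` also differs from the `<example_resource_name>` used in the Terraform snippet. The remainder of the file lies outside the hunk.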


@@ -1,28 +1,38 @@
{
"Provider": "aws",
"CheckID": "elb_insecure_ssl_ciphers",
"CheckTitle": "Check if Elastic Load Balancers have insecure SSL ciphers.",
"CheckTitle": "Elastic Load Balancer HTTPS listeners, if present, use the ELBSecurityPolicy-TLS-1-2-2017-01 policy",
"CheckType": [
"Data Protection"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "Check if Elastic Load Balancers have insecure SSL ciphers.",
"Risk": "Using insecure ciphers could affect privacy of in transit information.",
"Description": "Elastic Load Balancer HTTPS listeners are assessed for use of a **strong TLS policy**. Listeners associated with `ELBSecurityPolicy-TLS-1-2-2017-01` are considered to negotiate only modern protocols and ciphers, avoiding legacy SSL/TLS and weak suites.",
"Risk": "Legacy TLS or weak ciphers allow downgrades and man-in-the-middle decryption or tampering. Attackers can capture credentials, inject responses, and pivot, undermining data-in-transit **confidentiality** and **integrity**, and risking **availability** through failed handshakes.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-security-policy.html",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html"
],
"Remediation": {
"Code": {
"CLI": "aws elb set-load-balancer-policies-of-listener --load-balancer-name <lb_name> --load-balancer-port 443 --policy-names ELBSecurityPolicy-TLS-1-2-2017-01",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-security-policy.html",
"Terraform": "https://docs.prowler.com/checks/aws/general-policies/bc_aws_general_43#terraform"
"NativeIaC": "```yaml\n# CloudFormation: Classic ELB with TLS 1.2-only security policy on HTTPS listener\nResources:\n <example_resource_name>:\n Type: AWS::ElasticLoadBalancing::LoadBalancer\n Properties:\n AvailabilityZones:\n - <example_az>\n Listeners:\n - LoadBalancerPort: 443\n InstancePort: 443\n Protocol: HTTPS\n InstanceProtocol: HTTPS\n SSLCertificateId: <example_certificate_arn>\n PolicyNames:\n - ELBSecurityPolicy-TLS-1-2-2017-01 # Critical: attach TLS 1.2-only policy to the HTTPS listener\n Policies:\n - PolicyName: ELBSecurityPolicy-TLS-1-2-2017-01 # Critical: create policy referencing the predefined TLS 1.2 policy\n PolicyType: SSLNegotiationPolicyType\n Attributes:\n - Name: Reference-Security-Policy\n Value: ELBSecurityPolicy-TLS-1-2-2017-01 # Critical: enforce TLS 1.2-only\n```",
"Other": "1. Open the AWS Management Console and go to EC2\n2. In the left menu, under Load Balancing, click Load Balancers\n3. Select your Classic Load Balancer\n4. On the Listeners tab, click Manage listeners (or Edit)\n5. Select the HTTPS (port 443) listener and under Security policy choose ELBSecurityPolicy-TLS-1-2-2017-01\n6. Click Save changes",
"Terraform": "```hcl\n# Create and attach TLS 1.2-only policy to a Classic ELB HTTPS listener\nresource \"aws_load_balancer_policy\" \"<example_resource_name>\" {\n load_balancer_name = \"<example_resource_name>\"\n policy_name = \"ELBSecurityPolicy-TLS-1-2-2017-01\" # Critical: policy named as required by the check\n policy_type_name = \"SSLNegotiationPolicyType\"\n\n policy_attributes {\n name = \"Reference-Security-Policy\"\n value = \"ELBSecurityPolicy-TLS-1-2-2017-01\" # Critical: reference the predefined TLS 1.2 policy\n }\n}\n\nresource \"aws_load_balancer_listener_policy\" \"<example_resource_name>\" {\n load_balancer_name = \"<example_resource_name>\"\n load_balancer_port = 443\n policy_names = [aws_load_balancer_policy.<example_resource_name>.policy_name] # Critical: attach policy to HTTPS listener\n}\n```"
},
"Recommendation": {
"Text": "Use a Security policy with ciphers that are as strong as possible. Drop legacy and insecure ciphers.",
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies"
"Text": "Standardize on ELB policies enforcing **TLS 1.2+** with modern AEAD ciphers; disable legacy protocols and weak suites. Enable server cipher order, retire outdated policies, and review regularly for crypto agility. Validate client compatibility, use strong certificates, and monitor negotiation results.",
"Url": "https://hub.prowler.com/check/elb_insecure_ssl_ciphers"
}
},
"Categories": [
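Review bot: The Terraform snippet in `Terraform` declares the attribute block as `policy_attributes {`, but the `aws_load_balancer_policy` resource takes a repeated `policy_attribute` block (singular), so the snippet will not plan as written; the fix is the single line `policy_attribute {`. I would also hedge the comment "policy named as required by the check": as far as the hunk shows, the listener is judged by which predefined policy it references, and naming the custom policy after the predefined one is cosmetic, so `# reference the predefined TLS 1.2 policy` on the `Reference-Security-Policy` attribute is the line that actually matters. The `Categories` array continues outside the hunk.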


@@ -1,31 +1,40 @@
{
"Provider": "aws",
"CheckID": "elb_internet_facing",
"CheckTitle": "Check for internet facing Elastic Load Balancers.",
"CheckTitle": "Elastic Load Balancer is not internet-facing",
"CheckType": [
"Data Protection"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Effects/Data Exposure",
"TTPs/Initial Access"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "Check for internet facing Elastic Load Balancers.",
"Risk": "Publicly accessible load balancers could expose sensitive data to bad actors.",
"Description": "Elastic Load Balancers are evaluated for the `scheme` to determine whether they are **internet-facing** or internal, indicating if the endpoint is publicly reachable via a public DNS name.",
"Risk": "An unintended **internet-facing** load balancer exposes backends to the Internet, enabling reconnaissance, credential stuffing, and exploitation of app flaws. This can lead to data exposure (confidentiality), unauthorized changes (integrity), and **DDoS** or resource exhaustion (availability).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html",
"https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/internet-facing-load-balancers.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/internet-facing-load-balancers.html",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: create an internal load balancer\nResources:\n <example_resource_name>:\n Type: AWS::ElasticLoadBalancingV2::LoadBalancer\n Properties:\n Scheme: internal # CRITICAL: makes the load balancer internal (not internet-facing)\n Subnets:\n - <example_resource_id>\n - <example_resource_id>\n SecurityGroups:\n - <example_resource_id>\n```",
"Other": "1. In AWS Console, go to EC2 > Load Balancers\n2. Click Create load balancer (Application or Network)\n3. Set Scheme to Internal\n4. Select at least two subnets and a security group; recreate listeners/target groups as needed\n5. Create the new load balancer and update DNS to its DNS name\n6. Delete the old internet-facing load balancer",
"Terraform": "```hcl\nresource \"aws_lb\" \"<example_resource_name>\" {\n internal = true # CRITICAL: sets scheme to internal so it's not internet-facing\n subnets = [\"<example_resource_id>\", \"<example_resource_id>\"]\n security_groups = [\"<example_resource_id>\"]\n}\n```"
},
"Recommendation": {
"Text": "Ensure the load balancer should be publicly accessible. If publicly exposed ensure a WAF ACL is implemented.",
"Url": "https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html"
"Text": "Use `internal` load balancers for private services and restrict exposure with **security groups**, subnets, and allowlists. For public endpoints, apply **defense in depth**: associate an **AWS WAF** web ACL (*when supported*), enforce **TLS**, least-privilege network rules, and consider **Shield** or rate limiting. Regularly review necessity of public access.",
"Url": "https://hub.prowler.com/check/elb_internet_facing"
}
},
"Categories": [],
"Categories": [
"internet-exposed"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
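Review bot: The `NativeIaC` and `Terraform` remediation target ELBv2 resources (`AWS::ElasticLoadBalancingV2::LoadBalancer`, `aws_lb`) while the check's `ServiceName` is `elb` and `ResourceType` is `AwsElbLoadBalancer`, i.e. Classic Load Balancers; the console steps likewise say "Application or Network". If this check is meant for Classic only, the snippets should use `Type: AWS::ElasticLoadBalancing::LoadBalancer` with `Scheme: internal`, and `resource "aws_elb"` with `internal = true`, otherwise the description should say the remediation implies a migration. Since the scheme cannot be changed in place, a sentence in `Other` noting that the replacement must be created before DNS is switched and the old one deleted would help operators avoid an outage.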


@@ -1,30 +1,38 @@
{
"Provider": "aws",
"CheckID": "elb_is_in_multiple_az",
"CheckTitle": "Ensure Classic Load Balancer is Configured Across Multiple Availability Zones",
"CheckType": [],
"CheckTitle": "Classic Load Balancer is in multiple Availability Zones",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Denial of Service"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:<partition>:elasticloadbalancing:<region>:<account-id>:loadbalancer/<load-balancer-name>",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "This check ensures that a Classic Load Balancer is configured to span at least the specified number of Availability Zones (AZs). The control fails if the Load Balancer does not span multiple AZs, which can lead to decreased availability and reliability in case of an AZ failure.",
"Risk": "A Classic Load Balancer configured in a single Availability Zone risks becoming a single point of failure. If the AZ fails, the load balancer will not be able to redirect traffic to other healthy targets, leading to potential service outages.",
"RelatedUrl": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/introduction.html#classic-load-balancer-overview",
"Description": "**Classic Load Balancer** spans at least the configured number of **Availability Zones**.\n\nThe evaluation identifies load balancers enabled in fewer AZs than the specified minimum.",
"Risk": "Operating in too few AZs makes the load balancer a **single point of failure**. An AZ outage or zonal degradation can cause **service unavailability**, dropped connections, and uneven capacity, undermining application **availability** and resilience and increasing recovery time.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/ec2-instances-distribution-across-availability-zones.html",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/introduction.html#classic-load-balancer-overview"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-10",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/ec2-instances-distribution-across-availability-zones.html"
"NativeIaC": "```yaml\n# CloudFormation: Ensure CLB spans at least two Availability Zones by adding two subnets\nResources:\n <example_resource_name>:\n Type: AWS::ElasticLoadBalancing::LoadBalancer\n Properties:\n Subnets:\n - <example_subnet_id_a> # Critical: add a subnet in AZ A to ensure multiple AZs\n - <example_subnet_id_b> # Critical: add a subnet in a different AZ (>=2 AZs total)\n Listeners:\n - LoadBalancerPort: 80\n InstancePort: 80\n Protocol: HTTP\n```",
"Other": "1. Open the Amazon EC2 console and go to Load Balancers\n2. Select your Classic Load Balancer (type: classic)\n3. Choose Edit subnets (or the Subnets tab > Edit)\n4. Add a subnet from a different Availability Zone than the existing one (ensure at least two AZs)\n5. Click Save\n6. If your CLB is in EC2-Classic, use Edit Availability Zones instead and select an additional AZ, then Save",
"Terraform": "```hcl\n# Terraform: Ensure CLB spans at least two Availability Zones by adding two subnets\nresource \"aws_elb\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n subnets = [\n \"<example_subnet_id_a>\", # Critical: subnet in AZ A to ensure multiple AZs\n \"<example_subnet_id_b>\" # Critical: subnet in different AZ (>=2 AZs total)\n ]\n\n listener {\n lb_port = 80\n lb_protocol = \"http\"\n instance_port = 80\n }\n}\n```"
},
"Recommendation": {
"Text": "Distribute your Classic Load Balancer across multiple Availability Zones to improve redundancy and fault tolerance.",
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html"
"Text": "Design for **multi-AZ high availability**:\n- Enable at least `2` AZs per load balancer\n- Distribute targets evenly and use Auto Scaling across AZs\n- Enable **cross-zone load balancing** to smooth imbalances\n- Regularly test failover and health thresholds\n\nApply **fault isolation** and **defense in depth** principles.",
"Url": "https://hub.prowler.com/check/elb_is_in_multiple_az"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
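Review bot: The `listener` block in the `Terraform` snippet omits `instance_protocol`, which the `aws_elb` listener requires, so the example fails validation as written; adding `instance_protocol = "http"` next to `instance_port = 80` matches the complete listener blocks used in the connection-draining, cross-zone and desync files of this commit. The Category rename from `redundancy` to `resilience` aligns with the other files. The `Notes` line lies outside the hunk.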


@@ -1,32 +1,39 @@
{
"Provider": "aws",
"CheckID": "elb_logging_enabled",
"CheckTitle": "Check if Elastic Load Balancers have logging enabled.",
"CheckTitle": "Elastic Load Balancer has access logs to S3 configured",
"CheckType": [
"Logging and Monitoring"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "Check if Elastic Load Balancers have logging enabled.",
"Risk": "If logs are not enabled monitoring of service use and threat analysis is not possible.",
"Description": "**Elastic Load Balancers** have **access logs** configured to deliver request metadata (client IPs, paths, status, TLS details) to **Amazon S3**",
"Risk": "Without **ELB access logs**, you lose **visibility** into edge traffic, reducing detection of reconnaissance, brute-force, and exploitation attempts. This hampers forensics and incident timelines, risking undetected data exfiltration (confidentiality), untraceable changes (integrity), and delayed response to outages or DDoS (availability).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticloadbalancing/latest/network/enable-access-logs.html",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ElasticBeanstalk/enable-access-logs.html",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html"
],
"Remediation": {
"Code": {
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <lb_name> --load-balancer-attributes '{AccessLog:{Enabled:true,EmitInterval:60,S3BucketName:<bucket_name>}}'",
"NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_23#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-access-log.html",
"Terraform": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_23#terraform"
"CLI": "aws elb modify-load-balancer-attributes --load-balancer-name <lb_name> --load-balancer-attributes AccessLog={Enabled=true,S3BucketName=<bucket_name>}",
"NativeIaC": "```yaml\n# CloudFormation: Enable access logs for a Classic Load Balancer (CLB)\nResources:\n <example_resource_name>:\n Type: AWS::ElasticLoadBalancing::LoadBalancer\n Properties:\n Listeners:\n - LoadBalancerPort: 80\n InstancePort: 80\n Protocol: HTTP\n AvailabilityZones:\n - <example_resource_id>\n AccessLoggingPolicy: # CRITICAL: Enables S3 access logs\n Enabled: true # CRITICAL: Turn on access logging\n S3BucketName: <example_resource_name> # CRITICAL: S3 bucket to store logs\n```",
"Other": "1. In the AWS Console, go to EC2 > Load Balancers\n2. Select the load balancer and choose Edit attributes (or the Attributes tab)\n3. Turn on Access logs\n4. Enter the S3 URI (e.g., s3://<bucket_name>)\n5. Click Save",
"Terraform": "```hcl\n# Enable access logs for an ELBv2 load balancer (minimal)\nresource \"aws_lb\" \"<example_resource_name>\" {\n load_balancer_type = \"network\"\n subnets = [\"<example_resource_id>\", \"<example_resource_id>\"]\n\n access_logs { # CRITICAL: Enables S3 access logs\n bucket = \"<example_resource_name>\" # CRITICAL: S3 bucket for logs\n enabled = true # CRITICAL: Turn on access logging\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable ELB logging, create a log lifecycle and define use cases.",
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html"
"Text": "Enable **access logs** to Amazon S3 (`access_logs.s3.enabled=true`). Apply **least privilege** bucket policies, encrypt objects, and restrict read access. Define lifecycle retention and centralize analysis. Monitor for delivery failures and alert on anomalies. Standardize across all load balancers via IaC as part of **defense in depth**.",
"Url": "https://hub.prowler.com/check/elb_logging_enabled"
}
},
"Categories": [
"forensics-ready",
"logging"
],
"DependsOn": [],
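Review bot: The `Terraform` snippet provisions an ELBv2 `aws_lb` of type `network` while `NativeIaC` in the same file uses the Classic `AWS::ElasticLoadBalancing::LoadBalancer` and the check's `ResourceType` is `AwsElbLoadBalancer`; for consistency the Terraform example should be `resource "aws_elb"` with its `access_logs { bucket = "<example_resource_name>"  enabled = true }` block, and the Recommendation's `access_logs.s3.enabled=true` (an ELBv2 attribute key) should be reworded for Classic. The CloudFormation `AvailabilityZones: - <example_resource_id>` placeholder should be `<example_az>` as in the other files. None of the three snippets mention that the target bucket needs a policy granting the Elastic Load Balancing service write access, without which logging is "enabled" but nothing is delivered; a one-line note in `Other` after step 4 would close that gap. The `RelatedTo` and `Notes` lines lie outside the hunk.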


@@ -1,28 +1,36 @@
{
"Provider": "aws",
"CheckID": "elb_ssl_listeners",
"CheckTitle": "Check if Elastic Load Balancers have SSL listeners.",
"CheckTitle": "Elastic Load Balancer has only HTTPS or SSL listeners",
"CheckType": [
"Data Protection"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
"Effects/Data Exposure"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "Check if Elastic Load Balancers have SSL listeners.",
"Risk": "Clear text communication could affect privacy of information in transit.",
"Description": "**Elastic Load Balancers** are assessed for client-facing listener protocols. Only `HTTPS` or `SSL` are considered encrypted; any `HTTP` or `TCP` listener indicates plaintext between clients and the load balancer.",
"Risk": "Plaintext listeners enable network eavesdropping and content injection, compromising **confidentiality** and **integrity**. Attackers on public or untrusted paths can harvest credentials and session tokens or alter traffic via MITM, leading to data exposure and unauthorized access.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-listener-security.html",
"https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html"
],
"Remediation": {
"Code": {
"CLI": "aws elb create-load-balancer-listeners --load-balancer-name <lb_name> --listeners Protocol=HTTPS, LoadBalancerPort=443, InstanceProtocol=HTTP, InstancePort=80, SSLCertificateId=<certificate_arn>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELB/elb-listener-security.html",
"Terraform": ""
"CLI": "aws elb delete-load-balancer-listeners --load-balancer-name <lb_name> --load-balancer-ports 80",
"NativeIaC": "```yaml\n# CloudFormation: Classic ELB with only encrypted (HTTPS) listener\nResources:\n <example_resource_name>:\n Type: AWS::ElasticLoadBalancing::LoadBalancer\n Properties:\n AvailabilityZones:\n - <example_az>\n Listeners:\n - Protocol: HTTPS # CRITICAL: enforce encrypted listener\n LoadBalancerPort: 443\n InstanceProtocol: HTTP\n InstancePort: 80\n SSLCertificateId: <certificate_arn> # CRITICAL: required for HTTPS termination\n```",
"Other": "1. In the AWS console, go to EC2 > Load Balancers (Classic)\n2. Select the load balancer and open the Listeners tab\n3. Click Edit and remove any listener with Protocol HTTP or TCP\n4. Add a listener with Protocol HTTPS (port 443) and select an SSL certificate\n5. Save changes",
"Terraform": "```hcl\n# Classic ELB with only encrypted (HTTPS) listener\nresource \"aws_elb\" \"<example_resource_name>\" {\n availability_zones = [\"<example_az>\"]\n\n listener {\n lb_port = 443\n lb_protocol = \"https\" # CRITICAL: enforce encrypted listener\n instance_port = 80\n instance_protocol = \"http\"\n ssl_certificate_id = \"<certificate_arn>\" # CRITICAL: required for HTTPS/SSL\n }\n}\n```"
},
"Recommendation": {
"Text": "Scan for Load Balancers with HTTP or TCP listeners and understand the reason for each of them. Check if the listener can be implemented as TLS instead..",
"Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html"
"Text": "Enforce **encryption in transit** by using only `HTTPS`/`TLS` listeners. Redirect `HTTP` to `HTTPS` and retire plaintext listeners. Use trusted certificates (e.g., ACM) and modern TLS policies; align with **zero trust** and **defense in depth**. *If needed*, use end-to-end TLS to targets and monitor certificate health.",
"Url": "https://hub.prowler.com/check/elb_ssl_listeners"
}
},
"Categories": [
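Review bot: The new `"CLI"` remediation only deletes the port-80 listener and never creates an HTTPS one, so a Classic Load Balancer whose sole listener is HTTP is left with no listener at all, and a plaintext HTTP/TCP listener on any other port (which the Description also counts as plaintext) is untouched; the create step from the previous command should stay. Suggest `aws elb create-load-balancer-listeners --load-balancer-name <lb_name> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<certificate_arn> && aws elb delete-load-balancer-listeners --load-balancer-name <lb_name> --load-balancer-ports <plaintext_port>`. The Recommendation text also tells readers to "Redirect `HTTP` to `HTTPS`", but a redirect needs an HTTP listener that this very check fails on, and as far as I know Classic Load Balancers have no listener-level redirect action (that is an ALB feature), so that sentence should point at a backend redirect or migration to ALB, or be dropped. Minor: the Recommendation says `HTTPS`/`TLS` while the Description and the `aws elb` API use `HTTPS`/`SSL`; keep one vocabulary so readers do not look for a TLS protocol value that the CLB listener does not accept.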


@@ -1,28 +1,33 @@
{
"Provider": "aws",
"CheckID": "elb_ssl_listeners_use_acm_certificate",
"CheckTitle": "Check if Classic Load Balancers with SSL/HTTPS listeners use a certificate provided by AWS Certificate Manager (ACM).",
"CheckTitle": "Classic Load Balancer HTTPS/SSL listeners use ACM-issued certificates",
"CheckType": [
"Software and Configuration Checks/Vulnerabilities/NIST 800-53 Controls (USA)"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "elb",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:elasticloadbalancing:{region}:{account-id}:loadbalancer/{loadbalancer-name}",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElbLoadBalancer",
"Description": "This control checks whether the Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager (ACM). The control fails if the Classic Load Balancer does not use a certificate provided by ACM.",
"Risk": "If Classic Load Balancers are not using ACM certificates, it increases the risk of using self-signed or expired certificates, which can impact secure communication and lead to compliance issues.",
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html",
"Description": "Classic Load Balancer HTTPS/SSL listeners use **AWS Certificate Manager** certificates that are **Amazon-issued** (certificate type `AMAZON_ISSUED`).",
"Risk": "Using imported or non Amazon-issued certificates reduces control over issuance and rotation, increasing chances of **expired or weak TLS**. This can trigger **service outages** and enable **man-in-the-middle** interception, compromising data **confidentiality** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-2",
"https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html"
],
"Remediation": {
"Code": {
"CLI": "aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name <load-balancer-name> --load-balancer-port <port> --ssl-certificate-id <certificate-id>",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-2",
"Terraform": ""
"CLI": "aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name <load-balancer-name> --load-balancer-port <port> --ssl-certificate-id <acm_certificate_arn>",
"NativeIaC": "```yaml\n# CloudFormation: Attach an Amazon-issued ACM cert to a CLB HTTPS/SSL listener\nResources:\n <example_resource_name>:\n Type: AWS::ElasticLoadBalancing::LoadBalancer\n Properties:\n AvailabilityZones:\n - <example_az>\n Listeners:\n - LoadBalancerPort: 443\n InstancePort: 443\n Protocol: HTTPS\n SSLCertificateId: <acm_certificate_arn> # critical: use Amazon-issued ACM certificate to pass ELB.2\n```",
"Other": "1. In the AWS Console, go to EC2 > Load Balancing > Load Balancers (Classic)\n2. Select the Classic Load Balancer\n3. Open the Listeners tab and choose the HTTPS/SSL listener\n4. Click Edit (or Change SSL certificate)\n5. Select an ACM certificate that is Amazon-issued (not imported)\n6. Save changes",
"Terraform": "```hcl\n# Terraform: Attach an Amazon-issued ACM cert to a CLB HTTPS/SSL listener\nresource \"aws_elb\" \"<example_resource_name>\" {\n availability_zones = [\"<example_az>\"]\n\n listener {\n lb_port = 443\n lb_protocol = \"https\"\n instance_port = 443\n instance_protocol = \"https\"\n ssl_certificate_id = \"<acm_certificate_arn>\" # critical: Amazon-issued ACM cert to satisfy ELB.2\n }\n}\n```"
},
"Recommendation": {
"Text": "Use AWS Certificate Manager (ACM) to manage SSL/TLS certificates for your Classic Load Balancer to ensure secure encryption of data in transit.",
"Url": "https://repost.aws/es/knowledge-center/associate-acm-certificate-alb-nlb"
"Text": "Standardize on **Amazon-issued ACM certificates** for CLB HTTPS/SSL listeners to ensure managed validation and **automatic renewal**.\n\nApply **least privilege** to certificate operations, automate rotation, and monitor certificate health as part of **defense in depth**.",
"Url": "https://hub.prowler.com/check/elb_ssl_listeners_use_acm_certificate"
}
},
"Categories": [
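Review bot: The Description pins the pass condition to certificate type `AMAZON_ISSUED`, which is stricter than both the title ("ACM-issued") and the Security Hub ELB.2 / Config `elb-acm-certificate-required` references in `AdditionalURLs`, which describe certificates provided by ACM; a certificate imported into ACM, or one issued by AWS Private CA (ACM type `PRIVATE`), would then fail this check while satisfying the referenced controls. Please confirm which condition the check code actually applies and state it explicitly, e.g. `Classic Load Balancer HTTPS/SSL listeners use **AWS Certificate Manager** certificates of type AMAZON_ISSUED; imported ACM certificates and AWS Private CA certificates do not satisfy this check.`, or drop the `AMAZON_ISSUED` qualifier here and the "(not imported)" step in `"Other"` if any ACM ARN passes. The Risk text's claim that a non-Amazon-issued certificate "enable[s] man-in-the-middle interception" overstates it; an imported certificate from a trusted CA is not weaker in transit, the real exposure is unmanaged expiry/rotation, so `...increasing the chance of **expired or mis-issued certificates** and resulting outages or trust errors` would be more accurate.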