Profile Applicability:

  • Level 1

Description:

Classic Load Balancers (CLBs) in AWS provide a service for distributing incoming application or network traffic across multiple targets, such as EC2 instances, to ensure high availability. AWS Shield Advanced provides protection against Distributed Denial of Service (DDoS) attacks. This SOP ensures that Classic Load Balancers are protected by AWS Shield Advanced, securing them from potential attacks and ensuring high availability for your services.

Rationale:

  • Security: Classic Load Balancers can be vulnerable to DDoS attacks if not adequately protected. AWS Shield Advanced offers an additional layer of security to detect and mitigate DDoS attacks, ensuring your services remain available and protected.

  • Availability: DDoS attacks can disrupt services, causing delays or complete downtime. With Shield Advanced enabled, Classic Load Balancers can automatically mitigate such attacks, keeping your applications available to users.

  • Compliance: Various security standards and compliance frameworks (e.g., PCI-DSS, SOC 2) require the protection of public-facing resources like load balancers from DDoS attacks.

  • Best Practices: Enabling Shield Advanced is a best practice for securing Classic Load Balancers, especially for production systems or public-facing applications that are critical to business operations.

Impact:

Pros:

  • Enhanced Protection: AWS Shield Advanced offers enhanced DDoS protection for Classic Load Balancers, ensuring that traffic is routed securely even during large-scale attacks.

  • Improved Availability: Shield Advanced automatically mitigates DDoS attacks, keeping services available and reducing downtime or performance degradation.

  • Compliance: Helps meet compliance requirements related to DDoS protection for critical AWS resources.

Cons:

  • Cost: AWS Shield Advanced incurs additional costs compared to the basic AWS Shield service. Enabling it for Classic Load Balancers adds extra operational costs.

  • Configuration: Requires manual configuration to enable Shield Advanced protection for Classic Load Balancers, which may add complexity to the environment.

Default Value:

By default, Classic Load Balancers are not protected by AWS Shield Advanced. Protection must be explicitly enabled.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • shield:DescribeProtection

    • shield:CreateProtection

  • AWS CLI installed and configured.

  • AWS Shield Advanced subscription is active.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the Load Balancing section, select Load balancers.

  4. Choose the Classic Load Balancer to check.

  5. Under the Description tab, look for the DDoS Protection section to see if AWS Shield Advanced protection is enabled.

    • If AWS Shield Advanced protection is enabled, it will be listed.

    • If not, proceed to enable it as outlined in the Implementation Steps below.

Using AWS CLI:

  1. To list the Classic Load Balancers in the region and check whether each one has AWS Shield Advanced protection, run the following commands. A load balancer's security groups say nothing about Shield, so the protection status must be queried from the Shield API using the load balancer's ARN:

    aws elb describe-load-balancers --query 'LoadBalancerDescriptions[*].LoadBalancerName'

    aws shield describe-protection --resource-arn arn:aws:elasticloadbalancing:<region>:<account-id>:loadbalancer/<load-balancer-name>

  2. Review the output. If the load balancer is protected, the second command returns a Protection object containing the ProtectionId and ResourceArn; if it is not, the command fails with ResourceNotFoundException. If Shield Advanced protection is not enabled, proceed to enable it.
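As an added example (not part of this SOP), the CLI test plan above as a script: it lists the Classic Load Balancers in a region, builds each one's ARN, and asks the Shield API for a protection on that ARN, treating ResourceNotFoundException as "unprotected". The FakeElb/FakeShield classes, the load balancer names, the account ID and the protection ID are constructed stand-ins so the script runs offline; with real boto3 clients the same functions audit a live account.

```python
"""Audit Classic Load Balancers for AWS Shield Advanced protection (offline demo)."""

# CLB ARNs have no "app/" or "net/" segment (unlike ALB/NLB), and
# `elb describe-load-balancers` does not return the ARN, so it is built here.
CLB_ARN = "arn:aws:elasticloadbalancing:{region}:{account}:loadbalancer/{name}"

def clb_arn(region, account, name):
    return CLB_ARN.format(region=region, account=account, name=name)

def audit_clbs(elb, shield, region, account):
    """Return {clb_name: protection_id or None} for every CLB in the region.
    `elb`/`shield` may be boto3 clients (boto3.client("elb"),
    boto3.client("shield", region_name="us-east-1")) or the stand-ins below."""
    result = {}
    for lb in elb.describe_load_balancers()["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        try:
            resp = shield.describe_protection(ResourceArn=clb_arn(region, account, name))
            result[name] = resp["Protection"]["Id"]
        except Exception as exc:  # boto3 raises a ClientError subclass here
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "ResourceNotFoundException":  # Shield's "no protection" answer
                raise
            result[name] = None
    return result

def unprotected(audit):
    """Names of CLBs with no Shield Advanced protection."""
    return sorted(name for name, pid in audit.items() if pid is None)

# --- constructed stand-ins so the audit runs offline; not real AWS responses ---
class _FakeError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeElb:
    def describe_load_balancers(self):
        return {"LoadBalancerDescriptions": [{"LoadBalancerName": n} for n in ("web-clb", "api-clb")]}

class FakeShield:
    def describe_protection(self, ResourceArn):  # only web-clb is protected in this scenario
        if ResourceArn.endswith("loadbalancer/web-clb"):
            return {"Protection": {"Id": "prot-placeholder", "ResourceArn": ResourceArn}}
        raise _FakeError("ResourceNotFoundException")

if __name__ == "__main__":
    report = audit_clbs(FakeElb(), FakeShield(), "us-east-1", "123456789012")
    print("unprotected CLBs:", unprotected(report))  # ['api-clb']
```

Any CLB reported by `unprotected()` is the one the Implementation Steps apply to.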

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to EC2.

  2. In the Load Balancers section, select the Classic Load Balancer you want to protect.

  3. In the Description section, click on Edit under Security Settings or DDoS Protection.

  4. Enable AWS Shield Advanced by associating the Classic Load Balancer with an AWS WAF Web ACL linked to Shield Advanced protection.

  5. Save the changes to activate AWS Shield Advanced protection.

Using AWS CLI:

  1. To enable AWS Shield Advanced protection for the Classic Load Balancer, run the following command:

    aws shield create-protection --name <protection-name> --resource-arn <load-balancer-arn>

  2. To verify that AWS Shield Advanced protection is successfully enabled, run the following command, using the ProtectionId returned by the create-protection command in the previous step:

    aws shield describe-protection --protection-id <protection-id>

  3. Ensure that the Classic Load Balancer is protected by Shield Advanced.

Backout Plan:

Using AWS Console:

  1. If enabling Shield Advanced protection causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS Shield, select the Protection you want to disable, and click Delete Protection.

  3. Confirm the deletion and verify that the Classic Load Balancer is no longer protected by AWS Shield Advanced.

Using AWS CLI:

  1. To remove Shield Advanced protection from the Classic Load Balancer, run:

    aws shield delete-protection --protection-id <PROTECTION_ID>

  2. Verify that the Classic Load Balancer is no longer protected (the command should now fail with ResourceNotFoundException):

    aws shield describe-protection --protection-id <PROTECTION_ID>


References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                                | IG1 | IG2 | IG3
  --------|------------|------------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                               |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.    |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                           |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                    |     |     |