Profile Applicability:

  • Level 1

Description:

Elastic Load Balancing (ELB) provides a highly available and scalable load balancing service for distributing incoming application traffic across multiple targets like EC2 instances, containers, and IP addresses. Deletion Protection prevents accidental deletion of an ELB by enabling a setting that requires an additional step (disabling deletion protection) before the ELB can be deleted. This SOP ensures that Deletion Protection is enabled for Elastic Load Balancers (ALBs, NLBs, CLBs) to avoid accidental loss of critical resources.

Rationale:

  • Accidental Deletion Protection: Enabling deletion protection ensures that ELBs are not accidentally removed, which could result in application downtime or traffic disruption.

  • Operational Stability: Protecting load balancers from accidental deletion helps maintain application availability and uptime.

  • Compliance: For organizations with strict availability and operational continuity requirements, deletion protection ensures critical resources are protected.

Impact:

Pros:

  • Enhanced Resource Protection: Helps prevent the accidental deletion of important infrastructure, ensuring business continuity.

  • Operational Control: Provides an extra layer of control to avoid unintended disruptions to services.

  • Security: Reduces the risk of malicious or unauthorized actions leading to the deletion of critical services.

Cons:

  • Management Overhead: While deletion protection prevents accidental deletion, it can add complexity when managing resources, especially when intentional deletions are needed.

  • Inconvenience During Maintenance: If you need to delete a load balancer for maintenance or reconfiguration, you must first disable deletion protection.

Default Value:

By default, Elastic Load Balancers (ALBs, NLBs, and CLBs) do not have deletion protection enabled, and deletion is allowed unless explicitly configured.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • elasticloadbalancing:DescribeLoadBalancerAttributes (deletion protection is a load balancer attribute, so reading it needs this permission in addition to DescribeLoadBalancers)

    • elasticloadbalancing:ModifyLoadBalancerAttributes

  • AWS CLI installed and configured.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing under Services.

  3. In the Load Balancers section, select the Elastic Load Balancer (ALB, NLB, CLB) you want to check.

  4. Under the Description tab, look for the Deletion Protection setting:

    • If Deletion Protection is enabled, the setting will be displayed as True.

    • If Deletion Protection is not enabled, it will be displayed as False.

Using AWS CLI:

  1. To list the Application and Network Load Balancers in the account, run:

    aws elbv2 describe-load-balancers --query "LoadBalancers[?Type=='application' || Type=='network'].[LoadBalancerName,LoadBalancerArn]" --output text

    Deletion Protection is a load balancer attribute rather than a field of describe-load-balancers, so check it per load balancer with:

    aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --query "Attributes[?Key=='deletion_protection.enabled'].Value" --output text

  2. Review the output: true means Deletion Protection is enabled for the ELB, false means it is not.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Elastic Load Balancing.

  2. In the Load Balancers section, select the Elastic Load Balancer you want to configure.

  3. Under the Description tab, click on Edit for Deletion Protection.

  4. Enable Deletion Protection by setting it to Enabled.

  5. Save the changes to apply deletion protection.

Using AWS CLI:

  1. To enable Deletion Protection on the ALB or NLB, run:

    aws elbv2 modify-load-balancer-attributes \
      --load-balancer-arn <load-balancer-arn> \
      --attributes Key=deletion_protection.enabled,Value=true

  2. To verify that Deletion Protection is enabled, run (the attribute is not returned by describe-load-balancers):

    aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --query "Attributes[?Key=='deletion_protection.enabled'].Value" --output text
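
The Test Plan and Implementation CLI steps above check one load balancer at a time. The following Python script, added here as an example and not part of this SOP or of the AWS CLI, turns both steps into a single audit: it filters describe-load-balancers output down to ALBs and NLBs, reads deletion_protection.enabled from describe-load-balancer-attributes for each, and prints the exact modify-load-balancer-attributes command for every load balancer that is not protected. Run with no arguments it uses constructed sample data shaped like the CLI's JSON output (the account ID and ARNs are fictitious); the --live switch is an assumption of this script and shells out to the real aws CLI, which needs the permissions listed under Pre-requisite.

```python
"""Audit ELB deletion protection from AWS CLI output and emit remediation commands.

Added example (not part of the original SOP). Offline mode uses constructed
sample data; --live shells out to the real AWS CLI (credentials required).
"""
import json
import subprocess
import sys
from typing import Dict, List

ATTR_KEY = "deletion_protection.enabled"
AUDITED_TYPES = ("application", "network")  # ALB and NLB, as in the SOP's query


def run_aws(args: List[str]) -> dict:
    """Run an AWS CLI command and parse its JSON output (live mode only)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def is_protected(attributes: List[Dict[str, str]]) -> bool:
    """Evaluate the Attributes list returned by describe-load-balancer-attributes.

    A missing attribute is treated as unprotected, which matches the AWS default.
    """
    for attr in attributes:
        if attr.get("Key") == ATTR_KEY:
            return attr.get("Value", "").strip().lower() == "true"
    return False


def audit(load_balancers: List[dict],
          attributes_by_arn: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Map each ALB/NLB ARN to its name, type and deletion-protection state."""
    report = {}
    for lb in load_balancers:
        if lb.get("Type") not in AUDITED_TYPES:
            continue
        arn = lb["LoadBalancerArn"]
        report[arn] = {
            "name": lb["LoadBalancerName"],
            "type": lb["Type"],
            "protected": is_protected(attributes_by_arn.get(arn, [])),
        }
    return report


def remediation_commands(report: Dict[str, dict]) -> List[str]:
    """The SOP's enable command, one per unprotected load balancer."""
    return [
        f"aws elbv2 modify-load-balancer-attributes --load-balancer-arn {arn} "
        f"--attributes Key={ATTR_KEY},Value=true"
        for arn, entry in report.items() if not entry["protected"]
    ]


def audit_live() -> Dict[str, dict]:
    """Collect the same data from the account the AWS CLI is configured for."""
    lbs = run_aws(["elbv2", "describe-load-balancers"])["LoadBalancers"]
    attrs = {
        lb["LoadBalancerArn"]: run_aws(["elbv2", "describe-load-balancer-attributes",
                                        "--load-balancer-arn", lb["LoadBalancerArn"]])["Attributes"]
        for lb in lbs
    }
    return audit(lbs, attrs)


# Constructed sample data shaped like the CLI's JSON output (fictitious account and ARNs).
_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer"
SAMPLE_LBS = [
    {"LoadBalancerArn": f"{_PREFIX}/app/web-alb/0123456789abcdef",
     "LoadBalancerName": "web-alb", "Type": "application"},
    {"LoadBalancerArn": f"{_PREFIX}/net/api-nlb/fedcba9876543210",
     "LoadBalancerName": "api-nlb", "Type": "network"},
    {"LoadBalancerArn": f"{_PREFIX}/gwy/fw-gwlb/00112233aabbccdd",
     "LoadBalancerName": "fw-gwlb", "Type": "gateway"},  # out of scope for this SOP
]
SAMPLE_ATTRS = {
    SAMPLE_LBS[0]["LoadBalancerArn"]: [{"Key": ATTR_KEY, "Value": "true"},
                                       {"Key": "idle_timeout.timeout_seconds", "Value": "60"}],
    SAMPLE_LBS[1]["LoadBalancerArn"]: [{"Key": ATTR_KEY, "Value": "false"}],
}


if __name__ == "__main__":
    result = audit_live() if "--live" in sys.argv else audit(SAMPLE_LBS, SAMPLE_ATTRS)
    for arn, entry in result.items():
        state = "enabled" if entry["protected"] else "NOT enabled"
        print(f"{entry['type']:<11} {entry['name']:<20} deletion protection {state}")
    for cmd in remediation_commands(result):
        print("remediate:", cmd)
```

The script only prints the remediation commands rather than running them, so a reviewer can confirm each ARN before deletion protection is changed; treating an absent attribute as unprotected keeps the audit conservative if the CLI output is ever truncated.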

Backout Plan:

Using AWS Console:

  1. If enabling Deletion Protection causes issues or you no longer require it, sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing, select the Load Balancer, and go to the Description tab.

  3. Click Edit and uncheck the Deletion Protection option.

  4. Save the changes and verify that Deletion Protection has been disabled.

Using AWS CLI:

  1. To disable Deletion Protection, run:

    aws elbv2 modify-load-balancer-attributes --load-balancer-arn <LOAD_BALANCER_ARN> --attributes Key=deletion_protection.enabled,Value=false

  2. Verify that Deletion Protection is disabled (the value should now be false):

    aws elbv2 describe-load-balancer-attributes --load-balancer-arn <LOAD_BALANCER_ARN> --query "Attributes[?Key=='deletion_protection.enabled'].Value" --output text

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                               | IG1 | IG2 | IG3
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                              |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.   |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                          |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                   |     |     |