Profile Applicability:
Level 1
Description:
This control ensures that all Elastic Load Balancers (ELBs) — including Classic, Application (ALB), and Network (NLB) Load Balancers — are reviewed to identify which ones are internet-facing. Load balancers that are publicly accessible may unintentionally expose applications and services to the internet, increasing the attack surface. Identifying and restricting exposure to only necessary resources is a crucial step in securing AWS environments.
Rationale:
Internet-facing load balancers allow external traffic from the public internet to access backend resources. While necessary for public applications, this configuration should be limited to services that are intentionally public. Non-public (internal) services should be protected using internal load balancers, private subnets, and security group rules. Regularly auditing internet-facing ELBs helps prevent accidental exposure of sensitive systems and ensures compliance with the principle of least privilege in network access.
Impact:
- Positive Impact: Reduces the likelihood of unauthorized public access to internal resources. Supports network segmentation and the principle of least privilege. Enhances compliance with security frameworks (CIS, NIST, ISO 27001, SOC 2).
- Negative Impact: May require reconfiguration of applications currently using internet-facing load balancers for private communication.
Default Value:
By default, a load balancer can be created as either internet-facing or internal, based on the chosen configuration during setup. AWS does not automatically restrict public exposure.
Pre-Requisite:
- IAM permissions required:
elasticloadbalancing:DescribeLoadBalancers
ec2:DescribeSubnets
ec2:DescribeVpcs
Remediation
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 → Load Balancers.
Review the Scheme column for each load balancer:
internet-facing: Accessible from the public internet.
internal: Accessible only within the VPC.
Identify load balancers marked as internet-facing.
Verify that these are intended to be publicly accessible (e.g., web servers).
For any load balancer that should not be publicly accessible, proceed with remediation.
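The same review can be scripted against the describe output of the AWS CLI instead of the console. The block below is an added example, not part of this benchmark; it assumes the JSON shapes returned by `aws elbv2 describe-load-balancers` (ALB/NLB) and `aws elb describe-load-balancers` (Classic), and the sample documents in it are constructed, not captured from a real account.

```python
"""Flag every Classic, Application and Network Load Balancer with Scheme internet-facing."""
import json
from typing import Dict, List

# Constructed sample in the shape of `aws elbv2 describe-load-balancers` (ALB/NLB).
ELBV2_JSON = json.dumps({"LoadBalancers": [
    {"LoadBalancerName": "web-alb", "Type": "application", "Scheme": "internet-facing",
     "DNSName": "web-alb-000.us-east-1.elb.amazonaws.com", "VpcId": "vpc-0example"},
    {"LoadBalancerName": "api-nlb", "Type": "network", "Scheme": "internal",
     "DNSName": "api-nlb-000.elb.us-east-1.amazonaws.com", "VpcId": "vpc-0example"},
]})

# Constructed sample in the shape of `aws elb describe-load-balancers` (Classic).
ELB_CLASSIC_JSON = json.dumps({"LoadBalancerDescriptions": [
    {"LoadBalancerName": "legacy-clb", "Scheme": "internet-facing",
     "DNSName": "legacy-clb-000.us-east-1.elb.amazonaws.com", "VPCId": "vpc-0example"},
]})


def internet_facing(elbv2_json: str, classic_json: str) -> List[Dict[str, str]]:
    """Return the load balancers whose Scheme is internet-facing, across all three kinds.

    ALB and NLB come from the elbv2 API; Classic comes from the elb API, which
    uses a different top-level key and spells the VPC field as VPCId.
    """
    findings: List[Dict[str, str]] = []
    for lb in json.loads(elbv2_json).get("LoadBalancers", []):
        if lb.get("Scheme") == "internet-facing":
            findings.append({"name": lb["LoadBalancerName"], "type": lb["Type"],
                             "dns": lb["DNSName"], "vpc": lb.get("VpcId", "")})
    for lb in json.loads(classic_json).get("LoadBalancerDescriptions", []):
        if lb.get("Scheme") == "internet-facing":
            findings.append({"name": lb["LoadBalancerName"], "type": "classic",
                             "dns": lb["DNSName"], "vpc": lb.get("VPCId", "")})
    return findings


if __name__ == "__main__":
    # Each finding must be confirmed as intentionally public; anything else goes to remediation.
    for f in internet_facing(ELBV2_JSON, ELB_CLASSIC_JSON):
        print(f"REVIEW {f['type']:<11} {f['name']:<12} {f['dns']} ({f['vpc']})")
```

Against a live account, pipe the two CLI outputs into the function in place of the sample strings; the permissions listed under Pre-Requisite are sufficient for both calls.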
Implementation Plan
Using AWS Console:
Navigate to EC2 → Load Balancers.
Select the load balancer that should not be public.
Note its DNS name and Scheme (internet-facing).
The scheme of an existing load balancer cannot be changed in place, so to make it internal you must recreate it:
Create a new internal load balancer.
Migrate target groups, listeners, and security group configurations.
Update DNS or routing configurations to point to the new internal load balancer.
Delete the old internet-facing load balancer.
Backout Plan
Using AWS Console:
If a newly created internal load balancer disrupts connectivity:
Revert DNS or routing to point to the previous internet-facing load balancer.
Verify application functionality.
Reassess network design before reattempting the migration.