Best practice rules for Elastic Load Balancing
Elastic Load Balancing (ELB) automatically distributes incoming traffic across your EC2 instances. This service provides high availability and fault tolerance by spreading the incoming load evenly between your virtual machines.
- App-Tier ELB Listener Security
Ensure app-tier ELB listener uses a secure HTTPS or SSL protocol.
- App-Tier ELB Security Policy
Ensure app-tier ELBs use the latest predefined security policies.
- App-Tier ELBs Health Check
Ensure app-tier Elastic Load Balancers have an application-layer health check configured.
- Classic Load Balancer
Ensure HTTP/HTTPS applications are using Application Load Balancer instead of Classic Load Balancer for cost and web traffic distribution optimization.
- Configure HTTP Desync Mitigation Mode for Classic Load Balancers
Ensure that the suitable Desync Mitigation mode is configured for your Classic Load Balancers.
- ELB Access Log
Ensure ELB access logging is enabled for security, troubleshooting, and statistical analysis purposes.
- ELB Connection Draining Enabled
Ensure connection draining is enabled for all load balancers.
- ELB Cross-Zone Load Balancing Enabled
Ensure Cross-Zone Load Balancing is enabled for all load balancers. Also select at least two subnets in different availability zones to provide higher availability.
- ELB Insecure SSL Ciphers
Ensure ELBs don't use insecure SSL ciphers.
- ELB Insecure SSL Protocols
Ensure ELBs don't use insecure SSL protocols.
- ELB Instances Distribution Across AZs
Ensure even distribution of backend instances registered to an ELB across Availability Zones.
- ELB Listener Security
Ensure ELB listener uses a secure HTTPS or SSL protocol.
- ELB Minimum Number Of EC2 Instances
Ensure there is a minimum number of two healthy backend instances associated with each ELB.
- ELB Security Group
Check that your Elastic Load Balancer (ELB) has at least one valid security group attached that restricts access to only the ports defined in the load balancer's listener configuration.
- ELB Security Policy
Ensure ELBs use the latest predefined security policies.
- Idle Elastic Load Balancer
Identify idle Elastic Load Balancers (ELBs) and terminate them in order to optimize AWS costs.
- Internet Facing ELBs
Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security purposes.
- Unused Elastic Load Balancers
Identify unused Elastic Load Balancers, and delete them to help lower the cost of your monthly AWS bill.
- Web-Tier ELB Listener Security
Ensure web-tier ELB listener uses a secure HTTPS or SSL protocol.
- Web-Tier ELB Security Policy
Ensure web-tier ELBs use the latest predefined security policies.
- Web-Tier ELBs Health Check
Ensure web-tier Elastic Load Balancers have an application-layer health check configured.