Best practice rules for Elastic Load Balancing
Elastic Load Balancing (ELB) automatically distributes incoming traffic across your EC2 instances. The service provides high availability and fault tolerance by spreading the incoming load evenly across your virtual machines.
Trend Micro Cloud One™ – Conformity monitors Elastic Load Balancing with the following rules:
- App-Tier ELB Listener Security
Ensure the app-tier ELB uses an HTTPS/SSL listener.
- App-Tier ELB Security Policy
Ensure the app-tier ELB has the latest SSL security policy configured.
- App-Tier ELBs Health Check
Ensure the app-tier Elastic Load Balancer has an application-layer health check configured.
- Classic Load Balancer
Ensure HTTP/HTTPS applications use an Application Load Balancer instead of a Classic Load Balancer, for cost and web-traffic distribution optimization.
- ELB Access Log
Ensure that your AWS Elastic Load Balancers use access logging so that you can analyze traffic patterns and identify and troubleshoot security issues.
- ELB Connection Draining Enabled
With the Connection Draining feature enabled, if an EC2 backend instance fails its health checks, the Elastic Load Balancer will not send any new requests to the unhealthy instance. However, it will still allow existing (in-flight) requests to complete for the duration of the configured timeout.
- ELB Cross-Zone Load Balancing Enabled
Ensure high availability for your ELBs by using Cross-Zone Load Balancing with multiple subnets in different AZs.
- ELB Insecure SSL Ciphers
Ensure your ELBs do not use insecure or deprecated SSL ciphers.
- ELB Insecure SSL Protocols
Ensure your ELBs do not use insecure SSL protocols.
- ELB Instances Distribution Across AZs
Ensure even distribution of backend instances registered to an ELB across Availability Zones.
- ELB Listener Security
Ensure that your AWS ELB listeners use a secure protocol (HTTPS or SSL).
- ELB Minimum Number Of EC2 Instances
Ensure there are at least two healthy backend instances associated with each ELB.
- ELB Security Group
Ensure there are valid security groups associated with your Elastic Load Balancer.
- ELB Security Policy
Ensure AWS ELBs are using the latest predefined security policies.
- Idle Elastic Load Balancer
Identify idle Elastic Load Balancers (ELBs) and terminate them in order to optimize AWS costs.
- Internet Facing ELBs
Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security purposes (informational).
- Unused Elastic Load Balancers
Identify and remove any unused Elastic Load Balancers for cost optimization.
- Web-Tier ELB Listener Security
Ensure the web-tier ELB uses an HTTPS/SSL listener.
- Web-Tier ELB Security Policy
Ensure the web-tier ELB has the latest SSL security policy configured.
- Web-Tier ELBs Health Check
Ensure the web-tier Elastic Load Balancer has an application-layer health check configured.