Best practice rules for Elastic Load Balancing V2
Trend Micro Cloud One™ – Conformity monitors Elastic Load Balancing V2 with the following rules:
- Configure HTTP Desync Mitigation Mode for Application Load Balancers
Ensure that an appropriate Desync Mitigation mode is configured for your Application Load Balancers.
- Configure Multiple Availability Zones for Gateway Load Balancers
Ensure that Amazon Gateway Load Balancers are using Multi-AZ configurations.
- Drop Invalid Header Fields for Application Load Balancers
Ensure that the Drop Invalid Header Fields feature is enabled for your Application Load Balancers so that non-standard headers are removed.
- ELBv2 ALB Listener Security
Ensure ELBv2 ALBs are using a secure protocol.
- ELBv2 ALB Security Group
Ensure ELBv2 load balancers have secure and valid security groups.
- ELBv2 ALB Security Policy
Ensure that Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
- ELBv2 Access Log
Ensure that Amazon ALBs have the Access Logging feature enabled for security, troubleshooting, and statistical analysis purposes.
- ELBv2 Elastic Load Balancing Deletion Protection
Ensure that ELBv2 Load Balancers have the Deletion Protection feature enabled in order to protect them from being accidentally deleted.
- ELBv2 Minimum Number of EC2 Target Instances
Ensure that there are at least two healthy target instances associated with each AWS ELBv2 load balancer.
- ELBv2 NLB Listener Security
Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS.
- Enable Amazon WAF Integration for Application Load Balancers
Use Amazon WAF to protect Application Load Balancers from common web exploits.
- Enable Cross-Zone Load Balancing
Ensure fault tolerance for your Amazon Gateway Load Balancers by enabling Cross-Zone Load Balancing.
- Enable Deletion Protection
Ensure that Deletion Protection is enabled for Amazon Gateway Load Balancers.
- Enable HTTP to HTTPS Redirect for Application Load Balancers
Ensure that your Application Load Balancers have a rule that redirects HTTP traffic to HTTPS.
- Enable Least Outstanding Requests Algorithm
Ensure that the Least Outstanding Requests (LOR) algorithm is enabled for your AWS Application Load Balancers (ALBs).
- Enable Support for HTTP/2
Ensure that HTTP/2 support is enabled for Amazon Application Load Balancers (ALBs).
- Enable Support for gRPC Protocol
Ensure that support for the gRPC protocol is enabled for Application Load Balancers (ALBs).
- Enable TLS ALPN Policy for Network Load Balancers
Ensure that your AWS Network Load Balancers are using TLS ALPN policies.
- Internet Facing ELBv2 Load Balancers
Ensure Amazon internet-facing ELBv2 Load Balancers are regularly reviewed for security purposes.
- Network Load Balancer Security Policy
Ensure Amazon Network Load Balancers (NLBs) are using the latest recommended predefined security policy for TLS negotiation configuration.
- Unused ELBv2 Load Balancers
Identify unused ELBv2 Elastic Load Balancers and delete them to help lower the cost of your monthly AWS bill.