- Knowledge Base
- Amazon Web Services
- Elastic Load Balancing V2
- ELBv2 Elastic Load Balancing Deletion Protection
Ensure that the Deletion Protection feature is enabled for all your Application and Network Load Balancers in order to protect them from being accidentally deleted.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Reliability With Deletion Protection safety feature enabled, you have the guarantee that your Application and Network Load Balancers can't be accidentally deleted and make sure that your load-balanced environment remains safe.
Audit
To determine if your Application and Network Load Balancers are protected against accidental deletion, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type, choose application, select Type again and choose network to list the Application and Network Load Balancers available in the current AWS region.
05 Select the Application/Network Load Balancer that you want to examine.
06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.
07 In the Attributes section, check the Deletion protection attribute value. If the Deletion protection attribute value is set to Disabled, the Deletion Protection safety feature is not enabled for the selected Application/Network Load Balancer.
08 Repeat steps no. 5 – 7 for each Application and Network Load Balancer deployed within the current AWS region.
09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Application and Network Load Balancers available in the selected AWS region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[?(Type == `application`) || (Type == `network`)].LoadBalancerArn'
02 The command output should return an array with the requested resource ARN(s):
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd", "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcd1234abcd1234" ]
03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application/Network Load Balancer that you want to examine as the identifier parameter and custom query filters, to describe the Deletion Protection feature status, available for the selected load balancer:
aws elbv2 describe-load-balancer-attributes --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd --query 'Attributes[?(Key == `deletion_protection.enabled`)].Value | []'
04 The command output should return the requested configuration status ("true"for enabled, "false" for disabled):
[ "false" ]
If the describe-load-balancer-attributes command output returns false, as shown in the output example above, the Deletion Protection safety feature is not enabled for the selected Application/Network Load Balancer.
05 Repeat steps no. 3 and 4 for each Application and Network Load Balancer deployed in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To enable the Deletion Protection feature for your Application and Network Load Balancers, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"ApplicationLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "cc-app-load-balancer",
"Type": "application",
"Scheme": "internet-facing",
"IpAddressType": "ipv4",
"Subnets": [
"subnet-01234abcd1234abcd",
"subnet-0abcd1234abcd1234"
],
"SecurityGroups": [
"sg-0abcd1234abcd1234",
"sg-01234abcd1234abcd"
],
"LoadBalancerAttributes": [
{
"Key": "deletion_protection.enabled",
"Value": "true"
}
]
}
}
}
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09' Resources: ApplicationLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: cc-app-load-balancer Type: application Scheme: internet-facing IpAddressType: ipv4 Subnets: - subnet-01234abcd1234abcd - subnet-0abcd1234abcd1234 SecurityGroups: - sg-0abcd1234abcd1234 - sg-01234abcd1234abcd LoadBalancerAttributes: - Key: deletion_protection.enabled Value: 'true'
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
required_version = ">= 0.14.9"
}
provider "aws" {
profile = "default"
region = "us-east-1"
}
resource "aws_lb" "application-load-balancer" {
name = "cc-app-load-balancer"
load_balancer_type = "application"
internal = false
ip_address_type = "ipv4"
subnets = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
security_groups = ["sg-0abcd1234abcd1234","sg-01234abcd1234abcd"]
enable_deletion_protection = true
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type, choose application, select Type again and choose network to list the Application and Network Load Balancers available in the current AWS region.
05 Select the Application/Network Load Balancer that you want to reconfigure.
06 Select the Description tab and click on the Edit attributes button available in the Attributes section.
07 In the Edit load balancer attributes configuration box, select Enable next to Deletion protection to enable the Deletion Protection safety feature for the selected Application/Network Load Balancer. Choose Save to apply the configuration changes.
08 Repeat steps no. 5 – 7 for each Application and Network Load Balancer that you want to reconfigure, available within the current AWS region.
09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application/Network Load Balancer that you want to reconfigure as the identifier parameter, to enable the Deletion Protection safety feature for the selected load balancer:
aws elbv2 modify-load-balancer-attributes --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd --attributes Key=deletion_protection.enabled,Value=true
02 The command output should return the configuration attributes available for the modified load balancer:
{
"Attributes": [
{
"Value": "true",
"Key": "deletion_protection.enabled"
},
{
"Value": "false",
"Key": "access_logs.s3.enabled"
},
{
"Value": "60",
"Key": "idle_timeout.timeout_seconds"
},
{
"Value": "",
"Key": "access_logs.s3.prefix"
},
{
"Value": "",
"Key": "access_logs.s3.bucket"
}
]
}
03 Repeat steps no. 1 and 2 for each Application and Network Load Balancer that you want to reconfigure, available in the selected AWS region.
04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- Elastic Load Balancing FAQs
- Elastic Load Balancing features
- Application Load Balancers
- AWS Command Line Interface (CLI) Documentation
- describe-load-balancers
- describe-load-balancer-attributes
- modify-load-balancer-attributes