Ensure that all Application Load Balancers (ALBs) available in your AWS account are associated with valid and secure security groups whose inbound rules allow traffic only on the ports defined in each load balancer's listener configuration. ICMP rules are not evaluated by this rule.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Well-configured security groups attached to your ELBv2 load balancers substantially reduce the risk of unauthorized access and data loss: a rule that admits traffic on a port the load balancer does not listen on serves no purpose and only widens the attack surface. The security groups must also be valid. When an Application Load Balancer is created without an explicit security group, it is associated with the VPC's default security group, which this rule treats as invalid because it is shared by every resource in the VPC that was launched without a group of its own, and its default rules allow all traffic between members of the group and all outbound traffic.
Audit
Case A: To determine if your ELBv2 load balancers are using insecure or invalid security groups, perform the following actions:
Remediation / Resolution
To replace any invalid/insecure security group associated with your Amazon ELBv2 load balancers, perform the following:
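The audit and remediation steps themselves are not reproduced on this page, so the script below is an added example, not Conformity's own tooling, that implements the check described in the rule and the remediation the listed CLI commands imply. It works on the JSON shapes returned by `aws elbv2 describe-listeners` and `aws ec2 describe-security-groups`: every inbound rule on a security group attached to the ALB must permit only a port the load balancer listens on, ICMP rules are skipped, and the VPC default group is always reported. The `remediate` helper uses boto3 (imported lazily so the audit runs without it), needs AWS credentials, and names the new group after the load balancer; the listeners, group IDs and CIDRs in the sample data are constructed for the example.

```python
"""Audit and remediate ALB security groups against listener ports (added example)."""
from __future__ import annotations


def listener_ports(listeners: dict) -> set[int]:
    """Ports the load balancer actually listens on (describe-listeners output)."""
    return {lst["Port"] for lst in listeners.get("Listeners", [])}


def check_rule(perm: dict, ports: set[int]) -> str | None:
    """Return a reason if one inbound rule admits traffic to a non-listener port."""
    proto = perm.get("IpProtocol")
    if proto in ("icmp", "icmpv6"):        # the rule explicitly excludes ICMP
        return None
    if proto == "-1":                      # "All traffic": every protocol and port
        return "allows all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto != "tcp":                     # ALB listeners are HTTP/HTTPS over TCP
        return f"allows {proto} {lo}-{hi}, which no listener uses"
    extra = sorted(set(range(lo, hi + 1)) - ports)   # ports in the range no listener uses
    if extra:
        return f"allows tcp {lo}-{hi}, which includes non-listener port {extra[0]}"
    return None


def audit_alb_security_groups(sg_ids, listeners: dict, sgs: dict) -> list[tuple[str, str]]:
    """Findings as (group id, reason) for the groups attached to one ALB."""
    ports = listener_ports(listeners)
    by_id = {g["GroupId"]: g for g in sgs.get("SecurityGroups", [])}
    findings = []
    for sg_id in sg_ids:
        sg = by_id.get(sg_id)
        if sg is None:
            findings.append((sg_id, "not returned by describe-security-groups"))
            continue
        if sg.get("GroupName") == "default":   # VPC default group: invalid per the rule
            findings.append((sg_id, "VPC default security group"))
        for perm in sg.get("IpPermissions", []):
            reason = check_rule(perm, ports)
            if reason:
                findings.append((sg_id, reason))
    return findings


def ingress_permissions(ports, cidrs=("0.0.0.0/0",), cidrs6=("::/0",)) -> list[dict]:
    """IpPermissions payload for authorize-security-group-ingress: one TCP rule per listener port."""
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": c} for c in cidrs],
         "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs6]}
        for p in sorted(ports)
    ]


def remediate(alb_arn: str, description: str = "ALB listener ports only") -> str:
    """Create a group that allows only the listener ports and swap it onto the ALB (needs credentials)."""
    import boto3                                # imported here so the audit runs without boto3
    elbv2, ec2 = boto3.client("elbv2"), boto3.client("ec2")
    lb = elbv2.describe_load_balancers(LoadBalancerArns=[alb_arn])["LoadBalancers"][0]
    ports = listener_ports(elbv2.describe_listeners(LoadBalancerArn=alb_arn))
    new_sg = ec2.create_security_group(GroupName=f"{lb['LoadBalancerName']}-listeners",
                                       Description=description, VpcId=lb["VpcId"])["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=new_sg, IpPermissions=ingress_permissions(ports))
    # set-security-groups replaces the whole list, so the old (insecure) groups drop off the ALB
    elbv2.set_security_groups(LoadBalancerArn=alb_arn, SecurityGroups=[new_sg])
    return new_sg


# Constructed sample: an ALB listening on 80 and 443, attached to a custom group and the VPC default group.
SAMPLE_LISTENERS = {"Listeners": [{"Port": 80, "Protocol": "HTTP"}, {"Port": 443, "Protocol": "HTTPS"}]}
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ]},
]}

if __name__ == "__main__":
    attached = ["sg-0123456789abcdef0", "sg-0fedcba9876543210"]
    for sg_id, reason in audit_alb_security_groups(attached, SAMPLE_LISTENERS, SAMPLE_SGS):
        print(f"{sg_id}: {reason}")
```

Two caveats before running `remediate` against a real load balancer: the new group keeps the default allow-all egress rule, which the ALB needs to reach its targets, and `set-security-groups` replaces the attached list outright, so any target security group that admits traffic from the old group by ID must be updated to reference the new one or the targets will stop receiving health checks and requests.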
References
- AWS Documentation
  - Elastic Load Balancing FAQs
  - Application Load Balancers
  - Security groups for your Application Load Balancer
- AWS Command Line Interface (CLI) Documentation
  - elbv2
    - describe-load-balancers
    - describe-listeners
    - set-security-groups
  - ec2
    - create-security-group
    - describe-security-groups
    - authorize-security-group-ingress
    - authorize-security-group-egress

Rule: ELBv2 ALB Security Group
Risk level: High