Lack of protection against deletion - ELB - Aws

Need

Enable Deletion Protection for Elastic Load Balancing

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws_elb for managing and configuring Amazon Web Services Elastic Load Balancer

Description

Non-compliant code

    resource "aws_elb" "example" {
      name               = "example"
      availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]

      listener {
        instance_port     = 80
        instance_protocol = "http"
        lb_port           = 80
        lb_protocol       = "http"
      }
    }

The Terraform code above creates an Elastic Load Balancer (ELB) in AWS without deletion protection enabled. The ELB listens on port 80 and distributes incoming traffic among instances in the availability zones "us-west-2a", "us-west-2b", and "us-west-2c".

The weakness is the absence of the enable_deletion_protection attribute in the resource block: nothing stops the ELB from being deleted, whether accidentally or maliciously.

In practice, an unintentionally removed ELB means downtime and possibly data loss, which is especially serious in a production environment where high availability and data integrity are crucial.

To mitigate this, enable deletion protection for the ELB by adding the enable_deletion_protection attribute to the resource block and setting it to true. The ELB then cannot be deleted from the AWS Management Console, CLI, or API until deletion protection is explicitly disabled.

Steps

  • Identify the AWS Elastic Load Balancer (ELB) resource in your infrastructure code.
  • Check whether the 'enable_deletion_protection' attribute is present in the ELB resource block.
  • If the 'enable_deletion_protection' attribute is not present, add it to the ELB resource configuration.
  • Set the value of the 'enable_deletion_protection' attribute to 'true' to enable deletion protection.
  • Save and apply the updated infrastructure code to provision or update the ELB resource with deletion protection enabled.

Compliant code

    resource "aws_elb" "example" {
      name                       = "example"
      availability_zones         = ["us-west-2a", "us-west-2b", "us-west-2c"]
      enable_deletion_protection = true

      listener {
        instance_port     = 80
        instance_protocol = "http"
        lb_port           = 80
        lb_protocol       = "http"
      }
    }

The code above is the fixed version of the vulnerable configuration. The weakness was the lack of deletion protection in the Elastic Load Balancer (ELB) configuration.

In the fixed code, the enable_deletion_protection attribute has been added to the aws_elb resource and set to true, which enables deletion protection for this ELB.

With deletion protection enabled, the ELB cannot be deleted by any user, including the root user, until the protection is explicitly disabled. This prevents accidental deletion of the ELB, which could otherwise cause a service disruption.

To apply this fix, replace the existing aws_elb resource configuration in your Terraform code with the fixed code, then run terraform apply to update the ELB resource.

Remember to always enable deletion protection for your ELBs to ensure the stability and reliability of your services.
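As an added check that is not part of the original page, the following Python script implements the "identify and check" steps over Terraform source: it extracts each load balancer resource block and reports those that can be deleted without a safeguard. It assumes the argument name enable_deletion_protection, which the Terraform AWS provider exposes on aws_lb (Application and Network Load Balancers) but which the classic aws_elb resource does not have, so classic ELBs are reported as unprotectable; the sample Terraform input is constructed.

```python
import re

# Constructed sample Terraform (not from any real project): a classic ELB, an
# aws_lb with protection on, and an aws_lb with protection explicitly off.
SAMPLE_TF = '''
resource "aws_elb" "legacy" {
  name               = "legacy"
  availability_zones = ["us-west-2a"]
}

resource "aws_lb" "api" {
  name                       = "api"
  enable_deletion_protection = true
}

resource "aws_lb" "internal" {
  name                       = "internal"
  enable_deletion_protection = false
}
'''

LB_TYPES = {"aws_lb", "aws_alb", "aws_elb"}  # aws_alb is the provider's alias for aws_lb
_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
_SETTING = re.compile(r'^\s*enable_deletion_protection\s*=\s*(true|false)\s*$', re.M)

def resource_blocks(hcl):
    """Yield (type, name, body) per top-level resource; braces are matched so
    nested blocks such as listener { ... } stay inside the body."""
    for m in _HEADER.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]

def find_unprotected(hcl):
    """Return (address, reason) pairs for load balancers that can be deleted freely."""
    findings = []
    for rtype, name, body in resource_blocks(hcl):
        if rtype not in LB_TYPES:
            continue
        addr = f"{rtype}.{name}"
        if rtype == "aws_elb":
            # Classic Load Balancers carry no deletion-protection attribute at all.
            findings.append((addr, "classic ELB: no deletion protection available; use aws_lb"))
        elif (m := _SETTING.search(body)) is None:
            findings.append((addr, "enable_deletion_protection missing (provider default is false)"))
        elif m.group(1) == "false":
            findings.append((addr, "enable_deletion_protection explicitly false"))
    return findings
```

Calling find_unprotected(SAMPLE_TF) reports aws_elb.legacy and aws_lb.internal and leaves aws_lb.api untouched, so the same function can be run over a real .tf file's contents in a pre-commit or CI step.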
