AWS ElasticLoadBalancingV2

The best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities that the provider offers. If you are not using those native security capabilities, the same security requirement can be met with other security capabilities your organization already uses.

Secure Response Headers

AWS::ElasticLoadBalancingV2::Listener

Alpn Policy
Terraform

AWS::ElasticLoadBalancingV2::LoadBalancer

Drop_invalid_header_fields-Enabled
Terraform

Destination Authentication

Design Guidance:

AWS::ElasticLoadBalancingV2::Listener

Certificates-Certificate Arn
Terraform

AWS::ElasticLoadBalancingV2::ListenerCertificate

Certificates-Certificate Arn
Terraform
Listener Arn
Terraform

Input Validation

AWS::ElasticLoadBalancingV2::Listener

Authenticate Cognito Config-Authentication Request Extra Params
Terraform
Authenticate Oidc Config-Authentication Request Extra Params
Terraform

Session Authentication

AWS::ElasticLoadBalancingV2::Listener

Authenticate Cognito Config-On Unauthenticated Request
Terraform
Authenticate Cognito Config-Session Cookie Name
Terraform
Authenticate Oidc Config-On Unauthenticated Request
Terraform
Authenticate Oidc Config-Session Cookie Name
Terraform

AWS::ElasticLoadBalancingV2::ListenerRule

Authenticate Cognito Config-On Unauthenticated Request
Terraform
Authenticate Cognito Config-Session Cookie Name
Terraform
Authenticate Oidc Config-On Unauthenticated Request
Terraform
Authenticate Oidc Config-Session Cookie Name
Terraform

Session Limits

AWS::ElasticLoadBalancingV2::Listener

Authenticate Cognito Config-Session Timeout
Terraform
Authenticate Oidc Config-Session Timeout
Terraform

AWS::ElasticLoadBalancingV2::ListenerRule

Authenticate Cognito Config-Session Timeout
Terraform
Authenticate Oidc Config-Session Timeout
Terraform

Identification and Authentication

Design Guidance:

AWS::ElasticLoadBalancingV2::Listener

Authenticate Cognito Config-User Pool Arn
Terraform
Authenticate Cognito Config-User Pool Domain
Terraform
Authenticate Oidc Config-Authorization Endpoint
Terraform
Authenticate Oidc Config-Client Id
Terraform
Authenticate Oidc Config-Client Secret
Terraform
Authenticate Oidc Config-Issuer
Terraform
Authenticate Oidc Config-Token Endpoint
Terraform
Authenticate Oidc Config-User Info Endpoint
Terraform
Default Actions-Type
Terraform

AWS::ElasticLoadBalancingV2::ListenerRule

Authenticate Cognito Config-User Pool Arn
Terraform
Authenticate Cognito Config-User Pool Client Id
Terraform
Authenticate Cognito Config-User Pool Domain
Terraform
Authenticate Oidc Config-Authorization Endpoint
Terraform
Authenticate Oidc Config-Client Secret
Terraform
Authenticate Oidc Config-Issuer
Terraform
Authenticate Oidc Config-Token Endpoint
Terraform
Authenticate Oidc Config-User Info Endpoint
Terraform
Actions-Type
Terraform

Source Authentication

AWS::ElasticLoadBalancingV2::Listener

Authenticate Cognito Config-User Pool Client Id
Terraform

AWS::ElasticLoadBalancingV2::ListenerRule

Authenticate Oidc Config-Client Id
Terraform

Output Validation

AWS::ElasticLoadBalancingV2::Listener

Fixed Response Config-Content Type
Terraform
Fixed Response Config-Message Body
Terraform
Fixed Response Config-Status Code
Terraform

AWS::ElasticLoadBalancingV2::ListenerRule

Fixed Response Config-Content Type
Terraform
Fixed Response Config-Message Body
Terraform
Fixed Response Config-Status Code
Terraform

Load Balancing

Design Guidance:

AWS::ElasticLoadBalancingV2::Listener

Default Actions-Target Group Arn
Terraform
Load Balancer Arn
Terraform
Port
Terraform

AWS::ElasticLoadBalancingV2::ListenerRule

Actions-Target Group Arn
Terraform
Listener Arn
Terraform

AWS::ElasticLoadBalancingV2::TargetGroup

Port
Terraform
Algorithm-Type
Terraform
Target Type
Terraform
Targets-Port
Terraform

AWS::ElasticLoadBalancingV2::LoadBalancer

Type
Terraform

TLS

Design Guidance:

AWS::ElasticLoadBalancingV2::Listener

Protocol
Terraform
SSL Policy
Terraform

AWS::ElasticLoadBalancingV2::ListenerRule

Redirect Config-Protocol
Terraform

AWS::ElasticLoadBalancingV2::TargetGroup

Health Check Protocol
Terraform
Protocol
Terraform

Redirect To TLS

AWS::ElasticLoadBalancingV2::ListenerRule

Redirect Config-Port
Terraform

Design for High Availability

Design Guidance:

AWS::ElasticLoadBalancingV2::TargetGroup

Health Check Enabled
Terraform
Health Check Interval Seconds
Terraform
Health Check Path
Terraform
Health Check Port
Terraform
Health Check Timeout Seconds
Terraform
Healthy Threshold Count
Terraform
Matcher-HTTP Code
Terraform
Targets-Id
Terraform
Unhealthy Threshold Count
Terraform

AWS::ElasticLoadBalancingV2::LoadBalancer

Deletion_protection-Enabled
Terraform

Asset Inventory

Design Guidance:

AWS::ElasticLoadBalancingV2::TargetGroup

Name
Terraform
Tags
Terraform

AWS::ElasticLoadBalancingV2::LoadBalancer

Name
Terraform
Tags
Terraform

Configure Connection Draining

Design Guidance:

AWS::ElasticLoadBalancingV2::TargetGroup

Deregistration_delay-Timeout_seconds
Terraform

Session Binding

Design Guidance:

AWS::ElasticLoadBalancingV2::TargetGroup

Stickiness-Enabled
Terraform
Stickiness-Type
Terraform

Managed Inspection Points

AWS::ElasticLoadBalancingV2::TargetGroup

Proxy_protocol_v2-Enabled
Terraform

Subnet Isolation

Design Guidance:

AWS::ElasticLoadBalancingV2::TargetGroup

VPC Id
Terraform

AWS::ElasticLoadBalancingV2::LoadBalancer

Subnet Mappings
Terraform
Subnet Mappings-Allocation Id
Terraform
Subnet Mappings-Private Ipv4address
Terraform
Subnet Mappings-Subnet Id
Terraform

Logging

Design Guidance:

AWS::ElasticLoadBalancingV2::LoadBalancer

Key-Access_logs
Terraform
S3-Enabled
Terraform
S3-Bucket
Terraform
S3-Prefix
Terraform

Network Isolation and Segregation

Design Guidance:

AWS::ElasticLoadBalancingV2::LoadBalancer

Scheme
Terraform
Subnets
Terraform

Firewalls

Design Guidance:

AWS::ElasticLoadBalancingV2::LoadBalancer

Security Groups
Terraform