private checkELB()

in src/packs/nist-800-53-r4.ts [423:488]


  /**
   * Applies the NIST 800-53 R4 Elastic Load Balancing rule set to a single
   * resource by handing each rule to `applyRule`.
   *
   * Every finding in this group is reported at `NagMessageLevel.ERROR`; the
   * control identifiers a finding maps to are carried in its `info` text.
   * Rules run in a fixed order: ALB invalid-header dropping, HTTP-to-HTTPS
   * redirection, WAFv2 association, ACM-managed certificate, cross-zone
   * balancing, deletion protection, access logging, and TLS/HTTPS-only
   * listeners.
   *
   * @param node - the CloudFormation resource being evaluated
   */
  private checkELB(node: CfnResource): void {
    // One entry per rule; the shared level and node are filled in below.
    const elbRules = [
      {
        rule: ALBHttpDropInvalidHeaderEnabled,
        info: 'The ALB does not have invalid HTTP header dropping enabled - (Control ID: AC-17(2)).',
        explanation:
          'Ensure that your Application Load Balancers (ALB) are configured to drop http headers. Because sensitive data can exist, enable encryption in transit to help protect that data.',
      },
      {
        rule: ALBHttpToHttpsRedirection,
        info: "The ALB's HTTP listeners are not configured to redirect to HTTPS - (Control IDs: AC-17(2), SC-7, SC-8, SC-8(1), SC-13, SC-23).",
        explanation:
          'To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.',
      },
      {
        rule: ALBWAFEnabled,
        info: 'The ALB is not associated with AWS WAFv2 web ACL - (Control IDs: SC-7, SI-4(a)(b)(c)).',
        explanation:
          'A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment.',
      },
      {
        rule: ELBACMCertificateRequired,
        info: 'The CLB does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control IDs: AC-17(2), SC-7, SC-8, SC-8(1), SC-13).',
        explanation:
          'Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.',
      },
      {
        rule: ELBCrossZoneLoadBalancingEnabled,
        info: 'The CLB does not balance traffic between at least 2 Availability Zones - (Control IDs: SC-5, CP-10).',
        explanation:
          'The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone.',
      },
      {
        rule: ELBDeletionProtectionEnabled,
        info: 'The ALB, NLB, or GLB does not have deletion protection enabled - (Control IDs: CM-2, CP-10).',
        explanation:
          'Use this feature to prevent your load balancer from being accidentally or maliciously deleted, which can lead to loss of availability for your applications.',
      },
      {
        rule: ELBLoggingEnabled,
        info: 'The ELB does not have logging enabled - (Control ID: AU-2(a)(d)).',
        explanation:
          "Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.",
      },
      {
        rule: ELBTlsHttpsListenersOnly,
        info: 'The CLB does not restrict its listeners to only the SSL and HTTPS protocols - (Control IDs: AC-17(2), SC-7, SC-8, SC-8(1), SC-23).',
        explanation:
          'Because sensitive data can exist, enable encryption in transit to help protect that data.',
      },
    ];

    for (const { rule, info, explanation } of elbRules) {
      this.applyRule({
        info,
        explanation,
        level: NagMessageLevel.ERROR,
        rule,
        node,
      });
    }
  }