in src/packs/pci-dss-321.ts [388:445]
private checkELB(node: CfnResource): void {
this.applyRule({
info: 'The ALB does not have invalid HTTP header dropping enabled - (Control IDs: 4.1, 8.2.1).',
explanation:
'Ensure that your Application Load Balancers (ALB) are configured to drop http headers. Because sensitive data can exist, enable encryption in transit to help protect that data.',
level: NagMessageLevel.ERROR,
rule: ALBHttpDropInvalidHeaderEnabled,
node: node,
});
this.applyRule({
info: "The ALB's HTTP listeners are not configured to redirect to HTTPS - (Control IDs: 2.3, 4.1, 8.2.1).",
explanation:
'To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. Because sensitive data can exist, enable encryption in transit to help protect that data.',
level: NagMessageLevel.ERROR,
rule: ALBHttpToHttpsRedirection,
node: node,
});
this.applyRule({
info: 'The ALB is not associated with AWS WAFv2 web ACL - (Control ID: 6.6).',
explanation:
'A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment.',
level: NagMessageLevel.ERROR,
rule: ALBWAFEnabled,
node: node,
});
this.applyRule({
info: 'The CLB does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control IDs: 4.1, 8.2.1).',
explanation:
'Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.',
level: NagMessageLevel.ERROR,
rule: ELBACMCertificateRequired,
node: node,
});
this.applyRule({
info: 'The ELB does not have logging enabled - (Control IDs: 10.1, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5.4).',
explanation:
"Elastic Load Balancing activity is a central point of communication within an environment. Ensure ELB logging is enabled. The collected data provides detailed information about requests sent to The ELB. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.",
level: NagMessageLevel.ERROR,
rule: ELBLoggingEnabled,
node: node,
});
this.applyRule({
info: 'The CLB does not restrict its listeners to only the SSL and HTTPS protocols - (Control IDs: 2.3, 4.1, 8.2.1).',
explanation:
'Ensure that your Classic Load Balancers (CLBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.',
level: NagMessageLevel.ERROR,
rule: ELBTlsHttpsListenersOnly,
node: node,
});
this.applyRule({
info: 'The ALB, NLB, or GLB listener does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control ID: 4.1).',
explanation:
'Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.',
level: NagMessageLevel.ERROR,
rule: ELBv2ACMCertificateRequired,
node: node,
});
}