Lack of protection against deletion - ELB

Need

Enable Deletion Protection for Elastic Load Balancing

Context

• Usage of Terraform for Infrastructure as Code (IaC)

• Usage of aws_elb for managing and configuring Amazon Web Services Elastic Load Balancer

Description

1. Non compliant code

resource "aws_elb" "example" {
  name               = "example"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]

  # No deletion protection anywhere in this resource (and aws_elb cannot express it)
  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
}

The above Terraform code creates a Classic Load Balancer through the `aws_elb` resource with no protection against deletion. The load balancer listens on port 80 and distributes incoming traffic among instances in the availability zones "us-west-2a", "us-west-2b" and "us-west-2c". The vulnerability lies in the absence of deletion protection: the load balancer can be deleted accidentally or maliciously without any safeguard, which in a real-world scenario could lead to downtime or data loss for every service behind it. This is particularly concerning in a production environment where high availability and data integrity are crucial. To mitigate this, enable deletion protection by setting the `enable_deletion_protection` argument to `true` on the load balancer resource. Terraform exposes this argument on the `aws_lb` resource (Application and Network Load Balancers); the Classic Load Balancer managed by `aws_elb` has no deletion protection feature at all, so in practice the fix also means moving the definition to `aws_lb`. Once enabled, the load balancer cannot be deleted from the AWS Management Console, CLI or API until the protection is explicitly removed.

2. Steps

• Identify the load balancer resource (`aws_lb`, or a legacy `aws_elb` that will be migrated to `aws_lb`) in your infrastructure code.

• Check whether the `enable_deletion_protection` argument is present among the top-level arguments of that resource.

• If the `enable_deletion_protection` argument is not present, add it to the load balancer resource configuration.

• Set the value of `enable_deletion_protection` to `true` to enable deletion protection.

• Save and apply the updated infrastructure code (`terraform plan`, then `terraform apply`) to provision or update the load balancer with deletion protection enabled.

3. Secure code example

resource "aws_lb" "example" {
  name                       = "example"
  load_balancer_type         = "application"
  subnets                    = var.subnet_ids # one subnet per AZ; variable assumed to be declared elsewhere
  enable_deletion_protection = true
}

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.example.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn # target group holding the instances; assumed to be declared elsewhere
  }
}

The above code is a fixed version of the vulnerable configuration. The vulnerability was the lack of deletion protection on the load balancer. In the fixed code the load balancer is declared with the `aws_lb` resource, which accepts the `enable_deletion_protection` argument (the Classic `aws_elb` resource does not), and that argument is set to `true`, meaning deletion protection is enabled for this load balancer. The listener that was nested inside `aws_elb` becomes a separate `aws_lb_listener` resource; the subnet list and target group it references (`var.subnet_ids`, `aws_lb_target_group.example`) are assumed to be declared elsewhere in the module. With deletion protection enabled, the load balancer cannot be deleted by any user, including the account root user, until the protection is switched off again; a `terraform destroy` likewise fails until the argument is set back to `false` and applied, which is the intended friction against accidental deletion and the service disruption it would cause. To apply this fix, replace the existing `aws_elb` resource configuration in your Terraform code with the fixed code, then run `terraform apply` to update the infrastructure. Because the resource type changes, the plan will destroy the Classic Load Balancer and create an Application Load Balancer with a new DNS name, so repoint DNS records and register targets before the old one is removed. Remember to always enable deletion protection for your load balancers to ensure the stability and reliability of your services.
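The check described in the Steps above (find every load balancer resource and confirm that `enable_deletion_protection = true` sits among its top-level arguments) as a small Python script; this is an added example, not tooling from the original page, and it runs on a constructed HCL sample using only the standard library.

```python
import re

# Added example (not the page's own tooling): a brace-matching scan of Terraform HCL for
# load balancers that can be deleted without a safeguard. Braces inside string values will
# confuse it, so treat it as a quick pre-commit check rather than a policy engine.
RESOURCE_RE = re.compile(r'^\s*resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{', re.M)
ATTR_RE = re.compile(r'^\s*enable_deletion_protection\s*=\s*(true|false)\s*$')
LB_TYPES = {"aws_lb", "aws_alb"}  # the resources that accept enable_deletion_protection

def resource_blocks(hcl):
    """Yield (type, name, body) for every top-level resource block."""
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth > 0:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]

def deletion_protection_value(body):
    """Return 'true'/'false' when set at the resource's top level, else None."""
    depth = 0
    for line in body.splitlines():
        code = line.split("#", 1)[0]  # ignore trailing comments
        if depth == 0 and (m := ATTR_RE.match(code)):
            return m.group(1)
        depth += code.count("{") - code.count("}")  # nested blocks are skipped
    return None

def audit(hcl):
    """Return (address, reason) for each load balancer lacking deletion protection."""
    findings = []
    for rtype, name, body in resource_blocks(hcl):
        if rtype == "aws_elb":
            findings.append((f"{rtype}.{name}", "classic ELB has no deletion protection; migrate to aws_lb"))
        elif rtype in LB_TYPES and deletion_protection_value(body) != "true":
            findings.append((f"{rtype}.{name}", "enable_deletion_protection is missing or false"))
    return findings

# Constructed sample: the page's classic ELB, an unprotected ALB and a protected one.
SAMPLE = '''
resource "aws_elb" "legacy" {
  name = "legacy"
}
resource "aws_lb" "open" {
  name = "open"
  subnet_mapping { subnet_id = "subnet-aaaa" }
}
resource "aws_lb" "safe" {
  name                       = "safe"
  enable_deletion_protection = true  # the attribute the fix adds
}
'''
```

Running `audit(SAMPLE)` reports `aws_elb.legacy` and `aws_lb.open` and stays silent on `aws_lb.safe`.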