Lack of protection against deletion - ELB - CloudFormation


Need

Enable Deletion Protection for Elastic Load Balancing


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS::ElasticLoadBalancing::LoadBalancer for managing and configuring AWS Elastic Load Balancer

Description

Insecure Code Example

```yaml
Resources:
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: example
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c
      Listeners:
        - InstancePort: 80
          InstanceProtocol: HTTP
          LoadBalancerPort: 80
          Protocol: HTTP
```

The above CloudFormation template creates an Elastic Load Balancer (ELB) in AWS without enabling the deletion protection feature. The ELB listens on port 80 and distributes incoming traffic across the availability zones "us-west-2a", "us-west-2b", and "us-west-2c". The vulnerability lies in the absence of the `DeletionProtection` attribute in the resource properties, which allows the ELB to be deleted, accidentally or intentionally, without any restriction. In a production environment, deleting an ELB can cause a service outage or loss of availability. To prevent this, enable deletion protection by adding the `DeletionProtection` property set to `true` to the resource definition.

Steps

  1. Identify the AWS Elastic Load Balancer (ELB) resource in your CloudFormation template.
  2. Check if the `DeletionProtection` property is present.
  3. If not, add the `DeletionProtection` property to the resource definition.
  4. Set the value to `true` to enable deletion protection.
  5. Deploy or update the stack to apply the changes.

Secure Code Example

```yaml
Resources:
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: example
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c
      DeletionProtection: true
      Listeners:
        - InstancePort: 80
          InstanceProtocol: HTTP
          LoadBalancerPort: 80
          Protocol: HTTP
```

This CloudFormation template includes deletion protection for the ELB by setting the `DeletionProtection` property to `true`. With this configuration, the ELB cannot be deleted through the AWS Management Console, CLI, or API unless the protection is explicitly removed. Enabling deletion protection is a recommended best practice to prevent accidental or unauthorized deletions that could disrupt services.
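The steps above (identify the load balancer resource, check for the property, add it, set it to `true`) can be automated as a template check that runs in a CI pipeline before `aws cloudformation deploy`. The script below is an added example, not code from this page or from any AWS tooling. It works on the JSON form of a template (CloudFormation accepts JSON and YAML equivalently, and JSON avoids the `!Ref`-style tags a plain YAML parser rejects). It goes beyond the classic-ELB case shown on the page: the ALB/NLB resource type `AWS::ElasticLoadBalancingV2::LoadBalancer` expresses the same control through the `deletion_protection.enabled` key in `LoadBalancerAttributes`, so both forms are checked and fixed. `SAMPLE_TEMPLATE`, its logical IDs and the subnet and AMI values are constructed for the demonstration.

```python
import copy
import json

# Resource types that represent load balancers. The classic type is the one
# on this page; the V2 type (ALB/NLB) is covered as a generalisation.
LB_TYPES = {
    "AWS::ElasticLoadBalancing::LoadBalancer",
    "AWS::ElasticLoadBalancingV2::LoadBalancer",
}

# Constructed sample template: the page's insecure ELB as JSON, plus two
# ALBs (one protected, one not) and a non-LB resource that must be ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "LoadBalancerName": "example",
        "AvailabilityZones": ["us-west-2a", "us-west-2b", "us-west-2c"],
        "Listeners": [{"InstancePort": 80, "InstanceProtocol": "HTTP",
                       "LoadBalancerPort": 80, "Protocol": "HTTP"}]
      }
    },
    "ProtectedAlb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Type": "application",
        "Subnets": ["subnet-aaaa1111", "subnet-bbbb2222"],
        "LoadBalancerAttributes": [
          {"Key": "deletion_protection.enabled", "Value": "true"}]
      }
    },
    "UnprotectedAlb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Type": "application",
        "Subnets": ["subnet-aaaa1111", "subnet-bbbb2222"],
        "LoadBalancerAttributes": [
          {"Key": "deletion_protection.enabled", "Value": "false"}]
      }
    },
    "WebServer": {
      "Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-00000000"}
    }
  }
}
""")


def _is_true(value):
    # CloudFormation accepts a boolean or the strings "true"/"false".
    return str(value).strip().lower() == "true"


def has_deletion_protection(resource):
    """Return True if a load balancer resource enables deletion protection."""
    rtype = resource.get("Type")
    props = resource.get("Properties") or {}
    if rtype == "AWS::ElasticLoadBalancing::LoadBalancer":
        return _is_true(props.get("DeletionProtection", False))
    if rtype == "AWS::ElasticLoadBalancingV2::LoadBalancer":
        for attr in props.get("LoadBalancerAttributes") or []:
            if attr.get("Key") == "deletion_protection.enabled":
                return _is_true(attr.get("Value"))
        return False  # attribute absent: the AWS default is disabled
    raise ValueError(f"not a load balancer: {rtype}")


def find_unprotected(template):
    """Steps 1-2: logical IDs of load balancers lacking deletion protection."""
    return sorted(
        logical_id
        for logical_id, res in (template.get("Resources") or {}).items()
        if res.get("Type") in LB_TYPES and not has_deletion_protection(res)
    )


def enable_deletion_protection(template):
    """Steps 3-4: return a copy with protection enabled on every finding."""
    fixed = copy.deepcopy(template)
    for logical_id in find_unprotected(fixed):
        res = fixed["Resources"][logical_id]
        props = res.setdefault("Properties", {})
        if res["Type"] == "AWS::ElasticLoadBalancing::LoadBalancer":
            props["DeletionProtection"] = True
        else:
            attrs = [a for a in props.get("LoadBalancerAttributes") or []
                     if a.get("Key") != "deletion_protection.enabled"]
            attrs.append({"Key": "deletion_protection.enabled", "Value": "true"})
            props["LoadBalancerAttributes"] = attrs
    return fixed


if __name__ == "__main__":
    print("unprotected:", find_unprotected(SAMPLE_TEMPLATE))
    fixed = enable_deletion_protection(SAMPLE_TEMPLATE)
    print(json.dumps(fixed["Resources"]["MyLoadBalancer"], indent=2))
```

A non-empty result from `find_unprotected` is the condition to fail the pipeline on; `enable_deletion_protection` returns a corrected copy (step 5, deploying the updated stack, is unchanged). Note that `DeletionPolicy: Retain` on the resource is a different control: it keeps the load balancer when the stack is deleted but does not stop a direct console, CLI or API delete, which is what the `DeletionProtection` setting addresses.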


References

  • 258 - Lack of protection against deletion - ELB

  • Last updated: 2025/04/04