Terraform Deletion Protection Disabled
Description
Detects AWS load balancers managed through the Terraform aws_lb resource (Elastic Load Balancing v2: Application, Network and Gateway Load Balancers) that do not have deletion protection enabled. With deletion protection on, the service rejects DeleteLoadBalancer calls until the attribute is turned off again, which guards against an accidental deletion (a mistaken console click, a script pointed at the wrong account, or an unintended terraform destroy) that would take down every service behind the load balancer. It is a safeguard against mistakes, not an access control: a principal permitted to call elasticloadbalancing:ModifyLoadBalancerAttributes can disable it and then delete the load balancer, so it should be combined with IAM policies that restrict who may modify and delete load balancers. Note that the classic aws_elb resource has no equivalent attribute; this rule applies to aws_lb only.
Detection Strategy
• Identifies AWS Load Balancer resource blocks (aws_lb, and its alias aws_alb, which the AWS provider treats as the same resource) in Terraform configuration files
• Checks whether the enable_deletion_protection attribute is missing (the provider defaults it to false) or is explicitly set to false
• Reports a security finding for every such load balancer resource, since it can be deleted without any confirmation step
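The following is an added example of the detection logic described above, written for this page rather than taken from the Fluid Attacks scanner. It walks the resource blocks of a Terraform file with a small brace matcher (so nested blocks such as access_logs do not confuse it), and flags every aws_lb/aws_alb whose enable_deletion_protection is absent, false, or anything other than the literal true; the sample configuration, the Finding class and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# aws_alb is an alias for aws_lb in the AWS provider; both must be checked.
LB_TYPES = {"aws_lb", "aws_alb"}
HEADER_RE = re.compile(r'^[ \t]*resource[ \t]+"([^"]+)"[ \t]+"([^"]+)"[ \t]*\{', re.M)
# Value ends at whitespace or a trailing "#" comment.
ATTR_RE = re.compile(r'^[ \t]*enable_deletion_protection[ \t]*=[ \t]*([^\s#]+)', re.M)

# Constructed sample configuration (not from the original page).
SAMPLE_TF = '''\
resource "aws_lb" "missing" {
  name               = "missing-lb"
  load_balancer_type = "application"
  access_logs {
    bucket  = "lb-logs"
    enabled = true
  }
}

resource "aws_lb" "explicit_false" {
  name                       = "false-lb"
  enable_deletion_protection = false  # explicitly disabled
}

resource "aws_alb" "protected" {
  name                       = "ok-lb"
  enable_deletion_protection = true
}

resource "aws_lb" "variable" {
  name                       = "var-lb"
  enable_deletion_protection = var.protect  # not a literal true
}

resource "aws_security_group" "lb_sg" {
  name = "lb-sg"
}
'''


@dataclass
class Finding:
    resource_type: str
    resource_name: str
    line: int
    reason: str


def block_body(text, open_idx):
    """Return (body, close_idx) for the brace block whose '{' is at text[open_idx].

    Braces inside double-quoted strings and inside '#' / '//' line comments are
    ignored so they cannot unbalance the count.
    """
    depth = 0
    i, n = open_idx, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            i += 1
            while i < n and text[i] != '"':
                if text[i] == "\\":
                    i += 1  # skip the escaped character
                i += 1
        elif c == "#" or text.startswith("//", i):
            while i < n and text[i] != "\n":
                i += 1
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i
        i += 1
    raise ValueError("unbalanced braces in block starting at offset %d" % open_idx)


def find_unprotected_lbs(text):
    """Return one Finding per aws_lb/aws_alb without enable_deletion_protection = true."""
    findings = []
    for m in HEADER_RE.finditer(text):
        rtype, rname = m.group(1), m.group(2)
        if rtype not in LB_TYPES:
            continue
        body, _ = block_body(text, m.end() - 1)   # m.end() - 1 is the '{'
        line = text.count("\n", 0, m.start()) + 1
        attr = ATTR_RE.search(body)
        if attr is None:
            reason = "enable_deletion_protection not set (provider default is false)"
        elif attr.group(1) != "true":
            # Conservative: a variable or expression is reported too, since the
            # rule cannot prove it evaluates to true.
            reason = "enable_deletion_protection = %s" % attr.group(1)
        else:
            continue
        findings.append(Finding(rtype, rname, line, reason))
    return findings


if __name__ == "__main__":
    for f in find_unprotected_lbs(SAMPLE_TF):
        print("%s.%s (line %d): %s" % (f.resource_type, f.resource_name, f.line, f.reason))
```

Run against the sample it reports the missing, explicit_false and variable resources and stays silent on protected and on the security group. A production rule would parse HCL properly (for example with a real HCL parser) instead of regexes, and would resolve variables and locals before deciding, but the decision it has to make is the one shown here.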
Vulnerable code example
resource "aws_lb" "example" {
name = "example-lb"
internal = false
load_balancer_type = "application"
# Security vulnerability: Deletion protection disabled, exposing LB to accidental deletion
enable_deletion_protection = false
}

✅ Secure code example
resource "aws_lb" "example" {
name = "example-lb"
internal = false
load_balancer_type = "application"
# Enable deletion protection to prevent accidental removal
enable_deletion_protection = true
# Add security group to control access
security_groups = [aws_security_group.lb_sg.id]
# ... (remaining attributes elided on the original page)
}