ELB With Deletion Protection Not Enabled
Overview
Elastic Load Balancers (ELBs) are a critical component in distributing incoming application traffic across multiple targets, such as EC2 instances. However, if deletion protection is not enabled on an ELB, it can be inadvertently or maliciously deleted, potentially causing significant downtime and loss of service availability.

Risks
1. Accidental Deletion
Without deletion protection, administrators or automated processes might unintentionally delete the ELB, disrupting the load distribution and affecting application availability.
2. Malicious Actions
Insecure or overly permissive IAM policies could allow unauthorized users to delete the ELB, leading to a denial of service (DoS).
3. Service Downtime
The absence of a load balancer causes requests to fail or overload individual backend instances, leading to performance degradation or outages.
4. Compliance Violations
Certain regulations and organizational policies mandate safeguards to prevent the unintentional removal of critical infrastructure. Non-compliance can lead to penalties or reputational damage.
Solutions
Enable Deletion Protection on ELBs
AWS allows enabling deletion protection on ELBs to prevent accidental or unauthorized deletion. Note that this is an attribute of the ELBv2 family (Application, Network and Gateway Load Balancers); Classic Load Balancers do not support it, so workloads on Classic ELBs should be migrated to gain this safeguard.
Steps to Enable Deletion Protection:
1. Open the AWS Management Console.
2. Navigate to the EC2 Dashboard and select Load Balancers.
3. Choose the target ELB from the list.
4. Under the Attributes tab, locate the Deletion Protection option.
5. Set Deletion Protection to Enabled and save the changes.
Using AWS CLI (deletion protection is an ELBv2 attribute, so the elbv2 command set is used and the load balancer is identified by its ARN):
aws elbv2 modify-load-balancer-attributes --load-balancer-arn <load-balancer-arn> --attributes Key=deletion_protection.enabled,Value=true
Using Terraform (the aws_lb resource; aws_elb is the Classic ELB resource and has no deletion protection argument):
resource "aws_lb" "example" {
  name                       = "example-load-balancer"
  load_balancer_type         = "application"
  subnets                    = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"] # placeholder subnet IDs
  enable_deletion_protection = true
}
Implement Least Privilege for IAM Policies
Restrict permissions for modifying or deleting ELBs to specific roles or users.
Use AWS Organizations SCPs (Service Control Policies) to enforce deletion protection globally.
Monitor ELB Configurations
Set up AWS Config rules or CloudTrail (for example, forwarded to EventBridge) to monitor changes to ELB settings and alert when deletion protection is disabled or a load balancer is deleted.
Example AWS Config Rule:
{
  "ConfigRuleName": "elb-deletion-protection-check",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "ELB_DELETION_PROTECTION_ENABLED"
  }
}
Regular Audits
Schedule periodic audits of your ELBs to verify deletion protection is enabled on every load balancer in every account and region.
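As an added example (not code from the original page), the following Python script implements both the periodic audit and the CloudTrail-based alerting described above. The offline part works on the attribute list returned by the ELBv2 DescribeLoadBalancerAttributes API and on a CloudTrail record for ModifyLoadBalancerAttributes; the sample ARNs, attribute lists and CloudTrail event are constructed for illustration, and the shape of the CloudTrail requestParameters (lower-camel-case keys) is an assumption. The audit_live_account and enable_deletion_protection functions use boto3 against a real account and need credentials, so they are not exercised offline.

```python
"""Audit ELBv2 load balancers for deletion protection and flag CloudTrail
records that turn it off. Added example; not part of the original page."""
from typing import Dict, Iterable, List

# Attribute key exposed by the ELBv2 API (ALB/NLB/GWLB). Classic ELB has no equivalent.
DELETION_PROTECTION_KEY = "deletion_protection.enabled"

# Constructed sample: ARN -> Attributes list as returned by describe-load-balancer-attributes.
SAMPLE_ATTRIBUTES: Dict[str, List[dict]] = {
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123456789abcdef": [
        {"Key": "deletion_protection.enabled", "Value": "true"},
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    ],
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/api/fedcba9876543210": [
        {"Key": "deletion_protection.enabled", "Value": "false"},
    ],
    # Attribute missing entirely: treated as unprotected rather than silently passing.
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/ingress/0011223344556677": [
        {"Key": "load_balancing.cross_zone.enabled", "Value": "false"},
    ],
}

# Constructed CloudTrail record (requestParameters shape is an assumption).
SAMPLE_DISABLE_EVENT = {
    "eventSource": "elasticloadbalancing.amazonaws.com",
    "eventName": "ModifyLoadBalancerAttributes",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
    "requestParameters": {
        "loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123456789abcdef",
        "attributes": [{"key": "deletion_protection.enabled", "value": "false"}],
    },
}


def deletion_protection_enabled(attributes: Iterable[dict]) -> bool:
    """Read the deletion protection flag from an Attributes list; absent means off."""
    for attr in attributes:
        if attr.get("Key") == DELETION_PROTECTION_KEY:
            return str(attr.get("Value", "")).lower() == "true"
    return False


def find_unprotected(load_balancers: Dict[str, List[dict]]) -> List[str]:
    """Return the ARNs (sorted) whose attribute list lacks deletion protection."""
    return sorted(arn for arn, attrs in load_balancers.items()
                  if not deletion_protection_enabled(attrs))


def cloudtrail_disables_protection(event: dict) -> bool:
    """True when a CloudTrail record sets deletion_protection.enabled to false."""
    if event.get("eventSource") != "elasticloadbalancing.amazonaws.com":
        return False
    if event.get("eventName") != "ModifyLoadBalancerAttributes":
        return False
    params = event.get("requestParameters") or {}
    for attr in params.get("attributes") or []:
        if (attr.get("key") == DELETION_PROTECTION_KEY
                and str(attr.get("value", "")).lower() == "false"):
            return True
    return False


def audit_live_account(region: str) -> List[str]:
    """Run find_unprotected against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions have no dependency
    elbv2 = boto3.client("elbv2", region_name=region)
    found: Dict[str, List[dict]] = {}
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            arn = lb["LoadBalancerArn"]
            found[arn] = elbv2.describe_load_balancer_attributes(
                LoadBalancerArn=arn)["Attributes"]
    return find_unprotected(found)


def enable_deletion_protection(elbv2, arn: str) -> None:
    """Remediate one load balancer; same call as the CLI example above."""
    elbv2.modify_load_balancer_attributes(
        LoadBalancerArn=arn,
        Attributes=[{"Key": DELETION_PROTECTION_KEY, "Value": "true"}])


if __name__ == "__main__":
    for arn in find_unprotected(SAMPLE_ATTRIBUTES):
        print("deletion protection OFF:", arn)
    if cloudtrail_disables_protection(SAMPLE_DISABLE_EVENT):
        print("ALERT: deletion protection disabled by",
              SAMPLE_DISABLE_EVENT["userIdentity"]["arn"])
```

Treating a missing attribute as unprotected keeps the audit conservative; a load balancer the API does not report the flag for should be investigated rather than assumed safe. The CloudTrail check is the logic you would place behind an EventBridge rule or a SIEM query so that a protection downgrade is noticed before any subsequent DeleteLoadBalancer call.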
Conclusion
Enabling deletion protection on your ELBs is a simple yet effective way to safeguard against accidental or malicious deletion, ensuring continuous availability and compliance. Combining this with robust monitoring and IAM policies will significantly enhance your cloud infrastructure's resilience.