This rule ensures that deletion protection is enabled for ELB application load balancers.
Rule | ELB application load balancer deletion protection should be enabled |
Framework | FedRAMP Low Revision 4 |
Severity | ✔ High |
ELB Application Load Balancer Deletion Protection for FedRAMP Low Revision 4
Deletion protection in AWS Elastic Load Balancing (ELB) Application Load Balancer (ALB) is a feature designed to prevent the load balancer from being accidentally deleted. This functionality is particularly important in environments requiring robust security controls, like those adhering to Federal Risk and Authorization Management Program (FedRAMP) Low Revision 4 requirements.
Rule Description
For compliance with FedRAMP Low Revision 4, it is required that deletion protection be enabled on all ELB Application Load Balancers. This ensures that critical components of the infrastructure cannot be removed without deliberate action, thereby reducing the risk of inadvertent outages and potential security breaches.
Troubleshooting Steps
If deletion protection is not enabled on your Application Load Balancer, follow these steps to rectify the issue:
Check Deletion Protection Status: Use AWS Management Console or AWS CLI to check whether deletion protection is enabled.
AWS CLI command to describe attributes of an ALB:
aws elbv2 describe-load-balancer-attributes --load-balancer-arn [your-load-balancer-arn]
Evaluate Results: In the output, look for the "deletion_protection.enabled" attribute and check whether its value is true. If not, proceed to enable deletion protection.
Enable Deletion Protection
Using AWS Console:
Using AWS CLI:
To enable deletion protection using the AWS CLI, use the following command, replacing [your-load-balancer-arn] with your load balancer's ARN:
aws elbv2 modify-load-balancer-attributes --load-balancer-arn [your-load-balancer-arn] --attributes Key=deletion_protection.enabled,Value=true
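The check-and-enable procedure above can be scripted. The following is an added example, not part of the original rule text: it evaluates the JSON printed by the describe command and builds the modify command for each failing load balancer. The ARNs, account ID and sample outputs are constructed placeholders, and the function names are hypothetical.

```python
import json
import subprocess

KEY = "deletion_protection.enabled"

def deletion_protection_enabled(describe_output: str) -> bool:
    """Evaluate the JSON printed by describe-load-balancer-attributes."""
    attrs = json.loads(describe_output).get("Attributes", [])
    values = {a.get("Key"): a.get("Value") for a in attrs}
    # Attribute values are strings; "false" is truthy in Python, so compare
    # explicitly. A missing attribute is treated as not enabled.
    return str(values.get(KEY, "")).strip().lower() == "true"

def fetch_attributes(arn: str) -> str:
    """Run the page's describe command (needs the AWS CLI and credentials)."""
    cmd = ["aws", "elbv2", "describe-load-balancer-attributes",
           "--load-balancer-arn", arn, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def remediation_command(arn: str) -> list:
    """Build the page's modify command as an argv list (no shell quoting)."""
    return ["aws", "elbv2", "modify-load-balancer-attributes",
            "--load-balancer-arn", arn,
            "--attributes", f"Key={KEY},Value=true"]

def audit(outputs_by_arn: dict) -> list:
    """Return the ARNs whose describe output fails the rule, sorted."""
    return sorted(arn for arn, out in outputs_by_arn.items()
                  if not deletion_protection_enabled(out))

# Constructed sample outputs (placeholder account ID and load balancer names).
BASE = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/"
SAMPLES = {
    BASE + "example-a/0000000000000001": json.dumps({"Attributes": [
        {"Key": "access_logs.s3.enabled", "Value": "false"},
        {"Key": KEY, "Value": "true"}]}),
    BASE + "example-b/0000000000000002": json.dumps({"Attributes": [
        {"Key": KEY, "Value": "false"}]}),
    BASE + "example-c/0000000000000003": json.dumps({"Attributes": []}),
}

if __name__ == "__main__":
    for arn in audit(SAMPLES):
        print("NON-COMPLIANT:", arn)
        print("  fix:", " ".join(remediation_command(arn)))
```

To audit live resources, pass `fetch_attributes(arn)` output into `audit` in place of the constructed samples.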
Step by Step Guide for Remediation
To remediate a load balancer that does not have deletion protection enabled, follow these steps:
Ensure that these steps are implemented as part of the configuration management process for all load balancers within your organization to maintain continuous compliance with FedRAMP Low Revision 4 requirements.
By performing these tasks, you can help improve your system's security posture.