Classic Load Balancers should have connection draining enabled¶
This control checks whether Classic Load Balancers have connection draining enabled.
How to fix¶
Attribute connection_draining of aws_elb must be true.
Implementation options¶
Choose the option that matches how you manage Terraform. All options satisfy this control.
Option 1: Open source module (terraform-aws-modules)¶
If you use terraform-aws-modules/elb/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "elb" {
source = "terraform-aws-modules/elb/aws"
version = ">=4.0.0,<5.0.0"
health_check = {
healthy_threshold = 2
interval = 30
target = "HTTP:80/"
timeout = 5
unhealthy_threshold = 2
}
listener = [
{
instance_port = 80
instance_protocol = "HTTP"
lb_port = 80
lb_protocol = "HTTP"
}
]
name = "my-elb"
security_groups = ["sg-12345678"]
subnets = ["subnet-12345678"]
connection_draining = true
}
Option 2: Terraform AWS provider resources¶
If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_elb.
resource "aws_elb" "this" {
availability_zones = ["us-east-1a", "us-east-1b"]
listener {
instance_port = 80
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
connection_draining = true
}
Which option should I choose?
- Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
- Open source module (
terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready. - Terraform AWS provider resources: manage Terraform resources directly.
Tool mappings¶
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf (CTF) Control:
ec2_classic_lb_connection_draining_enabledPowerpipe Control:
aws_compliance.control.ec2_classic_lb_connection_draining_enabled