ELB load balancers should prohibit public access¶
An internet facing load balancer has a publicly resolvable DNS name, so it can route requests from clients over the internet to the EC2 instances that are registered with the load balancer.
How to fix¶
Attribute internal of aws_lb must be true.
Implementation options¶
Choose the option that matches how you manage Terraform. All options satisfy this control.
Option 1: Open source module (terraform-aws-modules)¶
If you use terraform-aws-modules/alb/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = ">=10.0.0,<11.0.0"
access_logs = {
bucket = "example-bucket-abc123"
}
load_balancer_type = "application"
name = "abc123"
security_groups = ["sg-abc12345"]
subnets = ["subnet-abc123", "subnet-def456"]
target_groups = {
default = {
create_attachment = false
name_prefix = "def-"
port = 443
protocol = "HTTPS"
target_type = "ip"
}
}
vpc_id = "vpc-12345678"
internal = true
}
Option 2: Terraform AWS provider resources¶
If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_lb.
resource "aws_lb" "this" {
access_logs {
bucket = "pofix-example-lb-logs"
}
name = "pofix-example-lb"
subnets = ["subnet-abc123", "subnet-def456"]
internal = true
}
Which option should I choose?
- Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
- Open source module (
terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready. - Terraform AWS provider resources: manage Terraform resources directly.
Tool mappings¶
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf (CTF) Control:
elb_application_classic_network_lb_prohibit_public_accessPowerpipe Control:
aws_compliance.control.elb_application_classic_network_lb_prohibit_public_access