ELB Sensitive Port Is Exposed To Entire Network

  • Query id: 78055456-f670-4d2e-94d5-392d1cf4f5e4
  • Query name: ELB Sensitive Port Is Exposed To Entire Network
  • Platform: CloudFormation
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

The load balancer of the application with a sensitive port connection is exposed to the entire internet.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyLoadBalancer:
      Type: AWS::ElasticLoadBalancing::LoadBalancer
      Properties:
        AvailabilityZones:
        - "us-east-2a"
        CrossZone: true
        Scheme: internet-facing
        Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS
          PolicyNames:
          - My-SSLNegotiation-Policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
        HealthCheck:
          Target: HTTP:80/
          HealthyThreshold: '2'
          UnhealthyThreshold: '3'
          Interval: '10'
          Timeout: '5'
        SecurityGroups:
          - !Ref LBSecGroup
        Policies:
        - PolicyName: My-SSLNegotiation-Policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
          - Name: Reference-Security-Policy
            Value: ELBSecurityPolicy-TLS-1-2-2017-01
  LBSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http and ssh
        VpcId: my-vpc
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 50
          ToPort: 80
          CidrIp: 127.0.0.1/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 127.0.0.1/0
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
Postitive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  MySubnets:
    Description: "My subnet"
    Type: List<String>
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: ip-target-alb
      Subnets: !Ref MySubnets
      SecurityGroups:
        - !Ref ALBSecGroup
      Tags:
        - Key: Name
          Value: ip-target-alb
  ALBSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http and ssh
        VpcId: my-vpc
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
        - IpProtocol: tcp
          FromPort: 6379
          ToPort: 6379
          CidrIp: 127.0.0.1/0
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  HTTPALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
          - Type: forward
            TargetGroupArn: !Ref IPTargetGroup
  IPTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
        VpcId: my-vpc
        Port: 80
        Protocol: HTTP
        TargetType: ip
        Matcher:
            HttpCode: '200'
        HealthCheckIntervalSeconds: 10
        HealthCheckPath: /health/check
        HealthCheckProtocol: HTTP
        HealthCheckTimeoutSeconds: 5
        HealthyThresholdCount: 2
        UnhealthyThresholdCount: 2
  TestListenerRule1:
    Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
    Properties:
        Priority: 1
        ListenerArn: !Ref HTTPALBListener
        Conditions:
          - Field: "host-header"
            Values:
              - "test1.checkmarx.com"
        Actions:
          - Type: "forward"
            TargetGroupArn: !Ref IPTargetGroup
            Order: 1
            ForwardConfig:
                TargetGroups:
                  - TargetGroupArn: !Ref IPTargetGroup
                    Weight: 1
                TargetGroupStickinessConfig:
                    Enabled: false
Postitive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  MySubnet:
    Description: "My subnet"
    Type: List<String>
Resources:
  GatewayLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-gateway-load-balancer
      Scheme: internet-facing
      Type: gateway
      Subnets: !Ref MySubnet
  InstancesSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http and ssh
        VpcId: my-vpc
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
        - IpProtocol: tcp
          FromPort: 636
          ToPort: 636
          CidrIp: 127.0.0.1/0
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.2xlarge
      SecurityGroups:
      - !Ref 'InstancesSecGroup'
      KeyName: my-rsa-key
      ImageId: ami-79fd7eee
  EC2Instance02:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.2xlarge
      SecurityGroups:
      - !Ref 'InstancesSecGroup'
      KeyName: my-rsa-key
      ImageId: ami-79fd7eee
  GatewayLoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: t10-networklb-target
      Port: 443
      Protocol: TCP
      VpcId: t10-vpc-id
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '60'
      Targets:
      - Id: !Ref EC2Instance01
        Port: 443
      - Id: !Ref EC2Instance02
        Port: 443
      Tags:
        - Key: Name
          Value: t10-networklb-target
  GatewayLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref GatewayLoadBalancerTargetGroup
      LoadBalancerArn: !Ref GatewayLoadBalancer
      Port: 443
      Protocol: TCP
  GatewayLoadBalancerListenerCert:
    Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
    Properties:
      Certificates:
        - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456....
      ListenerArn: !Ref GatewayLoadBalancerListener

Postitive test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  MySubnet:
    Description: "My subnet"
    Type: List<String>
Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: t10-networkloadbalancer
      Scheme: internet-facing
      Subnets: !Ref MySubnet
      Type: network
      Tags:
        - Key: Name
          Value: t10-networklb
  ELBInstanceSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http and ssh
        VpcId: my-vpc
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 81
          ToPort: 80
          CidrIp: 127.0.0.1/32
        - IpProtocol: tcp
          FromPort: 27017
          ToPort: 27018
          CidrIp: 127.0.0.1/0
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.2xlarge
      SecurityGroups:
      - !Ref 'ELBInstanceSecGroup'
      KeyName: my-rsa-key
      ImageId: ami-79fd7eee
  EC2Instance02:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.2xlarge
      SecurityGroups:
      - !Ref 'ELBInstanceSecGroup'
      KeyName: my-rsa-key
      ImageId: ami-79fd7eee
  NetworkLoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: t10-networklb-target
      Port: 443
      Protocol: TCP
      VpcId: t10-vpc-id
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '60'
      Targets:
      - Id: !Ref EC2Instance01
        Port: 443
      - Id: !Ref EC2Instance02
        Port: 443
      Tags:
        - Key: Name
          Value: t10-networklb-target
  NetworkLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup
      LoadBalancerArn: !Ref NetworkLoadBalancer
      Port: 443
      Protocol: TCP
  NetworkLoadBalancerListenerCert:
    Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
    Properties:
      Certificates:
        - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456....
      ListenerArn: !Ref NetworkLoadBalancerListener
Postitive test num. 5 - json file
{
  "Resources": {
    "MyLoadBalancer": {
      "Properties": {
        "Scheme": "internet-facing",
        "Listeners": [
          {
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ]
          }
        ],
        "HealthCheck": {
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3",
          "Interval": "10",
          "Timeout": "5",
          "Target": "HTTP:80/"
        },
        "SecurityGroups": [
          "LBSecGroup"
        ],
        "Policies": [
          {
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ],
            "PolicyName": "My-SSLNegotiation-Policy",
            "PolicyType": "SSLNegotiationPolicyType"
          }
        ],
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true
      },
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer"
    },
    "LBSecGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http and ssh",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 50,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "127.0.0.1/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
}
Postitive test num. 6 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Parameters": {
    "MySubnets": {
      "Description": "My subnet",
      "Type": "List\u003cString\u003e"
    }
  },
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "SecurityGroups": [
          "ALBSecGroup"
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "ip-target-alb"
          }
        ],
        "Name": "ip-target-alb",
        "Subnets": "MySubnets"
      }
    },
    "ALBSecGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http and ssh",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "tcp"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 6379,
            "ToPort": 6379,
            "CidrIp": "127.0.0.1/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "FromPort": 22
          }
        ]
      }
    },
    "HTTPALBListener": {
      "Properties": {
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": "IPTargetGroup"
          }
        ],
        "LoadBalancerArn": "ApplicationLoadBalancer",
        "Port": 80,
        "Protocol": "HTTP"
      },
      "Type": "AWS::ElasticLoadBalancingV2::Listener"
    },
    "IPTargetGroup": {
      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "HealthCheckIntervalSeconds": 10,
        "HealthCheckPath": "/health/check",
        "HealthCheckProtocol": "HTTP",
        "HealthyThresholdCount": 2,
        "VpcId": "my-vpc",
        "TargetType": "ip",
        "Matcher": {
          "HttpCode": "200"
        },
        "UnhealthyThresholdCount": 2,
        "Port": 80,
        "Protocol": "HTTP",
        "HealthCheckTimeoutSeconds": 5
      }
    },
    "TestListenerRule1": {
      "Type": "AWS::ElasticLoadBalancingV2::ListenerRule",
      "Properties": {
        "Priority": 1,
        "ListenerArn": "HTTPALBListener",
        "Conditions": [
          {
            "Values": [
              "test1.checkmarx.com"
            ],
            "Field": "host-header"
          }
        ],
        "Actions": [
          {
            "Type": "forward",
            "TargetGroupArn": "IPTargetGroup",
            "Order": 1,
            "ForwardConfig": {
              "TargetGroups": [
                {
                  "TargetGroupArn": "IPTargetGroup",
                  "Weight": 1
                }
              ],
              "TargetGroupStickinessConfig": {
                "Enabled": false
              }
            }
          }
        ]
      }
    }
  }
}
Postitive test num. 7 - json file
{
  "Resources": {
    "GatewayLoadBalancerListenerCert": {
      "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
      "Properties": {
        "Certificates": [
          {
            "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...."
          }
        ],
        "ListenerArn": "GatewayLoadBalancerListener"
      }
    },
    "GatewayLoadBalancer": {
      "Properties": {
        "Name": "my-gateway-load-balancer",
        "Scheme": "internet-facing",
        "Type": "gateway",
        "Subnets": "MySubnet"
      },
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"
    },
    "InstancesSecGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http and ssh",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/32"
          },
          {
            "ToPort": 636,
            "CidrIp": "127.0.0.1/0",
            "IpProtocol": "tcp",
            "FromPort": 636
          }
        ],
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22
          }
        ]
      }
    },
    "EC2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": "t3.2xlarge",
        "SecurityGroups": [
          "InstancesSecGroup"
        ],
        "KeyName": "my-rsa-key",
        "ImageId": "ami-79fd7eee"
      }
    },
    "EC2Instance02": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": "t3.2xlarge",
        "SecurityGroups": [
          "InstancesSecGroup"
        ],
        "KeyName": "my-rsa-key",
        "ImageId": "ami-79fd7eee"
      }
    },
    "GatewayLoadBalancerTargetGroup": {
      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "TargetGroupAttributes": [
          {
            "Key": "deregistration_delay.timeout_seconds",
            "Value": "60"
          }
        ],
        "Targets": [
          {
            "Id": "EC2Instance01",
            "Port": 443
          },
          {
            "Id": "EC2Instance02",
            "Port": 443
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "t10-networklb-target"
          }
        ],
        "Name": "t10-networklb-target",
        "Port": 443,
        "Protocol": "TCP",
        "VpcId": "t10-vpc-id"
      }
    },
    "GatewayLoadBalancerListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": "GatewayLoadBalancerTargetGroup"
          }
        ],
        "LoadBalancerArn": "GatewayLoadBalancer",
        "Port": 443,
        "Protocol": "TCP"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Parameters": {
    "MySubnet": {
      "Description": "My subnet",
      "Type": "List\u003cString\u003e"
    }
  }
}
Postitive test num. 8 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Parameters": {
    "MySubnet": {
      "Description": "My subnet",
      "Type": "List\u003cString\u003e"
    }
  },
  "Resources": {
    "EC2Instance02": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "KeyName": "my-rsa-key",
        "ImageId": "ami-79fd7eee",
        "InstanceType": "t3.2xlarge",
        "SecurityGroups": [
          "ELBInstanceSecGroup"
        ]
      }
    },
    "NetworkLoadBalancerTargetGroup": {
      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "Targets": [
          {
            "Id": "EC2Instance01",
            "Port": 443
          },
          {
            "Id": "EC2Instance02",
            "Port": 443
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "t10-networklb-target"
          }
        ],
        "Name": "t10-networklb-target",
        "Port": 443,
        "Protocol": "TCP",
        "VpcId": "t10-vpc-id",
        "TargetGroupAttributes": [
          {
            "Key": "deregistration_delay.timeout_seconds",
            "Value": "60"
          }
        ]
      }
    },
    "NetworkLoadBalancerListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "Port": 443,
        "Protocol": "TCP",
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": "NetworkLoadBalancerTargetGroup"
          }
        ],
        "LoadBalancerArn": "NetworkLoadBalancer"
      }
    },
    "NetworkLoadBalancerListenerCert": {
      "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
      "Properties": {
        "Certificates": [
          {
            "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...."
          }
        ],
        "ListenerArn": "NetworkLoadBalancerListener"
      }
    },
    "NetworkLoadBalancer": {
      "Properties": {
        "Tags": [
          {
            "Value": "t10-networklb",
            "Key": "Name"
          }
        ],
        "Name": "t10-networkloadbalancer",
        "Scheme": "internet-facing",
        "Subnets": "MySubnet",
        "Type": "network"
      },
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"
    },
    "ELBInstanceSecGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http and ssh",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "tcp",
            "FromPort": 81,
            "ToPort": 80
          },
          {
            "FromPort": 27017,
            "ToPort": 27018,
            "CidrIp": "127.0.0.1/0",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupEgress": [
          {
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ]
      }
    },
    "EC2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": "t3.2xlarge",
        "SecurityGroups": [
          "ELBInstanceSecGroup"
        ],
        "KeyName": "my-rsa-key",
        "ImageId": "ami-79fd7eee"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyLoadBalancer:
      Type: AWS::ElasticLoadBalancing::LoadBalancer
      Properties:
        AvailabilityZones:
        - "us-east-2a"
        CrossZone: true
        Scheme: internet-facing
        Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS
          PolicyNames:
          - My-SSLNegotiation-Policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
        HealthCheck:
          Target: HTTP:80/
          HealthyThreshold: '2'
          UnhealthyThreshold: '3'
          Interval: '10'
          Timeout: '5'
        SecurityGroups:
          [ !Ref LBNegativeSecGroup01 ]
        Policies:
        - PolicyName: My-SSLNegotiation-Policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
          - Name: Reference-Security-Policy
            Value: ELBSecurityPolicy-TLS-1-2-2017-01
  LBNegativeSecGroup01:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http and ssh
        VpcId: my-vpc
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 127.0.0.1/32
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 127.0.0.1/32
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  MySubnets:
    Description: "My subnet"
    Type: List<String>
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: ip-target-alb
      Subnets: !Ref MySubnets
      SecurityGroups:
        - !Ref ALBNegativeSecGroup
      Tags:
        - Key: Name
          Value: ip-target-alb
  ALBNegativeSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http and ssh
        VpcId: my-vpc
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 127.0.0.1/32
        - IpProtocol: tcp
          FromPort: 77
          ToPort: 77
          CidrIp: 127.0.0.1/0
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  HTTPALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
          - Type: forward
            TargetGroupArn: !Ref IPTargetGroup
  IPTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
        VpcId: my-vpc
        Port: 80
        Protocol: HTTP
        TargetType: ip
        Matcher:
            HttpCode: '200'
        HealthCheckIntervalSeconds: 10
        HealthCheckPath: /health/check
        HealthCheckProtocol: HTTP
        HealthCheckTimeoutSeconds: 5
        HealthyThresholdCount: 2
        UnhealthyThresholdCount: 2
  TestListenerRule1:
    Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
    Properties:
        Priority: 1
        ListenerArn: !Ref HTTPALBListener
        Conditions:
          - Field: "host-header"
            Values:
              - "test1.checkmarx.com"
        Actions:
          - Type: "forward"
            TargetGroupArn: !Ref IPTargetGroup
            Order: 1
            ForwardConfig:
                TargetGroups:
                  - TargetGroupArn: !Ref IPTargetGroup
                    Weight: 1
                TargetGroupStickinessConfig:
                    Enabled: false
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  MySubnet:
    Description: "My subnet"
    Type: List<String>
Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: t10-networkloadbalancer
      Scheme: internet-facing
      Subnets: !Ref MySubnet
      Type: network
      Tags:
        - Key: Name
          Value: t10-networklb
  InstancesNegativeSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http and ssh
        VpcId: my-vpc
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 127.0.0.1/32
        - IpProtocol: tcp
          FromPort: 77
          ToPort: 77
          CidrIp: 127.0.0.1/0
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  EC2Instance01:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.2xlarge
      SecurityGroups: [!Ref 'InstancesNegativeSecGroup']
      KeyName: my-rsa-key
      ImageId: ami-79fd7eee
  EC2Instance02:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.2xlarge
      SecurityGroups: [!Ref 'InstancesNegativeSecGroup']
      KeyName: my-rsa-key
      ImageId: ami-79fd7eee
  NetworkLoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: t10-networklb-target
      Port: 443
      Protocol: TCP
      VpcId: t10-vpc-id
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 60
      Targets:
      - Id: !Ref EC2Instance01
        Port: 443
      - Id: !Ref EC2Instance02
        Port: 443
      Tags:
        - Key: Name
          Value: t10-networklb-target
  NetworkLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup
      LoadBalancerArn: !Ref NetworkLoadBalancer
      Port: 443
      Protocol: TCP
  NetworkLoadBalancerListenerCert:
    Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
    Properties:
      Certificates:
        - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456....
      ListenerArn: !Ref NetworkLoadBalancerListener

Negative test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "HealthCheck": {
          "UnhealthyThreshold": "3",
          "Interval": "10",
          "Timeout": "5",
          "Target": "HTTP:80/",
          "HealthyThreshold": "2"
        },
        "SecurityGroups": [
          "LBNegativeSecGroup01"
        ],
        "Policies": [
          {
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ],
            "PolicyName": "My-SSLNegotiation-Policy"
          }
        ],
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Scheme": "internet-facing",
        "Listeners": [
          {
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP"
          }
        ]
      }
    },
    "LBNegativeSecGroup01": {
      "Properties": {
        "GroupDescription": "Allow http and ssh",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "127.0.0.1/32"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "127.0.0.1/32"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      },
      "Type": "AWS::EC2::SecurityGroup"
    }
  }
}
Negative test num. 5 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Parameters": {
    "MySubnets": {
      "Description": "My subnet",
      "Type": "List\u003cString\u003e"
    }
  },
  "Resources": {
    "IPTargetGroup": {
      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "VpcId": "my-vpc",
        "Protocol": "HTTP",
        "HealthCheckIntervalSeconds": 10,
        "UnhealthyThresholdCount": 2,
        "Port": 80,
        "TargetType": "ip",
        "Matcher": {
          "HttpCode": "200"
        },
        "HealthCheckPath": "/health/check",
        "HealthCheckProtocol": "HTTP",
        "HealthCheckTimeoutSeconds": 5,
        "HealthyThresholdCount": 2
      }
    },
    "TestListenerRule1": {
      "Properties": {
        "Priority": 1,
        "ListenerArn": "HTTPALBListener",
        "Conditions": [
          {
            "Field": "host-header",
            "Values": [
              "test1.checkmarx.com"
            ]
          }
        ],
        "Actions": [
          {
            "TargetGroupArn": "IPTargetGroup",
            "Order": 1,
            "ForwardConfig": {
              "TargetGroups": [
                {
                  "TargetGroupArn": "IPTargetGroup",
                  "Weight": 1
                }
              ],
              "TargetGroupStickinessConfig": {
                "Enabled": false
              }
            },
            "Type": "forward"
          }
        ]
      },
      "Type": "AWS::ElasticLoadBalancingV2::ListenerRule"
    },
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "ip-target-alb",
        "Subnets": "MySubnets",
        "SecurityGroups": [
          "ALBNegativeSecGroup"
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "ip-target-alb"
          }
        ]
      }
    },
    "ALBNegativeSecGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http and ssh",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "127.0.0.1/32"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 77,
            "ToPort": 77,
            "CidrIp": "127.0.0.1/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22
          }
        ]
      }
    },
    "HTTPALBListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": "ApplicationLoadBalancer",
        "Port": 80,
        "Protocol": "HTTP",
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": "IPTargetGroup"
          }
        ]
      }
    }
  }
}
Negative test num. 6 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Parameters": {
    "MySubnet": {
      "Type": "List\u003cString\u003e",
      "Description": "My subnet"
    }
  },
  "Resources": {
    "InstancesNegativeSecGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http and ssh",
        "VpcId": "my-vpc",
        "SecurityGroupIngress": [
          {
            "CidrIp": "127.0.0.1/32",
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 77,
            "ToPort": 77,
            "CidrIp": "127.0.0.1/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22
          }
        ]
      }
    },
    "EC2Instance01": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": "t3.2xlarge",
        "SecurityGroups": [
          "InstancesNegativeSecGroup"
        ],
        "KeyName": "my-rsa-key",
        "ImageId": "ami-79fd7eee"
      }
    },
    "EC2Instance02": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": "t3.2xlarge",
        "SecurityGroups": [
          "InstancesNegativeSecGroup"
        ],
        "KeyName": "my-rsa-key",
        "ImageId": "ami-79fd7eee"
      }
    },
    "NetworkLoadBalancerTargetGroup": {
      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "Name": "t10-networklb-target",
        "Port": 443,
        "Protocol": "TCP",
        "VpcId": "t10-vpc-id",
        "TargetGroupAttributes": [
          {
            "Value": 60,
            "Key": "deregistration_delay.timeout_seconds"
          }
        ],
        "Targets": [
          {
            "Id": "EC2Instance01",
            "Port": 443
          },
          {
            "Id": "EC2Instance02",
            "Port": 443
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": "t10-networklb-target"
          }
        ]
      }
    },
    "NetworkLoadBalancerListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": "NetworkLoadBalancerTargetGroup"
          }
        ],
        "LoadBalancerArn": "NetworkLoadBalancer",
        "Port": 443,
        "Protocol": "TCP"
      }
    },
    "NetworkLoadBalancerListenerCert": {
      "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
      "Properties": {
        "Certificates": [
          {
            "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...."
          }
        ],
        "ListenerArn": "NetworkLoadBalancerListener"
      }
    },
    "NetworkLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "t10-networkloadbalancer",
        "Scheme": "internet-facing",
        "Subnets": "MySubnet",
        "Type": "network",
        "Tags": [
          {
            "Key": "Name",
            "Value": "t10-networklb"
          }
        ]
      }
    }
  }
}