ELB Sensitive Port Is Exposed To Entire Network
- Query id: 78055456-f670-4d2e-94d5-392d1cf4f5e4
- Query name: ELB Sensitive Port Is Exposed To Entire Network
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
The load balancer of the application with a sensitive port connection is exposed to the entire internet.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Scheme: internet-facing
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTP
LoadBalancerPort: '443'
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '2'
UnhealthyThreshold: '3'
Interval: '10'
Timeout: '5'
SecurityGroups:
- !Ref LBSecGroup
Policies:
- PolicyName: My-SSLNegotiation-Policy
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: Reference-Security-Policy
Value: ELBSecurityPolicy-TLS-1-2-2017-01
LBSecGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and ssh
VpcId: my-vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 50
ToPort: 80
CidrIp: 127.0.0.1/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 127.0.0.1/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
MySubnets:
Description: "My subnet"
Type: List<String>
Resources:
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: ip-target-alb
Subnets: !Ref MySubnets
SecurityGroups:
- !Ref ALBSecGroup
Tags:
- Key: Name
Value: ip-target-alb
ALBSecGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and ssh
VpcId: my-vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 127.0.0.1/32
- IpProtocol: tcp
FromPort: 6379
ToPort: 6379
CidrIp: 127.0.0.1/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
HTTPALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
LoadBalancerArn: !Ref ApplicationLoadBalancer
Port: 80
Protocol: HTTP
DefaultActions:
- Type: forward
TargetGroupArn: !Ref IPTargetGroup
IPTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
VpcId: my-vpc
Port: 80
Protocol: HTTP
TargetType: ip
Matcher:
HttpCode: '200'
HealthCheckIntervalSeconds: 10
HealthCheckPath: /health/check
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 2
UnhealthyThresholdCount: 2
TestListenerRule1:
Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
Properties:
Priority: 1
ListenerArn: !Ref HTTPALBListener
Conditions:
- Field: "host-header"
Values:
- "test1.checkmarx.com"
Actions:
- Type: "forward"
TargetGroupArn: !Ref IPTargetGroup
Order: 1
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref IPTargetGroup
Weight: 1
TargetGroupStickinessConfig:
Enabled: false
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
MySubnet:
Description: "My subnet"
Type: List<String>
Resources:
GatewayLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: my-gateway-load-balancer
Scheme: internet-facing
Type: gateway
Subnets: !Ref MySubnet
InstancesSecGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and ssh
VpcId: my-vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 127.0.0.1/32
- IpProtocol: tcp
FromPort: 636
ToPort: 636
CidrIp: 127.0.0.1/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
EC2Instance01:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.2xlarge
SecurityGroups:
- !Ref 'InstancesSecGroup'
KeyName: my-rsa-key
ImageId: ami-79fd7eee
EC2Instance02:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.2xlarge
SecurityGroups:
- !Ref 'InstancesSecGroup'
KeyName: my-rsa-key
ImageId: ami-79fd7eee
GatewayLoadBalancerTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: t10-networklb-target
Port: 443
Protocol: TCP
VpcId: t10-vpc-id
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: '60'
Targets:
- Id: !Ref EC2Instance01
Port: 443
- Id: !Ref EC2Instance02
Port: 443
Tags:
- Key: Name
Value: t10-networklb-target
GatewayLoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref GatewayLoadBalancerTargetGroup
LoadBalancerArn: !Ref GatewayLoadBalancer
Port: 443
Protocol: TCP
GatewayLoadBalancerListenerCert:
Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
Properties:
Certificates:
- CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456....
ListenerArn: !Ref GatewayLoadBalancerListener
Positive test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
MySubnet:
Description: "My subnet"
Type: List<String>
Resources:
NetworkLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: t10-networkloadbalancer
Scheme: internet-facing
Subnets: !Ref MySubnet
Type: network
Tags:
- Key: Name
Value: t10-networklb
ELBInstanceSecGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and ssh
VpcId: my-vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 81
ToPort: 80
CidrIp: 127.0.0.1/32
- IpProtocol: tcp
FromPort: 27017
ToPort: 27018
CidrIp: 127.0.0.1/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
EC2Instance01:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.2xlarge
SecurityGroups:
- !Ref 'ELBInstanceSecGroup'
KeyName: my-rsa-key
ImageId: ami-79fd7eee
EC2Instance02:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.2xlarge
SecurityGroups:
- !Ref 'ELBInstanceSecGroup'
KeyName: my-rsa-key
ImageId: ami-79fd7eee
NetworkLoadBalancerTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: t10-networklb-target
Port: 443
Protocol: TCP
VpcId: t10-vpc-id
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: '60'
Targets:
- Id: !Ref EC2Instance01
Port: 443
- Id: !Ref EC2Instance02
Port: 443
Tags:
- Key: Name
Value: t10-networklb-target
NetworkLoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup
LoadBalancerArn: !Ref NetworkLoadBalancer
Port: 443
Protocol: TCP
NetworkLoadBalancerListenerCert:
Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
Properties:
Certificates:
- CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456....
ListenerArn: !Ref NetworkLoadBalancerListener
Positive test num. 5 - json file
{
"Resources": {
"MyLoadBalancer": {
"Properties": {
"Scheme": "internet-facing",
"Listeners": [
{
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80",
"InstanceProtocol": "HTTP",
"LoadBalancerPort": "443",
"Protocol": "HTTPS",
"PolicyNames": [
"My-SSLNegotiation-Policy"
]
}
],
"HealthCheck": {
"HealthyThreshold": "2",
"UnhealthyThreshold": "3",
"Interval": "10",
"Timeout": "5",
"Target": "HTTP:80/"
},
"SecurityGroups": [
"LBSecGroup"
],
"Policies": [
{
"Attributes": [
{
"Name": "Reference-Security-Policy",
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
}
],
"PolicyName": "My-SSLNegotiation-Policy",
"PolicyType": "SSLNegotiationPolicyType"
}
],
"AvailabilityZones": [
"us-east-2a"
],
"CrossZone": true
},
"Type": "AWS::ElasticLoadBalancing::LoadBalancer"
},
"LBSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 50,
"ToPort": 80,
"CidrIp": "127.0.0.1/0"
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "127.0.0.1/0"
}
],
"SecurityGroupEgress": [
{
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp"
}
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Parameters": {
"MySubnets": {
"Description": "My subnet",
"Type": "List\u003cString\u003e"
}
},
"Resources": {
"ApplicationLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SecurityGroups": [
"ALBSecGroup"
],
"Tags": [
{
"Key": "Name",
"Value": "ip-target-alb"
}
],
"Name": "ip-target-alb",
"Subnets": "MySubnets"
}
},
"ALBSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"FromPort": 80,
"ToPort": 80,
"CidrIp": "127.0.0.1/32",
"IpProtocol": "tcp"
},
{
"IpProtocol": "tcp",
"FromPort": 6379,
"ToPort": 6379,
"CidrIp": "127.0.0.1/0"
}
],
"SecurityGroupEgress": [
{
"ToPort": 22,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp",
"FromPort": 22
}
]
}
},
"HTTPALBListener": {
"Properties": {
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": "IPTargetGroup"
}
],
"LoadBalancerArn": "ApplicationLoadBalancer",
"Port": 80,
"Protocol": "HTTP"
},
"Type": "AWS::ElasticLoadBalancingV2::Listener"
},
"IPTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"HealthCheckIntervalSeconds": 10,
"HealthCheckPath": "/health/check",
"HealthCheckProtocol": "HTTP",
"HealthyThresholdCount": 2,
"VpcId": "my-vpc",
"TargetType": "ip",
"Matcher": {
"HttpCode": "200"
},
"UnhealthyThresholdCount": 2,
"Port": 80,
"Protocol": "HTTP",
"HealthCheckTimeoutSeconds": 5
}
},
"TestListenerRule1": {
"Type": "AWS::ElasticLoadBalancingV2::ListenerRule",
"Properties": {
"Priority": 1,
"ListenerArn": "HTTPALBListener",
"Conditions": [
{
"Values": [
"test1.checkmarx.com"
],
"Field": "host-header"
}
],
"Actions": [
{
"Type": "forward",
"TargetGroupArn": "IPTargetGroup",
"Order": 1,
"ForwardConfig": {
"TargetGroups": [
{
"TargetGroupArn": "IPTargetGroup",
"Weight": 1
}
],
"TargetGroupStickinessConfig": {
"Enabled": false
}
}
}
]
}
}
}
}
Positive test num. 7 - json file
{
"Resources": {
"GatewayLoadBalancerListenerCert": {
"Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
"Properties": {
"Certificates": [
{
"CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...."
}
],
"ListenerArn": "GatewayLoadBalancerListener"
}
},
"GatewayLoadBalancer": {
"Properties": {
"Name": "my-gateway-load-balancer",
"Scheme": "internet-facing",
"Type": "gateway",
"Subnets": "MySubnet"
},
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"
},
"InstancesSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "127.0.0.1/32"
},
{
"ToPort": 636,
"CidrIp": "127.0.0.1/0",
"IpProtocol": "tcp",
"FromPort": 636
}
],
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22
}
]
}
},
"EC2Instance01": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": "t3.2xlarge",
"SecurityGroups": [
"InstancesSecGroup"
],
"KeyName": "my-rsa-key",
"ImageId": "ami-79fd7eee"
}
},
"EC2Instance02": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": "t3.2xlarge",
"SecurityGroups": [
"InstancesSecGroup"
],
"KeyName": "my-rsa-key",
"ImageId": "ami-79fd7eee"
}
},
"GatewayLoadBalancerTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"TargetGroupAttributes": [
{
"Key": "deregistration_delay.timeout_seconds",
"Value": "60"
}
],
"Targets": [
{
"Id": "EC2Instance01",
"Port": 443
},
{
"Id": "EC2Instance02",
"Port": 443
}
],
"Tags": [
{
"Key": "Name",
"Value": "t10-networklb-target"
}
],
"Name": "t10-networklb-target",
"Port": 443,
"Protocol": "TCP",
"VpcId": "t10-vpc-id"
}
},
"GatewayLoadBalancerListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": "GatewayLoadBalancerTargetGroup"
}
],
"LoadBalancerArn": "GatewayLoadBalancer",
"Port": 443,
"Protocol": "TCP"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Parameters": {
"MySubnet": {
"Description": "My subnet",
"Type": "List\u003cString\u003e"
}
}
}
Positive test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Parameters": {
"MySubnet": {
"Description": "My subnet",
"Type": "List\u003cString\u003e"
}
},
"Resources": {
"EC2Instance02": {
"Type": "AWS::EC2::Instance",
"Properties": {
"KeyName": "my-rsa-key",
"ImageId": "ami-79fd7eee",
"InstanceType": "t3.2xlarge",
"SecurityGroups": [
"ELBInstanceSecGroup"
]
}
},
"NetworkLoadBalancerTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"Targets": [
{
"Id": "EC2Instance01",
"Port": 443
},
{
"Id": "EC2Instance02",
"Port": 443
}
],
"Tags": [
{
"Key": "Name",
"Value": "t10-networklb-target"
}
],
"Name": "t10-networklb-target",
"Port": 443,
"Protocol": "TCP",
"VpcId": "t10-vpc-id",
"TargetGroupAttributes": [
{
"Key": "deregistration_delay.timeout_seconds",
"Value": "60"
}
]
}
},
"NetworkLoadBalancerListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"Port": 443,
"Protocol": "TCP",
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": "NetworkLoadBalancerTargetGroup"
}
],
"LoadBalancerArn": "NetworkLoadBalancer"
}
},
"NetworkLoadBalancerListenerCert": {
"Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
"Properties": {
"Certificates": [
{
"CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...."
}
],
"ListenerArn": "NetworkLoadBalancerListener"
}
},
"NetworkLoadBalancer": {
"Properties": {
"Tags": [
{
"Value": "t10-networklb",
"Key": "Name"
}
],
"Name": "t10-networkloadbalancer",
"Scheme": "internet-facing",
"Subnets": "MySubnet",
"Type": "network"
},
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"
},
"ELBInstanceSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"CidrIp": "127.0.0.1/32",
"IpProtocol": "tcp",
"FromPort": 81,
"ToPort": 80
},
{
"FromPort": 27017,
"ToPort": 27018,
"CidrIp": "127.0.0.1/0",
"IpProtocol": "tcp"
}
],
"SecurityGroupEgress": [
{
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp"
}
]
}
},
"EC2Instance01": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": "t3.2xlarge",
"SecurityGroups": [
"ELBInstanceSecGroup"
],
"KeyName": "my-rsa-key",
"ImageId": "ami-79fd7eee"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Scheme: internet-facing
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTP
LoadBalancerPort: '443'
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '2'
UnhealthyThreshold: '3'
Interval: '10'
Timeout: '5'
SecurityGroups:
[ !Ref LBNegativeSecGroup01 ]
Policies:
- PolicyName: My-SSLNegotiation-Policy
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: Reference-Security-Policy
Value: ELBSecurityPolicy-TLS-1-2-2017-01
LBNegativeSecGroup01:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and ssh
VpcId: my-vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 127.0.0.1/32
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 127.0.0.1/32
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
MySubnets:
Description: "My subnet"
Type: List<String>
Resources:
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: ip-target-alb
Subnets: !Ref MySubnets
SecurityGroups:
- !Ref ALBNegativeSecGroup
Tags:
- Key: Name
Value: ip-target-alb
ALBNegativeSecGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and ssh
VpcId: my-vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 127.0.0.1/32
- IpProtocol: tcp
FromPort: 77
ToPort: 77
CidrIp: 127.0.0.1/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
HTTPALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
LoadBalancerArn: !Ref ApplicationLoadBalancer
Port: 80
Protocol: HTTP
DefaultActions:
- Type: forward
TargetGroupArn: !Ref IPTargetGroup
IPTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
VpcId: my-vpc
Port: 80
Protocol: HTTP
TargetType: ip
Matcher:
HttpCode: '200'
HealthCheckIntervalSeconds: 10
HealthCheckPath: /health/check
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 2
UnhealthyThresholdCount: 2
TestListenerRule1:
Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
Properties:
Priority: 1
ListenerArn: !Ref HTTPALBListener
Conditions:
- Field: "host-header"
Values:
- "test1.checkmarx.com"
Actions:
- Type: "forward"
TargetGroupArn: !Ref IPTargetGroup
Order: 1
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref IPTargetGroup
Weight: 1
TargetGroupStickinessConfig:
Enabled: false
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Parameters:
MySubnet:
Description: "My subnet"
Type: List<String>
Resources:
NetworkLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: t10-networkloadbalancer
Scheme: internet-facing
Subnets: !Ref MySubnet
Type: network
Tags:
- Key: Name
Value: t10-networklb
InstancesNegativeSecGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http and ssh
VpcId: my-vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 127.0.0.1/32
- IpProtocol: tcp
FromPort: 77
ToPort: 77
CidrIp: 127.0.0.1/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
EC2Instance01:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.2xlarge
SecurityGroups: [!Ref 'InstancesNegativeSecGroup']
KeyName: my-rsa-key
ImageId: ami-79fd7eee
EC2Instance02:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.2xlarge
SecurityGroups: [!Ref 'InstancesNegativeSecGroup']
KeyName: my-rsa-key
ImageId: ami-79fd7eee
NetworkLoadBalancerTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: t10-networklb-target
Port: 443
Protocol: TCP
VpcId: t10-vpc-id
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: 60
Targets:
- Id: !Ref EC2Instance01
Port: 443
- Id: !Ref EC2Instance02
Port: 443
Tags:
- Key: Name
Value: t10-networklb-target
NetworkLoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup
LoadBalancerArn: !Ref NetworkLoadBalancer
Port: 443
Protocol: TCP
NetworkLoadBalancerListenerCert:
Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
Properties:
Certificates:
- CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456....
ListenerArn: !Ref NetworkLoadBalancerListener
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"HealthCheck": {
"UnhealthyThreshold": "3",
"Interval": "10",
"Timeout": "5",
"Target": "HTTP:80/",
"HealthyThreshold": "2"
},
"SecurityGroups": [
"LBNegativeSecGroup01"
],
"Policies": [
{
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{
"Name": "Reference-Security-Policy",
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
}
],
"PolicyName": "My-SSLNegotiation-Policy"
}
],
"AvailabilityZones": [
"us-east-2a"
],
"CrossZone": true,
"Scheme": "internet-facing",
"Listeners": [
{
"LoadBalancerPort": "443",
"Protocol": "HTTPS",
"PolicyNames": [
"My-SSLNegotiation-Policy"
],
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80",
"InstanceProtocol": "HTTP"
}
]
}
},
"LBNegativeSecGroup01": {
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "127.0.0.1/32"
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "127.0.0.1/32"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
]
},
"Type": "AWS::EC2::SecurityGroup"
}
}
}
Negative test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Parameters": {
"MySubnets": {
"Description": "My subnet",
"Type": "List\u003cString\u003e"
}
},
"Resources": {
"IPTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"VpcId": "my-vpc",
"Protocol": "HTTP",
"HealthCheckIntervalSeconds": 10,
"UnhealthyThresholdCount": 2,
"Port": 80,
"TargetType": "ip",
"Matcher": {
"HttpCode": "200"
},
"HealthCheckPath": "/health/check",
"HealthCheckProtocol": "HTTP",
"HealthCheckTimeoutSeconds": 5,
"HealthyThresholdCount": 2
}
},
"TestListenerRule1": {
"Properties": {
"Priority": 1,
"ListenerArn": "HTTPALBListener",
"Conditions": [
{
"Field": "host-header",
"Values": [
"test1.checkmarx.com"
]
}
],
"Actions": [
{
"TargetGroupArn": "IPTargetGroup",
"Order": 1,
"ForwardConfig": {
"TargetGroups": [
{
"TargetGroupArn": "IPTargetGroup",
"Weight": 1
}
],
"TargetGroupStickinessConfig": {
"Enabled": false
}
},
"Type": "forward"
}
]
},
"Type": "AWS::ElasticLoadBalancingV2::ListenerRule"
},
"ApplicationLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "ip-target-alb",
"Subnets": "MySubnets",
"SecurityGroups": [
"ALBNegativeSecGroup"
],
"Tags": [
{
"Key": "Name",
"Value": "ip-target-alb"
}
]
}
},
"ALBNegativeSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "127.0.0.1/32"
},
{
"IpProtocol": "tcp",
"FromPort": 77,
"ToPort": 77,
"CidrIp": "127.0.0.1/0"
}
],
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22
}
]
}
},
"HTTPALBListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"LoadBalancerArn": "ApplicationLoadBalancer",
"Port": 80,
"Protocol": "HTTP",
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": "IPTargetGroup"
}
]
}
}
}
}
Negative test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Parameters": {
"MySubnet": {
"Type": "List\u003cString\u003e",
"Description": "My subnet"
}
},
"Resources": {
"InstancesNegativeSecGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http and ssh",
"VpcId": "my-vpc",
"SecurityGroupIngress": [
{
"CidrIp": "127.0.0.1/32",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22
},
{
"IpProtocol": "tcp",
"FromPort": 77,
"ToPort": 77,
"CidrIp": "127.0.0.1/0"
}
],
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22
}
]
}
},
"EC2Instance01": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": "t3.2xlarge",
"SecurityGroups": [
"InstancesNegativeSecGroup"
],
"KeyName": "my-rsa-key",
"ImageId": "ami-79fd7eee"
}
},
"EC2Instance02": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": "t3.2xlarge",
"SecurityGroups": [
"InstancesNegativeSecGroup"
],
"KeyName": "my-rsa-key",
"ImageId": "ami-79fd7eee"
}
},
"NetworkLoadBalancerTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"Name": "t10-networklb-target",
"Port": 443,
"Protocol": "TCP",
"VpcId": "t10-vpc-id",
"TargetGroupAttributes": [
{
"Value": 60,
"Key": "deregistration_delay.timeout_seconds"
}
],
"Targets": [
{
"Id": "EC2Instance01",
"Port": 443
},
{
"Id": "EC2Instance02",
"Port": 443
}
],
"Tags": [
{
"Key": "Name",
"Value": "t10-networklb-target"
}
]
}
},
"NetworkLoadBalancerListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": "NetworkLoadBalancerTargetGroup"
}
],
"LoadBalancerArn": "NetworkLoadBalancer",
"Port": 443,
"Protocol": "TCP"
}
},
"NetworkLoadBalancerListenerCert": {
"Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
"Properties": {
"Certificates": [
{
"CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...."
}
],
"ListenerArn": "NetworkLoadBalancerListener"
}
},
"NetworkLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "t10-networkloadbalancer",
"Scheme": "internet-facing",
"Subnets": "MySubnet",
"Type": "network",
"Tags": [
{
"Key": "Name",
"Value": "t10-networklb"
}
]
}
}
}
}