ALB Deletion Protection Disabled
- Query id: afecd1f1-6378-4f7e-bb3b-60c35801fdd4
- Query name: ALB Deletion Protection Disabled
- Platform: Terraform
- Severity: Medium
- Category: Insecure Configurations
- URL: Github
Description¶
Application Load Balancer should have deletion protection enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_alb" "positive1" {
name = "test-lb-tf"
internal = false
load_balancer_type = "network"
subnets = aws_subnet.public.*.id
enable_deletion_protection = false
tags = {
Environment = "production"
}
}
Positive test num. 2 - tf file
resource "aws_alb" "positive2" {
name = "test-lb-tf"
internal = false
load_balancer_type = "network"
subnets = aws_subnet.public.*.id
tags = {
Environment = "production"
}
}
Positive test num. 3 - tf file
resource "aws_lb" "positive3" {
name = "test-lb-tf"
internal = false
load_balancer_type = "network"
subnets = aws_subnet.public.*.id
enable_deletion_protection = false
tags = {
Environment = "production"
}
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "~> 6.0"
name = "my-alb"
load_balancer_type = "application"
enable_deletion_protection = false
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name_prefix = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
targets = [
{
target_id = "i-0123456789abcdefg"
port = 80
},
{
target_id = "i-a1b2c3d4e5f6g7h8i"
port = 8080
}
]
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}
Positive test num. 6 - tf file
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "~> 6.0"
name = "my-alb"
load_balancer_type = "application"
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name_prefix = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
targets = [
{
target_id = "i-0123456789abcdefg"
port = 80
},
{
target_id = "i-a1b2c3d4e5f6g7h8i"
port = 8080
}
]
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_alb" "negative1" {
name = "test-lb-tf"
internal = false
load_balancer_type = "network"
subnets = aws_subnet.public.*.id
enable_deletion_protection = true
tags = {
Environment = "production"
}
}
Negative test num. 2 - tf file
resource "aws_lb" "negative2" {
name = "test-lb-tf"
internal = false
load_balancer_type = "network"
subnets = aws_subnet.public.*.id
enable_deletion_protection = true
tags = {
Environment = "production"
}
}
Negative test num. 3 - tf file
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "~> 6.0"
name = "my-alb"
load_balancer_type = "application"
enable_deletion_protection = true
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name_prefix = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
targets = [
{
target_id = "i-0123456789abcdefg"
port = 80
},
{
target_id = "i-a1b2c3d4e5f6g7h8i"
port = 8080
}
]
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}