Checks whether the access control whitelists of the listeners of each Application Load Balancer (ALB) instance exclude specified IP addresses or CIDR blocks. If so, the evaluation result is Compliant.
Scenarios
This rule applies when you need to add specific IP addresses or CIDR blocks to the access control whitelist of a listener of an ALB instance. This helps reduce network exposure and ensures the network security of cloud environments.
Risk level
Default risk level: high.
When you configure this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the access control whitelists of the listeners of each ALB instance exclude specified IP addresses or CIDR blocks, the evaluation result is Compliant.
- If an access control whitelist of a listener of an ALB instance includes a specified IP address or CIDR block, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
|---|---|
| Rule name | alb-acl-no-has-specified-ip |
| Rule identifier | alb-acl-no-has-specified-ip |
| Tag | ALB and LoadBalancer |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | ALB instances |
| Input parameter | IpAddress |
Incompliance remediation
Modify the access control whitelists of all listeners of an ALB instance. Make sure that the IP addresses or CIDR blocks in the access control whitelists are different from the IP addresses or CIDR blocks that are specified in Cloud Config. For more information, see Access control.