All Products
Search
Document Center

Cloud Config:alb-acl-no-has-specified-ip

Last Updated:Jun 22, 2026

Evaluates whether the access control whitelists of all listeners on each Application Load Balancer (ALB) instance exclude specified IP addresses or CIDR blocks. If the whitelists exclude the specified addresses, the evaluation result is Compliant.

Scenarios

Use this rule when you need to add specific IP addresses or CIDR blocks to the access control whitelist of an ALB listener. This reduces network exposure and helps secure your cloud environment.

Risk level

Default risk level: high.

You can change the risk level when you configure this rule.

Compliance evaluation logic

  • If the access control whitelists of the listeners of each ALB instance exclude specified IP addresses or CIDR blocks, the evaluation result is Compliant.
  • If an access control whitelist of any ALB listener includes a specified IP address or CIDR block, the evaluation result is Incompliant. For remediation steps, see Incompliance remediation.

Rule details

Item Description
Rule name alb-acl-no-has-specified-ip
Rule identifier alb-acl-no-has-specified-ip
Tag ALB and LoadBalancer
Automatic remediation Not supported
Trigger type Periodic execution
Evaluation frequency Interval of 24 hours
Supported resource type ALB instances
Input parameter IpAddress

Incompliance remediation

Modify the access control whitelists of all listeners on the ALB instance to ensure that the IP addresses or CIDR blocks in the whitelists are different from those specified in Cloud Config. For more information, see Access control.