AWS Load Balancer missing deletion protection

firetail:aws-alb-deletion-protection-disabled

Type:

CSPM

Rule Severity:

Info

The Application, Gateway, or Network Load Balancer currently has deletion protection disabled.

Deletion protection is a critical safeguard that prevents accidental or unauthorized deletion of the load balancer, which could disrupt traffic routing and result in downtime for connected services. Without deletion protection enabled, a load balancer can be inadvertently removed, leading to service outages, potential data loss, or disrupted communication between users and backend services.

Remediation

Enable deletion protection on the Application, Gateway, or Network Load Balancer to prevent accidental or malicious deletion. This can typically be done via the load balancer settings in your cloud provider's management console or using the corresponding API/CLI commands.
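
As an added example (not FireTail's own code), the following stdlib-only Python audit flags load balancers whose `deletion_protection.enabled` attribute is not `true` and builds the matching `aws elbv2 modify-load-balancer-attributes` command for each; the ARNs and attribute lists are constructed samples shaped like the output of `aws elbv2 describe-load-balancer-attributes`, and the boto3 calls in the comment are what a live run would use instead.

```python
"""Audit and remediate deletion protection on ELBv2 load balancers.

Added example, not FireTail's code. SAMPLE is constructed to mirror the shape
of `aws elbv2 describe-load-balancer-attributes` / boto3
`describe_load_balancer_attributes`; replace it with live data in practice.
"""

ATTR = "deletion_protection.enabled"  # one attribute for ALB, NLB and GWLB

# Constructed sample: {LoadBalancerArn: Attributes list} as ELBv2 returns it.
SAMPLE = {
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/abc123": [
        {"Key": ATTR, "Value": "false"},
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    ],
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/api/def456": [
        {"Key": ATTR, "Value": "true"},
    ],
    # Attribute missing entirely: treat as unprotected, never as compliant.
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/fw/ghi789": [],
}

def is_protected(attributes):
    """True only when deletion_protection.enabled is explicitly 'true'."""
    values = {a["Key"]: a["Value"] for a in attributes}
    return values.get(ATTR, "false").lower() == "true"

def find_unprotected(lb_attributes):
    """ARNs of load balancers that would raise this finding, sorted."""
    return sorted(arn for arn, attrs in lb_attributes.items()
                  if not is_protected(attrs))

def remediation_command(arn):
    """CLI command that turns deletion protection on for one load balancer."""
    return ("aws elbv2 modify-load-balancer-attributes "
            f"--load-balancer-arn {arn} "
            f"--attributes Key={ATTR},Value=true")

def audit(lb_attributes):
    """Map each unprotected ARN to the command that fixes it."""
    return {arn: remediation_command(arn) for arn in find_unprotected(lb_attributes)}

if __name__ == "__main__":
    # Live equivalent with boto3 (not run here):
    #   elbv2 = boto3.client("elbv2")
    #   for lb in elbv2.describe_load_balancers()["LoadBalancers"]:
    #       attrs = elbv2.describe_load_balancer_attributes(
    #           LoadBalancerArn=lb["LoadBalancerArn"])["Attributes"]
    for arn, cmd in audit(SAMPLE).items():
        print(f"UNPROTECTED {arn}\n  fix: {cmd}")
```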

Example Attack Scenario

An administrator mistakenly deletes a load balancer during routine maintenance without realizing its importance. This results in:

  • Immediate disruption of all traffic routing through the load balancer.
  • Downtime for services relying on the load balancer to connect users with backend resources.
  • Loss of user sessions and potential revenue impact for critical services.
