Checks whether an access control whitelist of a listener of an Application Load Balancer (ALB) instance includes specified IP addresses or CIDR blocks. If so, the evaluation result is Compliant.

Scenarios

This rule applies when you need to add IP addresses or CIDR blocks to an access control whitelist of a listener of an ALB instance. This helps reduce network exposure and ensures the network security of cloud environments.

Risk level

Default risk level: high.

When you configure this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If an access control whitelist of a listener of an ALB instance includes specified IP addresses or CIDR blocks, the evaluation result is Compliant.
  • If all access control whitelists of the listeners of each ALB instance exclude specified IP addresses or CIDR blocks, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.

Rule details

Item Description
Rule name alb-acl-has-specified-ip
Rule identifier alb-acl-has-specified-ip
Tag ALB and LoadBalancer
Automatic remediation Not supported
Trigger type Periodic execution
Evaluation frequency Interval of 24 hours
Supported resource type ALB instances
Input parameter IpAddress

Incompliance remediation

Modify an access control whitelist of a listener of an ALB instance. Make sure that the IP addresses or CIDR blocks in the access control whitelist are the same as the IP addresses or CIDR blocks that are specified in Cloud Config. For more information, see Access control.