ELBv2 ALB Security Group Check in Cloud Conformity


We use Cloud Conformity as a compliance check tool against our AWS environments. Recently, there is a new check failed – ELBv2 ALB Security Group, and the given reason is Load Balancer [alb-d-LoadB-XXXXXXXX] is not associated with valid and secure security groups.

I have confirmed that the ALB is associated with a valid and security group, as it exactly matches AWS Recommended rules.

By reading Cloud Conformity ELBv2 ALB Security Group KB, I am 100% sure this is a BUG in this rule. According to what is written as below, they think the ELB security group outbound port should the same as the inbound port. Really? I don’t think so. As a typical scenario, the http SSL traffics terminate at ALB (e.g listener is 443), and the traffics between ALB and EC2 are http (e.g EC2 listener is 80).

I have raised a bug report with them. Any updates will be posted here.

Update – 30/07/2020

Cloud Confirmity has confirmed this BUG, and will fix it.

Reply from Cloud Conformity

Thank you for investigating rule ELBv2-006 thoroughly. We have discussed your input, and agree there are changes required to correct the implementation around the outbound logic.

Thank you for your patience, and our apologies for any inconvenience. We recommend that you disable this rule in the mean-time until we introduce the proposed changes.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s