LoFP / repurposing of an elb or alb to serve a different or additional application

Techniques

Sample rules

LoadBalancer Security Group Modification

Description

Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration that allows more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.

Detection logic

condition: selection
selection:
  eventName:
  - ApplySecurityGroupsToLoadBalancer
  - SetSecurityGroups
  eventSource: elasticloadbalancing.amazonaws.com
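
The selection above, evaluated over CloudTrail-style records, as an added example that is not part of the original rule or the LoFP project. It returns the actor, load balancer and security groups for each hit so an analyst can compare them against a planned repurposing of the load balancer. The records are constructed, and the requestParameters field names (loadBalancerName, loadBalancerArn, securityGroups) are assumptions about the log shape.

```python
# Page's selection. Sigma semantics: values in a list are OR-ed, separate
# fields are AND-ed, and plain string comparison ignores case.
SELECTION = {
    "eventSource": ["elasticloadbalancing.amazonaws.com"],
    "eventName": ["ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups"],
}

def matches(event, selection=SELECTION):
    """True when every selected field equals one of its allowed values."""
    for field, allowed in selection.items():
        value = event.get(field)
        if not isinstance(value, str):
            return False
        if value.lower() not in {a.lower() for a in allowed}:
            return False
    return True

def triage(events):
    """One summary row per matching event, for analyst review."""
    rows = []
    for ev in events:
        if not matches(ev):
            continue
        params = ev.get("requestParameters") or {}
        rows.append({
            "time": ev.get("eventTime"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "event": ev["eventName"],
            # Assumed field names: classic ELB is named, ALB is addressed by ARN.
            "load_balancer": params.get("loadBalancerName") or params.get("loadBalancerArn"),
            "security_groups": sorted(params.get("securityGroups") or []),
        })
    return rows

def _rec(time, source, name, params):
    """Build a constructed CloudTrail-style record (not real log data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-deployer"},
            "requestParameters": params}

ELB = "elasticloadbalancing.amazonaws.com"
SAMPLE = [
    _rec("2024-01-01T10:00:00Z", ELB, "SetSecurityGroups",
         {"loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0000000000000000", "securityGroups": ["sg-0bbb", "sg-0aaa"]}),
    _rec("2024-01-01T10:05:00Z", ELB, "ApplySecurityGroupsToLoadBalancer",
         {"loadBalancerName": "example-classic", "securityGroups": ["sg-0ccc"]}),
    _rec("2024-01-01T10:06:00Z", ELB, "ModifyLoadBalancerAttributes", {}),
    _rec("2024-01-01T10:07:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", {}),
]
```

Calling triage(SAMPLE) yields two rows: the ALB and classic ELB security group changes. The other two records fail the eventName or eventSource condition.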