Load Balancer has deletion protection disabled
ID | lb_deletion_disabled |
Severity | high |
Vendor | AWS |
Resource | Networking |
Tags | reachable |
Description
Enabling deletion protection on an AWS Elastic Load Balancing (ELBv2) load balancer makes DeleteLoadBalancer calls fail until the attribute is explicitly turned off again, so a single accidental or malicious operation cannot remove the load balancer and take down the services behind it. It is a guardrail rather than an access control: a principal allowed to modify load balancer attributes can disable it first, so pair it with tight IAM permissions on elasticloadbalancing:ModifyLoadBalancerAttributes and elasticloadbalancing:DeleteLoadBalancer.
The detector reports load balancers with deletion protection disabled, which is the default when the deletion_protection.enabled attribute is not set explicitly.
For more details about deletion protection, see Deletion protection in AWS Load Balancers.
Examples
CloudFormation
{
"Resources": {
"ApplicationLoadBalancer": { (1)
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"
}
}
}
1 | The deletion_protection.enabled attribute is missing, so the load balancer keeps the default: deletion protection disabled. |
Resources:
ApplicationLoadBalancer: (1)
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
1 | The deletion_protection.enabled attribute is missing, so the load balancer keeps the default: deletion protection disabled. |
Mitigation / Fix
Buildtime
CloudFormation
{
"Resources": {
"ApplicationLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"LoadBalancerAttributes": [
{
"Key": "idle_timeout.timeout_seconds",
"Value": "180"
},
{
"Key": "routing.http2.enabled",
"Value": "true"
},
{
"Key": "deletion_protection.enabled", (1)
"Value": "true"
}
]
}
}
}
}
1 | deletion_protection.enabled set to "true" enables deletion protection. Attribute values are strings, so quote them rather than passing a JSON boolean. |
Resources:
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
LoadBalancerAttributes:
- Key: deletion_protection.enabled (1)
Value: "true"  # attribute values are strings; an unquoted true is parsed as a YAML boolean
1 | deletion_protection.enabled set to "true" enables deletion protection. |
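The detector's buildtime check and the matching runtime check and remediation, as an added Python example that is not the detector's, AWS's or boto3's own code. It applies the same rule the Description and Mitigation sections describe (attribute missing or not "true" means unprotected) to a CloudFormation template parsed into a dict and to the Attributes list returned by the ELBv2 DescribeLoadBalancerAttributes API, then enables the attribute with ModifyLoadBalancerAttributes. The sample template, the ARNs and the FakeElbv2Client are constructed so the example runs offline; with a real client, pass boto3.client("elbv2") instead.

```python
"""Find ELBv2 load balancers without deletion protection (buildtime and runtime)."""
import json

LB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"
ATTR_KEY = "deletion_protection.enabled"


def deletion_protection_enabled(attributes):
    """Evaluate a Key/Value attribute list (CloudFormation LoadBalancerAttributes
    or the API's Attributes). A missing key is the AWS default: disabled."""
    for attr in attributes or []:
        if attr.get("Key") == ATTR_KEY:
            # Tolerate a YAML boolean as well as the string "true".
            return str(attr.get("Value", "")).strip().lower() == "true"
    return False


def unprotected_in_template(template):
    """Buildtime check: logical IDs of ELBv2 load balancers in a parsed
    CloudFormation template whose attribute is missing or not 'true'."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != LB_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not deletion_protection_enabled(props.get("LoadBalancerAttributes")):
            findings.append(logical_id)
    return findings


def unprotected_in_account(elbv2):
    """Runtime check. `elbv2` is boto3.client("elbv2") or any object exposing the
    same describe_load_balancers / describe_load_balancer_attributes methods."""
    findings = []
    for lb in elbv2.describe_load_balancers()["LoadBalancers"]:
        arn = lb["LoadBalancerArn"]
        attrs = elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]
        if not deletion_protection_enabled(attrs):
            findings.append(arn)
    return findings


def enable_deletion_protection(elbv2, arn):
    """Remediation: the same call `aws elbv2 modify-load-balancer-attributes` makes."""
    return elbv2.modify_load_balancer_attributes(
        LoadBalancerArn=arn,
        Attributes=[{"Key": ATTR_KEY, "Value": "true"}],
    )


# Constructed sample template: one unprotected and one protected load balancer.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "PublicAlb": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"},
    "InternalAlb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"LoadBalancerAttributes": [
        {"Key": "deletion_protection.enabled", "Value": "true"}]}
    },
    "WebBucket": {"Type": "AWS::S3::Bucket"}
  }
}""")


class FakeElbv2Client:
    """Constructed offline stand-in for boto3.client("elbv2"); mirrors the
    response shapes of the three ELBv2 API calls used above. ARNs are made up."""

    def __init__(self):
        self._attrs = {
            "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef":
                [{"Key": ATTR_KEY, "Value": "true"}],
            "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/api/fedcba9876543210":
                [{"Key": "idle_timeout.timeout_seconds", "Value": "60"}],
        }

    def describe_load_balancers(self):
        return {"LoadBalancers": [{"LoadBalancerArn": a} for a in self._attrs]}

    def describe_load_balancer_attributes(self, LoadBalancerArn):
        return {"Attributes": list(self._attrs[LoadBalancerArn])}

    def modify_load_balancer_attributes(self, LoadBalancerArn, Attributes):
        merged = {a["Key"]: a["Value"] for a in self._attrs[LoadBalancerArn]}
        merged.update({a["Key"]: a["Value"] for a in Attributes})
        self._attrs[LoadBalancerArn] = [{"Key": k, "Value": v} for k, v in merged.items()]
        return {"Attributes": list(self._attrs[LoadBalancerArn])}


if __name__ == "__main__":
    print("template findings:", unprotected_in_template(SAMPLE_TEMPLATE))
    client = FakeElbv2Client()
    for arn in unprotected_in_account(client):
        print("enabling deletion protection on", arn)
        enable_deletion_protection(client, arn)
    print("remaining:", unprotected_in_account(client))
```

The runtime function deliberately treats only the string "true" as protected: the API returns attribute values as strings, and anything else (missing key, "false", a typo) is reported, which matches the detector's default-is-disabled rule.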