ELBv1 load balancer cross zone load balancing should be enabled


Having Availability Zone with the Cross-Zone Load Balancing feature enabled for the VPC reduces the risk of failure at a single location as the AWS Elastic Load Balancers distribute the traffic to the other locations.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • For each security group, perform the steps described below.

    • Select the Security Group, click the Inbound Rules tab, and and click Edit rules.

    • Remove any rules that includes ingress from ‘’ to TCP port 80 (HTTP), unless from ELBs.

    • Click Save.

CLI Remediation Steps

  • Remove the inbound rule(s) that permits unrestricted ingress to TCP port 80 from the selected Security Group:

    • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 80 --cidr

  • Optionally add a more restrictive ingress rule to the selected Security Group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 80 --cidr <cidr_block>