ELB listener security groups should not be set to TCP all


ELB security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.

Remediation Steps

AWS Console

  • Navigate to EC2.

  • In the left navigation, select Load Balancers.

  • Select the desired load balancer.

  • In the Description tab under Security, take note of the security groups associated with the load balancer.

  • In the left navigation, select Security Groups.

  • Search and select the security groups from the previous step.

  • Click the Inbound tab. Click Edit and remove any references to TCP all.

  • Click Save.

  • Click the Outbound tab. Click Edit and remove any references to TCP all.

  • Click Save.

AWS CLI

  • List all load balancers and their attributes:

    • aws elb describe-load-balancers

    • Make note of each Security Group ID associated with each ELB.

  • Get security group details:

    • aws ec2 describe-security-groups --group-ids <group id>

    • In the output, a rule with IpProtocol tcp, FromPort 0 and ToPort 65535 is a rule of type ALL TCP. If any such rule is present, run the following commands to remove it.

  • Remove the rules that open all TCP ports (ingress and egress):

    • aws ec2 revoke-security-group-ingress --protocol tcp --port 0-65535 --cidr <cidr block> --group-id <group id>

    • aws ec2 revoke-security-group-egress --protocol tcp --port 0-65535 --cidr <cidr block> --group-id <group id>
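The CLI steps above amount to a small detection routine: read the JSON that `aws elb describe-load-balancers` and `aws ec2 describe-security-groups` print, flag every rule with protocol tcp and port range 0-65535, and emit the matching `revoke-security-group-ingress`/`egress` command. The following Python is an added example, not part of the original page or of any AWS tooling; the two JSON documents it scans are constructed samples (the group id `sg-0123456789abcdef0` is a placeholder), and it runs offline on them. It also flags rules with IpProtocol `-1` (All traffic), which are broader than All TCP but are not matched by the tcp-specific revoke command on this page and have to be removed separately.

```python
"""Detect ELB security-group rules that open all TCP ports and render the revoke commands.

Added example (not from the page or AWS). Input shapes follow the AWS CLI JSON output of
`aws elb describe-load-balancers` and `aws ec2 describe-security-groups`; sample data below
is constructed, not captured from a real account.
"""
import json

ALL_TCP_FROM, ALL_TCP_TO = 0, 65535

# Constructed sample of `aws elb describe-load-balancers` (classic ELB output shape).
SAMPLE_ELB_OUTPUT = {
    "LoadBalancerDescriptions": [
        {"LoadBalancerName": "web-elb-example",            # constructed name
         "SecurityGroups": ["sg-0123456789abcdef0"]},      # constructed placeholder id
    ]
}

# Constructed sample of `aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0`.
SAMPLE_SG_OUTPUT = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "elb-sg-example",
            "IpPermissions": [
                # ALL TCP from anywhere: the rule this page tells you to remove.
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                # HTTPS only: fine.
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                # "-1" means all protocols and ports; no FromPort/ToPort keys are present.
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        }
    ]
}


def _load(doc):
    """Accept either the raw CLI text or an already-parsed dict."""
    return json.loads(doc) if isinstance(doc, str) else doc


def elb_security_group_ids(describe_elb_output):
    """Step 1: map each load balancer name to the security group ids attached to it."""
    data = _load(describe_elb_output)
    return {lb["LoadBalancerName"]: list(lb.get("SecurityGroups", []))
            for lb in data.get("LoadBalancerDescriptions", [])}


def is_all_tcp(perm):
    """The rule the console shows as type 'All TCP': protocol tcp, ports 0-65535."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == ALL_TCP_FROM
            and perm.get("ToPort") == ALL_TCP_TO)


def find_overly_open_rules(describe_sg_output):
    """Step 2: return one finding per ALL TCP or All-traffic rule, in each direction."""
    data = _load(describe_sg_output)
    findings = []
    for group in data.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in group.get(key, []):
                if is_all_tcp(perm):
                    kind = "all-tcp"
                elif perm.get("IpProtocol") == "-1":
                    kind = "all-traffic"
                else:
                    continue
                # --cidr on the revoke commands takes IPv4 ranges. IPv6 ranges and
                # security-group sources need --ip-permissions, so keep them separate.
                cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                other = ([r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                         + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])
                findings.append({"group_id": group["GroupId"], "direction": direction,
                                 "kind": kind, "cidrs": cidrs, "other_sources": other})
    return findings


def revoke_commands(findings):
    """Step 3: the page's revoke commands, one per ALL TCP rule and IPv4 CIDR."""
    cmds = []
    for f in findings:
        if f["kind"] != "all-tcp":
            continue  # a "-1" rule is not matched by --protocol tcp --port 0-65535
        for cidr in f["cidrs"]:
            cmds.append(f"aws ec2 revoke-security-group-{f['direction']} --protocol tcp "
                        f"--port 0-65535 --cidr {cidr} --group-id {f['group_id']}")
    return cmds


if __name__ == "__main__":
    for lb, sgs in elb_security_group_ids(SAMPLE_ELB_OUTPUT).items():
        print(f"{lb}: security groups {sgs}")
    found = find_overly_open_rules(SAMPLE_SG_OUTPUT)
    for f in found:
        print(f"{f['group_id']} {f['direction']} {f['kind']} cidrs={f['cidrs']}")
    print("\n".join(revoke_commands(found)))
```

In real use you would feed the script the output of the two CLI commands (for example `aws ec2 describe-security-groups --group-ids <group id> --output json`) instead of the constructed samples. The "all-traffic" findings are printed but get no command, since the page's tcp/0-65535 revoke does not remove a `-1` rule; review and remove those rules separately.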

Terraform

  • Ensure that the aws_security_group associated with a load balancer does not have an ingress or egress block with protocol "tcp", from_port set to 0 and to_port set to 65535.

Example Configuration

resource "aws_security_group" "example" {
  # Allow only the port the listener actually serves, not the whole 0-65535 range
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # other required fields here
}

resource "aws_lb" "test" {
  security_groups = [aws_security_group.example.id]
  # other required fields here
}