
πŸ›‘οΈ AWS ELB Load Balancer Deletion Protection is disabled🟒

  • Contextual name: 🛡️ Load Balancer Deletion Protection is disabled 🟢
  • ID: /ce/ca/aws/elb/load-balancer-deletion-protection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Logic

Similar Policies

Description

This policy identifies Application, Network, and Gateway Load Balancers that do not have deletion protection enabled.

Deletion Protection should be enabled for all ELBv2 load balancers to help prevent accidental deletion and unintended service disruption.

Rationale​

Load balancers often serve as the primary entry point for application traffic. Accidental deletion can result in immediate and complete service outages for dependent applications. Even in environments managed through automation or Infrastructure as Code (IaC), manual actions performed through the AWS Management Console or AWS CLI can introduce human error.

Enabling Deletion Protection adds an explicit safeguard by requiring an additional verification step before a load balancer can be deleted, helping ensure that critical infrastructure is not decommissioned unintentionally.

Audit​

This policy flags an AWS ELB Load Balancer as INCOMPLIANT if its Additional Attributes include deletion_protection.enabled: false.

Classic Load Balancers are marked as INAPPLICABLE.
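The audit rule above, worked through as an added example (not Cloudaware's own policy code): a pure evaluator that reproduces the INCOMPLIANT / COMPLIANT / INAPPLICABLE outcomes over constructed describe-load-balancer-attributes output, plus an optional boto3 collector. The ARNs, the helper names and the fail-closed handling of a missing attribute are assumptions of the example.

```python
from __future__ import annotations

# Constructed sample: the "Attributes" lists that describe-load-balancer-attributes
# returns, keyed by placeholder ARNs (not real resources).
SAMPLE_ATTRIBUTES = {
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/abc123": [
        {"Key": "deletion_protection.enabled", "Value": "false"},
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    ],
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/api/def456": [
        {"Key": "deletion_protection.enabled", "Value": "true"},
    ],
    # Classic Load Balancer ARNs (legacy elb API) carry no type segment after "loadbalancer/".
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/legacy": [],
}

# ARN path segment -> load balancer type as reported by the elbv2 API.
ARN_TYPES = {"app": "application", "net": "network", "gwy": "gateway"}

def lb_type_from_arn(arn: str) -> str:
    """Read the type from 'loadbalancer/<kind>/<name>/<id>'; no kind means Classic."""
    parts = arn.rsplit(":", 1)[-1].split("/")
    return ARN_TYPES.get(parts[1], "classic") if len(parts) > 2 else "classic"

def evaluate(lb_type: str, attributes: list[dict]) -> str:
    """Apply the page's audit rule to one load balancer."""
    if lb_type == "classic":  # not an ELBv2 resource, so out of scope
        return "INAPPLICABLE"
    attrs = {a["Key"]: str(a["Value"]).lower() for a in attributes}
    # Assumption: an absent attribute is treated like "false" (fail closed).
    if attrs.get("deletion_protection.enabled", "false") == "false":
        return "INCOMPLIANT"
    return "COMPLIANT"

def audit(attributes_by_arn: dict[str, list[dict]]) -> dict[str, str]:
    """Evaluate every load balancer; returns {arn: status}."""
    return {arn: evaluate(lb_type_from_arn(arn), attrs)
            for arn, attrs in attributes_by_arn.items()}

def fetch_attributes(region: str) -> dict[str, list[dict]]:
    """Live collector (needs AWS credentials); boto3 is imported here so the
    evaluation logic above runs without the SDK installed."""
    import boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    out = {}
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            arn = lb["LoadBalancerArn"]
            out[arn] = elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]
    return out
```

Running `audit(fetch_attributes("us-east-1"))` against a real account yields the same status map as `audit(SAMPLE_ATTRIBUTES)` does for the constructed data; the elbv2 API itself never lists Classic Load Balancers, so the INAPPLICABLE branch only matters for mixed inventories.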

Remediation

Enable Deletion Protection for an Elastic Load Balancer

Deletion Protection helps prevent accidental removal of critical load balancing resources and reduces the risk of unintended service outages.

From Command Line

Run the following command to update the load balancer attributes and enable Deletion Protection:

aws elbv2 modify-load-balancer-attributes \
--load-balancer-arn {{load-balancer-arn}} \
--attributes Key=deletion_protection.enabled,Value=true

policy.yaml

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled | 1 | | no data
💼 Cloudaware Framework → 💼 System Configuration | 69 | | no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3147 | | no data
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 22 | | no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H) | 441 | | no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 45 | | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 347 | | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 22 | | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H) | 224 | | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 178 | | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 179 | | no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 49 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 54 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 746 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | 22 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control | 81741 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | 24 | | no data