Findings

AWS Load Balancer missing deletion protection

Updated: June 19, 2025

findings cloud based findings api finding

Description

Severity: Info

The Application, Gateway, or Network Load Balancer currently has deletion protection disabled.

Deletion protection is a critical safeguard that prevents accidental or unauthorized deletion of the load balancer, which could disrupt traffic routing and result in downtime for connected services. Without deletion protection enabled, a load balancer can be inadvertently removed, leading to service outages, potential data loss, or disrupted communication between users and backend services.

Example Attack

An administrator mistakenly deletes a load balancer during routine maintenance without realizing its importance. This results in:

  • Immediate disruption of all traffic routing through the load balancer.
  • Downtime for services relying on the load balancer to connect users with backend resources.
  • Loss of user sessions and potential revenue impact for critical services.

Remediation

Enable deletion protection on the Application, Gateway, or Network Load Balancer to prevent accidental or malicious deletion. This can typically be done via the load balancer settings in your cloud provider's management console or using the corresponding API/CLI commands.

Security Frameworks

NIST 800-53.r5

NIST-CA-9(1): Internal System Connections | Compliance Checks

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.

NIST-CM-2: Baseline Configuration

  1. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
  2. Review and update the baseline configuration of the system:
  1. [Assignment: organization-defined frequency];
  2. When required due to [Assignment: organization-defined circumstances]; and
  3. When system components are installed or upgraded.

NIST-CM-2(2): Baseline Configuration | Automation Support for Accuracy and Currency

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].

NIST-CM-3: Configuration Change Control

  1. Determine and document the types of changes to the system that are configuration-controlled;
  2. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
  3. Document configuration change decisions associated with the system;
  4. Implement approved configuration-controlled changes to the system;
  5. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
  6. Monitor and review activities associated with configuration-controlled changes to the system; and
  7. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].

NIST-SC-5(2): Denial-of-service Protection | Capacity, Bandwidth, and Redundancy

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.

Need help?

Contact FireTail support

Previous (Findings - Cloud based findings)
AWS ALB should redirect HTTP to HTTPS
Next (Findings - Design based findings)
API key in query string