AWS Elastic Load Balancer (Classic) with cross-zone load balancing disabled

Description

Cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled Availability Zone, and improves your application's ability to handle the loss of one or more instances. This would also guarantee better fault tolerance and more consistent traffic flow. If one of the availability zones registered with the ELB fails (as result of network outage or power loss), the load balancer with the Cross-Zone Load Balancing activated would act as a traffic guard, stopping any request being sent to the unhealthy zone and routing it to the other zones.

Code Example

resource "aws_elb" "test_success" {
              name               = "foobar-terraform-elb"
              availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
              access_logs {
                bucket        = "foo"
                bucket_prefix = "bar"
                interval      = 60
              }
              listener {
                instance_port     = 8000
                instance_protocol = "http"
                lb_port           = 80
                lb_protocol       = "http"
              }
              listener {
                instance_port      = 8000
                instance_protocol  = "http"
                lb_port            = 443
                lb_protocol        = "https"
                ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
              }
              health_check {
                healthy_threshold   = 2
                unhealthy_threshold = 2
                timeout             = 3
                target              = "HTTP:8000/"
                interval            = 30
              }
              instances                   = [aws_instance.foo.id]
              idle_timeout                = 400
              connection_draining         = true
              connection_draining_timeout = 400
            }
            """)
        resource_conf = hcl_res['resource'][0]['aws_elb']['test_success']
        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.PASSED, scan_result)

    def test_success(self):
        hcl_res = hcl2.loads("""
            resource "aws_elb" "test_success" {
              name               = "foobar-terraform-elb"
              availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
              access_logs {
                bucket        = "foo"
                bucket_prefix = "bar"
                interval      = 60
              }
              listener {
                instance_port     = 8000
                instance_protocol = "http"
                lb_port           = 80
                lb_protocol       = "http"
              }
              listener {
                instance_port      = 8000
                instance_protocol  = "http"
                lb_port            = 443
                lb_protocol        = "https"
                ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
              }
              health_check {
                healthy_threshold   = 2
                unhealthy_threshold = 2
                timeout             = 3
                target              = "HTTP:8000/"
                interval            = 30
              }
              instances                   = [aws_instance.foo.id]
+             cross_zone_load_balancing   = true
              idle_timeout                = 400
              connection_draining         = true
              connection_draining_timeout = 400
            }

Remediation

Terraform

• Resource: xyz
• Arguments: xyz [this will be for composite checks and will indicate a specific resource]

Rule Details

Field	Value
ID	IAC-0188
Severity	LOW
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV_AWS_138

References

• Checkov Rule

---