ALB is not configured with the defensive or strictest desync mitigation mode
Description
This policy checks whether an Application Load Balancer (ALB) in AWS is configured with the defensive or strictest desync mitigation mode. The desync mitigation mode determines how the ALB handles requests that it classifies as ambiguous or non-compliant with RFC 7230, for example a request whose Content-Length and Transfer-Encoding headers disagree, so that the load balancer and the backend target may place the message boundary in different places. That disagreement is the basis of HTTP desync (request smuggling) attacks, which can lead to request queue or cache poisoning, credential hijacking, and bypass of security controls enforced at the load balancer. In monitor mode the ALB only records how it classified each request and forwards all of them; in defensive mode it blocks requests classified as severe; in strictest mode it accepts only requests that fully comply with RFC 7230. A load balancer left in monitor mode therefore gives no protection against desync attacks, which is why this policy reports it.
Code Example
```hcl
resource "aws_lb" "example" {
  name = "example"
  ...
  desync_mitigation_mode = "defensive"
  ...
}
```
Remediation
Terraform
- Resource: "aws_lb", "aws_alb", "aws_elb"
- Arguments: desync_mitigation_mode
To fix this issue, set `desync_mitigation_mode` to a value other than `monitor`, that is, to either `defensive` or `strictest`. Set it explicitly rather than relying on the provider default, so the intent is visible in code and in review; the Code Example above shows the `defensive` setting. Prefer `strictest` where your clients are known to send well-formed requests, since it rejects everything that does not comply with RFC 7230; fall back to `defensive` if legacy clients or proxies send requests the strictest mode would block.
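The following is an added example, not code from the original page or from Checkov, showing the weak configuration beside the corrected one and a variable validation that stops `monitor` from ever being applied. The variable names, resource names and the `alb_security_group_ids` / `public_subnet_ids` inputs are placeholders chosen for this illustration.

```hcl
# Added example (not from the original page or from Checkov).
# Placeholder inputs: supply real security group and subnet IDs at plan time.
variable "alb_security_group_ids" {
  type = list(string)
}

variable "public_subnet_ids" {
  type = list(string)
}

# Guard at the Terraform level as well as in the scanner: "monitor" is rejected
# before a plan is produced, so nobody can quietly downgrade the setting.
variable "desync_mitigation_mode" {
  type    = string
  default = "strictest"

  validation {
    condition     = contains(["defensive", "strictest"], var.desync_mitigation_mode)
    error_message = "desync_mitigation_mode must be \"defensive\" or \"strictest\"; \"monitor\" forwards every request and is not allowed."
  }
}

# FAILS CKV_AWS_328: monitor mode only records the desync classification and
# forwards every request, so the backend still sees smuggled requests.
resource "aws_lb" "monitor_only" {
  name               = "example-monitor"
  internal           = false
  load_balancer_type = "application"
  security_groups    = var.alb_security_group_ids
  subnets            = var.public_subnet_ids

  desync_mitigation_mode = "monitor"
}

# PASSES CKV_AWS_328: the mode comes from the validated variable, so it is
# always "defensive" or "strictest". drop_invalid_header_fields is a related
# ALB hardening that removes header fields with invalid names before routing.
resource "aws_lb" "hardened" {
  name               = "example-hardened"
  internal           = false
  load_balancer_type = "application"
  security_groups    = var.alb_security_group_ids
  subnets            = var.public_subnet_ids

  desync_mitigation_mode     = var.desync_mitigation_mode
  drop_invalid_header_fields = true
}
```

Running `checkov -d . --check CKV_AWS_328` against a directory containing this file reports `aws_lb.monitor_only` as failed and `aws_lb.hardened` as passed. Note that the Terraform AWS provider defaults `desync_mitigation_mode` to `defensive` when the argument is omitted; the explicit setting and the variable validation make that choice deliberate and reviewable rather than implicit.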
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0375 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_328 |