
Updated tfsec aws-elb-drop-invalid-headers

Load balancers should drop invalid headers - Application load balancer is not set to drop invalid headers.

ID               - aws-elb-drop-invalid-headers
Severity     - High
Impact       - Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
Resolution - Set drop_invalid_header_fields to true

tfsec finding - https://aquasecurity.github.io/tfsec/v1.26.0/checks/aws/elb/drop-invalid-headers/ - Passing unknown or invalid headers through to the target poses a potential risk of compromise.

AWS - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html

By setting drop_invalid_header_fields to true, anything that does not conform to well-known, defined headers will be removed by the load balancer.
Jeremy Cooper [AFS MBP] 3 жил өмнө
parent
commit
2a09684931

+ 5 - 6
base/nessus/instance_security_center/elb.tf

@@ -2,12 +2,11 @@
 # INTERNAL LB
 #----------------------------------------------------------------------------
 resource "aws_alb" "security_center_internal" {
-  name               = "nessus-sc-alb-${var.environment}"
-  security_groups    = [aws_security_group.security_center_alb_server_internal.id]
-  internal           = true
-  subnets            = var.private_subnets
-  load_balancer_type = "application"
-
+  name                       = "nessus-sc-alb-${var.environment}"
+  security_groups            = [aws_security_group.security_center_alb_server_internal.id]
+  internal                   = true
+  subnets                    = var.private_subnets
+  load_balancer_type         = "application"
   drop_invalid_header_fields = true
 
   access_logs {

+ 6 - 5
base/phantom/alb.tf

@@ -2,11 +2,12 @@
 # INTERNAL LB
 #----------------------------------------------------------------------------
 resource "aws_alb" "phantom_internal" {
-  name               = "phantom-alb-internal-${var.environment}"
-  security_groups    = [aws_security_group.phantom_alb_internal.id]
-  internal           = true
-  subnets            = var.public_subnets
-  load_balancer_type = "application"
+  name                       = "phantom-alb-internal-${var.environment}"
+  security_groups            = [aws_security_group.phantom_alb_internal.id]
+  internal                   = true
+  subnets                    = var.public_subnets
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
 
   access_logs {
     bucket  = "xdr-elb-${var.environment}"

+ 5 - 6
base/repo_server/lb_internal.tf

@@ -2,12 +2,11 @@
 # INTERNAL LB
 #----------------------------------------------------------------------------
 resource "aws_lb" "internal" {
-  name_prefix        = substr(var.instance_name, 0, 6)
-  security_groups    = [aws_security_group.alb_internal.id]
-  internal           = true
-  subnets            = var.public_subnets
-  load_balancer_type = "application"
-
+  name_prefix                = substr(var.instance_name, 0, 6)
+  security_groups            = [aws_security_group.alb_internal.id]
+  internal                   = true
+  subnets                    = var.public_subnets
+  load_balancer_type         = "application"
   drop_invalid_header_fields = true
 
   access_logs {

+ 6 - 5
base/splunk_servers/alsi/elb-elastic.tf

@@ -1,10 +1,11 @@
 resource "aws_lb" "alsi-alb-elastic" {
-  count              = local.alsi_elastic_alb ? 1 : 0
-  name               = "${var.prefix}-alsi-alb-elastic"
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
-  load_balancer_type = "application"
+  count                      = local.alsi_elastic_alb ? 1 : 0
+  name                       = "${var.prefix}-alsi-alb-elastic"
+  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
   # Not supported for NLB
-  security_groups = [aws_security_group.alsi-alb-elastic-sg.id]
+  security_groups    = [aws_security_group.alsi-alb-elastic-sg.id]
   # Note, changing subnets results in recreation of the resource
   subnets                          = var.subnets
   enable_cross_zone_load_balancing = true
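Review bot: The new-side line `security_groups    = [aws_security_group.alsi-alb-elastic-sg.id]` is re-padded to the old column width while the five attributes directly above it are now aligned to `drop_invalid_header_fields`, so this block ends up with two alignment widths; the sibling elb-hec.tf leaves its `security_groups` line unpadded, and elb-master.tf, legacy_hec/elb-without-ack-internal.tf and teleport-single-instance/alb-internal.tf likewise realign only the touched lines and leave neighbouring attributes at the old width. Running `terraform fmt` over the changed files (or adding a `terraform fmt -check` step alongside the tfsec run) would settle on one alignment and keep the next tfsec-driven change from re-churning these lines; I am not certain whether fmt treats the `# Not supported for NLB` comment as breaking the alignment run, so the exact result may differ per file. The `alsi-alb-elastic` resource block continues past the end of this hunk.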

+ 5 - 4
base/splunk_servers/alsi/elb-hec.tf

@@ -1,8 +1,9 @@
 resource "aws_lb" "alsi-alb-hec" {
-  count              = local.alsi_hec_alb ? 1 : 0
-  name               = "${var.prefix}-alsi-alb-hec"
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
-  load_balancer_type = "application"
+  count                      = local.alsi_hec_alb ? 1 : 0
+  name                       = "${var.prefix}-alsi-alb-hec"
+  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
   # Not supported for NLB
   security_groups = [aws_security_group.alsi-alb-hec-sg.id]
   # Note, changing subnets results in recreation of the resource

+ 4 - 3
base/splunk_servers/alsi/elb-master.tf

@@ -1,7 +1,8 @@
 resource "aws_lb" "alsi-master-alb" {
-  name               = "${var.prefix}-alsi-master-alb"
-  internal           = true
-  load_balancer_type = "application"
+  name                       = "${var.prefix}-alsi-master-alb"
+  internal                   = true
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
   security_groups    = [aws_security_group.alsi-master-alb-sg.id]
   # Note, changing subnets results in recreation of the resource
   subnets                          = var.subnets

+ 4 - 3
base/splunk_servers/legacy_hec/elb-without-ack-internal.tf

@@ -46,9 +46,10 @@ resource "aws_lb" "hec_internal" {
   tags               = merge(local.standard_tags, var.tags)
   name               = "iratemoses"
   load_balancer_type = "application"
-  security_groups    = [data.aws_security_group.hec_internal_elb_security_group[0].id]
-  subnets            = var.private_subnets
-  internal           = true
+  security_groups            = [data.aws_security_group.hec_internal_elb_security_group[0].id]
+  subnets                    = var.private_subnets
+  internal                   = true
+  drop_invalid_header_fields = true
 }
 
 resource "aws_lb_listener" "hec_internal_443" {

+ 7 - 6
base/splunk_servers/legacy_hec/elb-without-ack.tf

@@ -111,12 +111,13 @@ resource "aws_route53_record" "hec_cert_validation" {
 #########################
 # ELB
 resource "aws_lb" "hec" {
-  tags               = merge(local.standard_tags, var.tags)
-  name               = "${var.prefix}-legacy-hec"
-  load_balancer_type = "application"
-  security_groups    = [data.aws_security_group.hec_elb_security_group.id]
-  subnets            = var.public_subnets
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
+  tags                       = merge(local.standard_tags, var.tags)
+  name                       = "${var.prefix}-legacy-hec"
+  load_balancer_type         = "application"
+  security_groups            = [data.aws_security_group.hec_elb_security_group.id]
+  subnets                    = var.public_subnets
+  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
+  drop_invalid_header_fields = true
 }
 
 resource "aws_lb_listener" "hec_443" {

+ 2 - 1
base/teleport-single-instance/alb-internal.tf

@@ -7,7 +7,8 @@ resource "aws_alb" "internal" {
   security_groups    = [aws_security_group.alb_server_internal.id]
   internal           = true
   subnets            = var.subnets
-  load_balancer_type = "application"
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
 
   access_logs {
     bucket  = "xdr-elb-${var.environment}"

+ 6 - 5
base/teleport-single-instance/alb.tf

@@ -3,11 +3,12 @@
 #----------------------------------------------------------------------------
 
 resource "aws_alb" "external" {
-  name               = "${var.instance_name}-alb-external-${var.environment}"
-  security_groups    = [aws_security_group.alb_server_external.id]
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
-  subnets            = var.subnets
-  load_balancer_type = "application"
+  name                       = "${var.instance_name}-alb-external-${var.environment}"
+  security_groups            = [aws_security_group.alb_server_external.id]
+  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  subnets                    = var.subnets
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
 
   access_logs {
     bucket  = "xdr-elb-${var.environment}"

+ 6 - 5
base/threatquotient/alb.tf

@@ -2,11 +2,12 @@
 # INTERNAL LB
 #----------------------------------------------------------------------------
 resource "aws_alb" "internal" {
-  name               = "${local.server_name_stem}-alb-internal-${var.environment}"
-  security_groups    = [aws_security_group.alb_internal.id]
-  internal           = true
-  subnets            = var.public_subnets
-  load_balancer_type = "application"
+  name                       = "${local.server_name_stem}-alb-internal-${var.environment}"
+  security_groups            = [aws_security_group.alb_internal.id]
+  internal                   = true
+  subnets                    = var.public_subnets
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
 
   access_logs {
     bucket  = "xdr-elb-${var.environment}"

+ 5 - 6
base/vmray_instances/alb.tf

@@ -2,12 +2,11 @@
 # INTERNAL LB
 #----------------------------------------------------------------------------
 resource "aws_alb" "vmray_internal" {
-  name               = "vmray-alb-internal-${var.environment}"
-  security_groups    = [aws_security_group.vmray_alb_internal.id]
-  internal           = true
-  subnets            = var.public_subnets
-  load_balancer_type = "application"
-
+  name                       = "vmray-alb-internal-${var.environment}"
+  security_groups            = [aws_security_group.vmray_alb_internal.id]
+  internal                   = true
+  subnets                    = var.public_subnets
+  load_balancer_type         = "application"
   drop_invalid_header_fields = true
 
   access_logs {

+ 6 - 5
submodules/load_balancer/public_alb/elb.tf

@@ -2,11 +2,12 @@
 # EXTERNAL LB
 #----------------------------------------------------------------------------
 resource "aws_lb" "server_external" {
-  name_prefix        = local.prefix
-  security_groups    = [aws_security_group.alb.id]
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
-  subnets            = var.subnets
-  load_balancer_type = "application"
+  name_prefix                = local.prefix
+  security_groups            = [aws_security_group.alb.id]
+  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  subnets                    = var.subnets
+  load_balancer_type         = "application"
+  drop_invalid_header_fields = true
 
   access_logs {
     bucket  = "xdr-elb-${var.environment}"