This section provides best practices related to security and covers both Application Load Balancer (ALB) and Network Load Balancer (NLB).

How to use this guide

This guide is meant to provide generic best practices for architects, developers and engineers responsible for designing, deploying and operating a system that leverages Amazon Elastic Load Balancer (ELB) for traffic distribution.

This guide covers two types of Elastic Load Balancing services: Application Load Balancer (ALB) and Network Load Balancer (NLB). Unless stated otherwise in a specific section, the best practices are applicable to both. We may sometimes use the term 'ELB' (Elastic Load Balancing) to refer collectively to both ALB and NLB.

Each topic presents a brief overview, followed by recommendations and best practices. Topics can be read in any order. It is essential to test and validate the recommendations to ensure they align with your specific requirements.

Security Overview

Elastic Load Balancing (ELB) is built and managed with security as a top priority.

Security is a shared responsibility between AWS and the customer. Generally speaking, AWS is responsible for the “Security of the Cloud” while the customer is responsible for the “Security in the Cloud”. To understand what this means in the context of ELB, refer to the image below:

[Figure: Shared Responsibility Model - ELB]

A few examples can help clarify these responsibility boundaries:

  • AWS is responsible for patching the load balancer software if it is affected by a new Common Vulnerabilities and Exposures (CVE) entry, while the customer is responsible for doing the same for the software running on the targets.
  • The customer is responsible for configuring a TLS listener, while ELB is responsible for the TLS implementation running in the load balancer nodes.

Feedback

This guide is being released on GitHub to collect direct feedback and suggestions from the broader AWS Cloud community. If you have a best practice that you feel we ought to include in the guide, please file an issue or submit a PR in the GitHub repository. We intend to update the guide periodically as new features are added to the service or when a new best practice evolves.