AWS ELB security groups modified
Description
AlphaSOC detected that AWS Elastic Load Balancer (ELB) security groups were modified using the ApplySecurityGroupsToLoadBalancer or SetSecurityGroups actions. These actions change the security groups associated with a load balancer, which control the network access rules for traffic flowing through the ELB.
Impact
Modification of AWS ELB security groups could expose previously protected resources to unauthorized access. This activity may lead to data exposure, service disruption, or enable lateral movement within the AWS environment if exploited by threat actors.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent, or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the modified security group rules to identify any unauthorized changes, particularly new inbound rules from untrusted IP ranges or overly permissive configurations. Examine AWS CloudTrail logs to determine the source of this action and verify whether it was authorized. If unauthorized modifications are confirmed, immediately revert the security groups to their previous secure state, audit all recent ELB-related activities in CloudTrail, and rotate any potentially compromised credentials.
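The following is an added example of the CloudTrail review described above, not AlphaSOC's own detection code. It filters CloudTrail records for the two ELB security-group actions and scores them against the severity table using a constructed baseline; the baseline values, the sample records and the IP-to-ASN lookup (CloudTrail itself carries no ASN, so enrichment from sourceIPAddress is assumed) are all hypothetical.

```python
# Event names named in the detection; both replace the security groups on a load balancer.
ELB_SG_ACTIONS = {"ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups"}

# Constructed baseline: what this account's ELB administration normally looks like.
BASELINE = {
    "actions": {"SetSecurityGroups"},   # only the ALB/NLB call is routine here
    "asns": {16509},                    # assumed ASN of the pipeline's egress
    "user_agents": {"terraform"},       # user-agent prefix of the IaC pipeline
    "regions": {"us-east-1"},
}

# Constructed ASN enrichment keyed on sourceIPAddress (not a CloudTrail field).
ASN_BY_IP = {"3.5.140.1": 16509, "198.51.100.7": 64512}

SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

def unexpected_properties(event, baseline=BASELINE):
    """Return the names of the properties that fall outside the baseline."""
    unexpected = []
    if event["eventName"] not in baseline["actions"]:
        unexpected.append("action")
    if ASN_BY_IP.get(event.get("sourceIPAddress")) not in baseline["asns"]:
        unexpected.append("asn")
    ua = event.get("userAgent", "")
    if not any(ua.startswith(prefix) for prefix in baseline["user_agents"]):
        unexpected.append("user_agent")
    if event.get("awsRegion") not in baseline["regions"]:
        unexpected.append("region")
    return unexpected

def assess(event):
    """Map a CloudTrail record to (severity, unexpected properties); None if out of scope."""
    if event.get("eventSource") != "elasticloadbalancing.amazonaws.com":
        return None
    if event.get("eventName") not in ELB_SG_ACTIONS:
        return None
    props = unexpected_properties(event)
    # The table stops at three; counting four as Medium is an assumption.
    return SEVERITY[min(len(props), 3)], props

def _ev(name, region, ip, ua):  # constructed CloudTrail records, trimmed to fields used
    return {"eventSource": "elasticloadbalancing.amazonaws.com", "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip, "userAgent": ua}

SAMPLE_EVENTS = [
    _ev("SetSecurityGroups", "us-east-1", "3.5.140.1", "terraform/1.6.0"),   # routine
    _ev("SetSecurityGroups", "eu-west-1", "3.5.140.1", "terraform/1.6.0"),   # new region
    _ev("ApplySecurityGroupsToLoadBalancer", "ap-southeast-1", "198.51.100.7", "console.amazonaws.com"),
    _ev("DescribeLoadBalancers", "us-east-1", "3.5.140.1", "aws-cli/2.15"),  # out of scope
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], ev["awsRegion"], assess(ev))
```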