ELB Rules
These rules identify load balancers with no registered targets. Idle load balancers incur minimum hourly charges with no traffic flowing through them.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-ELB-1 | Discovery | Application Load Balancer Without Targets |
| CLDBRN-AWS-ELB-2 | Discovery | Classic Load Balancer Without Instances |
| CLDBRN-AWS-ELB-3 | Discovery | Gateway Load Balancer Without Targets |
CLDBRN-AWS-ELB-1
Application Load Balancer Without Targets
Scan type: Discovery
What it checks
Flags Application Load Balancers (ALBs) that have no target groups or have target groups with zero registered targets. An ALB with no targets cannot route any traffic and serves no purpose.
Why it matters
ALBs have a minimum hourly charge of approximately $0.022/hour (~$16/month) plus LCU charges, regardless of traffic. An idle ALB with no targets generates this cost indefinitely with zero utility.
What triggers a finding
The ALB has no target groups attached, or all attached target groups have zero registered targets.
How to remediate
Delete the idle ALB. If the ALB was created in anticipation of a future deployment, delete it and recreate it when the deployment is ready — the setup cost is minimal compared to weeks or months of idle charges.
aws elbv2 delete-load-balancer --load-balancer-arn arn:aws:elasticloadbalancing:...
CLDBRN-AWS-ELB-2
Classic Load Balancer Without Instances
Scan type: Discovery
What it checks
Flags Classic Load Balancers (CLBs) that have zero EC2 instances attached. Classic Load Balancers are a deprecated generation of AWS load balancers: active ones should be migrated to ALB or NLB, and idle ones should be cleaned up.
Why it matters
CLBs charge per hour regardless of attached instances or traffic volume. An idle CLB with no instances accumulates charges with no benefit. CLBs are also a deprecated service — AWS no longer adds features and the migration path to ALB/NLB provides better functionality at lower cost for most workloads.
What triggers a finding
The CLB has zero instances attached.
How to remediate
Delete the Classic Load Balancer. If it was actively used, migrate to an Application Load Balancer (HTTP/HTTPS) or Network Load Balancer (TCP/UDP) before deleting.
aws elb delete-load-balancer --load-balancer-name my-classic-elb
CLDBRN-AWS-ELB-3
Gateway Load Balancer Without Targets
Scan type: Discovery
What it checks
Flags Gateway Load Balancers (GWLBs) that have no target groups or have target groups with zero registered targets. GWLBs with no targets cannot process any traffic.
Why it matters
GWLBs have a minimum hourly charge similar to other load balancer types, plus per-GB data processing fees. An idle GWLB generates base hourly costs with no traffic throughput.
What triggers a finding
The GWLB has no target groups attached, or all attached target groups have zero registered targets.
How to remediate
Delete the idle Gateway Load Balancer. GWLBs are typically used for inline network appliances (firewalls, IDS/IPS). If the appliance fleet was decommissioned, the GWLB should be deleted as well.
aws elbv2 delete-load-balancer --load-balancer-arn arn:aws:elasticloadbalancing:...
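The three rules above share one shape: resolve each load balancer's attached target groups (or instances, for Classic), count what is registered, and flag the balancer when the count is zero. The following Python is an added example that models those checks over constructed, API-shaped sample data so it runs offline; it is not the scanner's own implementation, and the ARNs, names and target IDs are placeholders. The sample data mirrors the fields of `aws elbv2 describe-load-balancers`, `describe-target-groups`, `describe-target-health` and `aws elb describe-load-balancers`, so real responses can be fed into the same functions.

```python
"""Offline model of the CLDBRN-AWS-ELB-1/2/3 checks over constructed sample data.
Added example; not the scanner's own code."""
from typing import Dict, List

# Rule IDs from the page, keyed by the elbv2 "Type" field of the load balancer.
ELBV2_RULES = {"application": "CLDBRN-AWS-ELB-1", "gateway": "CLDBRN-AWS-ELB-3"}
CLASSIC_RULE = "CLDBRN-AWS-ELB-2"


def _arn(kind: str, name: str) -> str:
    # Constructed ARN for sample data; the account id and suffix are placeholders.
    return f"arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/{kind}/{name}/PLACEHOLDER"


# Constructed sample shaped like `aws elbv2 describe-load-balancers` output.
SAMPLE_ELBV2_LOAD_BALANCERS: List[Dict] = [
    {"LoadBalancerArn": _arn("app", "web-prod"), "LoadBalancerName": "web-prod", "Type": "application"},
    {"LoadBalancerArn": _arn("app", "web-staging"), "LoadBalancerName": "web-staging", "Type": "application"},
    {"LoadBalancerArn": _arn("app", "unused-alb"), "LoadBalancerName": "unused-alb", "Type": "application"},
    {"LoadBalancerArn": _arn("gwy", "fw-inspect"), "LoadBalancerName": "fw-inspect", "Type": "gateway"},
    {"LoadBalancerArn": _arn("net", "tcp-edge"), "LoadBalancerName": "tcp-edge", "Type": "network"},
]

# Constructed sample shaped like `aws elbv2 describe-target-groups` output.
SAMPLE_TARGET_GROUPS: List[Dict] = [
    {"TargetGroupArn": "tg-web-prod", "LoadBalancerArns": [_arn("app", "web-prod")]},
    {"TargetGroupArn": "tg-web-staging", "LoadBalancerArns": [_arn("app", "web-staging")]},
    {"TargetGroupArn": "tg-fw-inspect", "LoadBalancerArns": [_arn("gwy", "fw-inspect")]},
    {"TargetGroupArn": "tg-tcp-edge", "LoadBalancerArns": [_arn("net", "tcp-edge")]},
    {"TargetGroupArn": "tg-orphan", "LoadBalancerArns": []},  # not attached to any balancer
]

# Constructed sample: TargetGroupArn -> TargetHealthDescriptions from describe-target-health.
SAMPLE_TARGET_HEALTH: Dict[str, List[Dict]] = {
    "tg-web-prod": [{"Target": {"Id": "i-0aaa"}, "TargetHealth": {"State": "healthy"}},
                    {"Target": {"Id": "i-0bbb"}, "TargetHealth": {"State": "unhealthy"}}],
    "tg-web-staging": [],
    "tg-fw-inspect": [],
    "tg-tcp-edge": [],
    "tg-orphan": [{"Target": {"Id": "i-0ccc"}, "TargetHealth": {"State": "unused"}}],
}

# Constructed sample shaped like `aws elb describe-load-balancers` (Classic) output.
SAMPLE_CLASSIC_LOAD_BALANCERS: List[Dict] = [
    {"LoadBalancerName": "legacy-api", "Instances": [{"InstanceId": "i-0ddd"}]},
    {"LoadBalancerName": "old-site", "Instances": []},
]


def find_idle_elbv2(load_balancers: List[Dict], target_groups: List[Dict],
                    target_health: Dict[str, List[Dict]]) -> List[Dict]:
    """CLDBRN-AWS-ELB-1 / -3: ALB or GWLB with no target groups, or only empty ones."""
    findings = []
    for lb in load_balancers:
        rule = ELBV2_RULES.get(lb["Type"])
        if rule is None:
            continue  # Network Load Balancers are outside the scope of these rules
        attached = [tg for tg in target_groups if lb["LoadBalancerArn"] in tg["LoadBalancerArns"]]
        # A registered target counts even when unhealthy: the trigger is registration, not health.
        registered = sum(len(target_health.get(tg["TargetGroupArn"], [])) for tg in attached)
        if not attached:
            reason = "no target groups attached"
        elif registered == 0:
            reason = f"{len(attached)} target group(s) with zero registered targets"
        else:
            continue
        findings.append({"rule": rule, "name": lb["LoadBalancerName"],
                         "arn": lb["LoadBalancerArn"], "reason": reason})
    return findings


def find_idle_classic(classic_load_balancers: List[Dict]) -> List[Dict]:
    """CLDBRN-AWS-ELB-2: Classic Load Balancer with zero instances attached."""
    return [{"rule": CLASSIC_RULE, "name": lb["LoadBalancerName"], "reason": "no instances attached"}
            for lb in classic_load_balancers if not lb.get("Instances")]


if __name__ == "__main__":
    results = find_idle_elbv2(SAMPLE_ELBV2_LOAD_BALANCERS, SAMPLE_TARGET_GROUPS, SAMPLE_TARGET_HEALTH)
    results += find_idle_classic(SAMPLE_CLASSIC_LOAD_BALANCERS)
    for f in results:
        print(f"{f['rule']}: {f['name']} ({f['reason']})")
```

On the sample data this reports web-staging and unused-alb under ELB-1, fw-inspect under ELB-3 and old-site under ELB-2, while web-prod (it has registered targets, one of them unhealthy) and tcp-edge (a Network Load Balancer, not covered here) are left alone. The functions only produce candidates; confirm each finding against the owning team before running the delete commands shown in the remediation sections.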
See Also
- CLI discover command — scan live load balancers
- SDK Reference — run discovery programmatically