These rules identify load balancers across all types (ALB, CLB, GWLB, NLB) with no registered targets or negligible traffic. Idle load balancers incur minimum hourly charges with no traffic flowing through them.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-ELB-1 | Discovery | Application Load Balancer Without Targets |
| CLDBRN-AWS-ELB-2 | Discovery | Classic Load Balancer Without Instances |
| CLDBRN-AWS-ELB-3 | Discovery | Gateway Load Balancer Without Targets |
| CLDBRN-AWS-ELB-4 | Discovery | Network Load Balancer Without Targets |
| CLDBRN-AWS-ELB-5 | Discovery | Load Balancer Idle |
## CLDBRN-AWS-ELB-1: Application Load Balancer Without Targets

Scan type: Discovery

### What it checks
Flags Application Load Balancers (ALBs) that have no target groups or have target groups with zero registered targets. An ALB with no targets cannot route any traffic and serves no purpose.
### Why it matters
ALBs have a minimum hourly charge of approximately $0.022/hour (~$16/month) plus LCU charges, regardless of traffic. An idle ALB with no targets generates this cost indefinitely with zero utility.
### What triggers a finding
The ALB has no target groups attached, or all attached target groups have zero registered targets.
### How to remediate
Delete the idle ALB. If the ALB was created in anticipation of a future deployment, delete it and recreate it when the deployment is ready — the setup cost is minimal compared to weeks or months of idle charges.
```bash
aws elbv2 delete-load-balancer --load-balancer-arn arn:aws:elasticloadbalancing:...
```
## CLDBRN-AWS-ELB-2: Classic Load Balancer Without Instances

Scan type: Discovery

### What it checks
Flags Classic Load Balancers (CLBs) that have zero EC2 instances attached. Classic Load Balancers are a deprecated generation of AWS load balancers and should be migrated to ALB or NLB in addition to being cleaned up when idle.
### Why it matters
CLBs charge per hour regardless of attached instances or traffic volume. An idle CLB with no instances accumulates charges with no benefit. CLBs are also a deprecated service — AWS no longer adds features and the migration path to ALB/NLB provides better functionality at lower cost for most workloads.
### What triggers a finding
The CLB has zero instances attached.
### How to remediate
Delete the Classic Load Balancer. If it was actively used, migrate to an Application Load Balancer (HTTP/HTTPS) or Network Load Balancer (TCP/UDP) before deleting.
```bash
aws elb delete-load-balancer --load-balancer-name my-classic-elb
```
## CLDBRN-AWS-ELB-3: Gateway Load Balancer Without Targets

Scan type: Discovery

### What it checks
Flags Gateway Load Balancers (GWLBs) that have no target groups or have target groups with zero registered targets. GWLBs with no targets cannot process any traffic.
### Why it matters
GWLBs have a minimum hourly charge similar to other load balancer types, plus per-GB data processing fees. An idle GWLB generates base hourly costs with no traffic throughput.
### What triggers a finding
The GWLB has no target groups attached, or all attached target groups have zero registered targets.
### How to remediate
Delete the idle Gateway Load Balancer. GWLBs are typically used for inline network appliances (firewalls, IDS/IPS). If the appliance fleet was decommissioned, the GWLB should be deleted as well.
```bash
aws elbv2 delete-load-balancer --load-balancer-arn arn:aws:elasticloadbalancing:...
```
## CLDBRN-AWS-ELB-4: Network Load Balancer Without Targets

Scan type: Discovery

### What it checks
Flags Network Load Balancers (NLBs) that have no target groups or have target groups with zero registered targets. An NLB with no targets cannot route any traffic.
### Why it matters
NLBs charge a minimum hourly fee plus per-NLCU data processing costs. An idle NLB with no registered targets generates base hourly charges with no traffic flowing through it. NLBs are commonly provisioned for services that later get decommissioned, leaving the load balancer behind.
### What triggers a finding
The NLB has no target groups attached, or all attached target groups have zero registered targets.
### How to remediate
Delete the idle Network Load Balancer. If the targets were temporarily removed for a maintenance window, re-register them. Otherwise, clean up the NLB:
```bash
aws elbv2 delete-load-balancer --load-balancer-arn arn:aws:elasticloadbalancing:...
```
## CLDBRN-AWS-ELB-5: Load Balancer Idle

Scan type: Discovery

### What it checks
Flags load balancers whose 14-day average request count stays below 10 requests per day. This rule only fires when the load balancer is not already flagged by the corresponding empty-targets rule (ELB-1 through ELB-4).
### Why it matters
Load balancers incur an hourly charge regardless of traffic. An ALB costs roughly $16/month in fixed charges plus LCU charges. An NLB charges similarly. A load balancer receiving fewer than 10 requests per day is effectively idle and wasting money.
### What triggers a finding

`averageRequestsPerDayLast14Days` is not null AND is less than 10, AND the load balancer is not already flagged by the corresponding empty-targets cleanup rule (de-duplicates with ELB-1/2/3/4).
### How to remediate
Determine whether the service behind the load balancer is still needed. If the service is decommissioned, delete the load balancer, its listeners, and target groups. If the service has minimal traffic, consider using API Gateway or a shared load balancer instead of a dedicated one.
```bash
aws elbv2 delete-load-balancer --load-balancer-arn arn:aws:elasticloadbalancing:...
```
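The following Python is an added example that implements the trigger conditions of the five rules above (no registered targets for ELB-1 through ELB-4, and the 14-day average below 10 requests/day for ELB-5, suppressed when an empty-targets rule already fires). It is not the scanner's own code. It works on plain dicts shaped like the `elbv2 describe-load-balancers`, `describe-target-groups`, `describe-target-health` and `elb describe-load-balancers` responses, so it runs offline; the ARNs, instance IDs and daily request sums are constructed sample data, and the `LoadBalancerFacts`, `facts_from_elbv2`, `facts_from_classic` and `evaluate` names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

IDLE_THRESHOLD_PER_DAY = 10   # ELB-5: fewer than 10 requests/day is idle
WINDOW_DAYS = 14              # ELB-5 averaging window

# Empty-targets rule per load balancer type. "application", "network" and
# "gateway" match the "Type" field of elbv2 describe-load-balancers;
# "classic" is this example's label for elb (v1) load balancers.
EMPTY_TARGET_RULES = {
    "application": "CLDBRN-AWS-ELB-1",
    "classic": "CLDBRN-AWS-ELB-2",
    "gateway": "CLDBRN-AWS-ELB-3",
    "network": "CLDBRN-AWS-ELB-4",
}


@dataclass
class LoadBalancerFacts:
    identifier: str            # ARN (elbv2) or name (classic)
    lb_type: str               # key of EMPTY_TARGET_RULES
    registered_targets: int    # total across attached target groups / instances
    # Daily request sums for the last 14 days; an empty list means no metric
    # data, i.e. averageRequestsPerDayLast14Days is null.
    daily_requests: list[float] = field(default_factory=list)

    @property
    def average_requests_per_day(self) -> Optional[float]:
        if not self.daily_requests:
            return None
        return sum(self.daily_requests) / WINDOW_DAYS


def facts_from_elbv2(lb, target_groups, target_health, daily_requests):
    """lb: one "LoadBalancers" entry; target_groups: "TargetGroups" entries;
    target_health: {TargetGroupArn: "TargetHealthDescriptions" list}."""
    arn = lb["LoadBalancerArn"]
    count = 0
    for tg in target_groups:
        if arn in tg.get("LoadBalancerArns", []):   # group attached to this LB
            count += len(target_health.get(tg["TargetGroupArn"], []))
    return LoadBalancerFacts(arn, lb["Type"], count, daily_requests)


def facts_from_classic(lb, daily_requests):
    """lb: one "LoadBalancerDescriptions" entry from elb describe-load-balancers."""
    instances = lb.get("Instances", [])
    return LoadBalancerFacts(lb["LoadBalancerName"], "classic", len(instances), daily_requests)


def evaluate(facts):
    """Return the rule IDs that fire for one load balancer (at most one)."""
    if facts.registered_targets == 0:
        # ELB-1/2/3/4 fire; ELB-5 is de-duplicated away in this case.
        return [EMPTY_TARGET_RULES[facts.lb_type]]
    avg = facts.average_requests_per_day
    if avg is not None and avg < IDLE_THRESHOLD_PER_DAY:
        return ["CLDBRN-AWS-ELB-5"]
    return []


# --- Constructed sample inventory (not real resources) ----------------------
ACCT = "123456789012"
ALB_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCT}:loadbalancer/app/sample-alb/0123456789abcdef"
NLB_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCT}:loadbalancer/net/sample-nlb/fedcba9876543210"
TG_ALB = f"arn:aws:elasticloadbalancing:us-east-1:{ACCT}:targetgroup/sample-alb-tg/1111111111111111"
TG_NLB = f"arn:aws:elasticloadbalancing:us-east-1:{ACCT}:targetgroup/sample-nlb-tg/2222222222222222"

SAMPLE_ELBV2_LBS = [
    {"LoadBalancerArn": ALB_ARN, "Type": "application"},
    {"LoadBalancerArn": NLB_ARN, "Type": "network"},
]
SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": TG_ALB, "LoadBalancerArns": [ALB_ARN]},
    {"TargetGroupArn": TG_NLB, "LoadBalancerArns": [NLB_ARN]},
]
SAMPLE_TARGET_HEALTH = {
    TG_ALB: [],   # nothing registered
    TG_NLB: [{"Target": {"Id": "i-0123456789abcdef0"}, "TargetHealth": {"State": "healthy"}}],
}
SAMPLE_CLASSIC_LBS = [
    {"LoadBalancerName": "sample-clb-empty", "Instances": []},
    {"LoadBalancerName": "sample-clb-busy", "Instances": [{"InstanceId": "i-0fedcba9876543210"}]},
]
SAMPLE_DAILY_REQUESTS = {          # 14 daily request sums per load balancer
    ALB_ARN: [0.0] * WINDOW_DAYS,  # idle, but ELB-1 takes precedence
    NLB_ARN: [3.0] * WINDOW_DAYS,  # 42 requests / 14 days = 3 per day
    "sample-clb-empty": [],        # no metric data
    "sample-clb-busy": [1200.0] * WINDOW_DAYS,
}


def run_sample():
    """Evaluate the constructed inventory; returns {identifier: [rule ids]}."""
    results = {}
    for lb in SAMPLE_ELBV2_LBS:
        f = facts_from_elbv2(lb, SAMPLE_TARGET_GROUPS, SAMPLE_TARGET_HEALTH,
                             SAMPLE_DAILY_REQUESTS[lb["LoadBalancerArn"]])
        results[f.identifier] = evaluate(f)
    for lb in SAMPLE_CLASSIC_LBS:
        f = facts_from_classic(lb, SAMPLE_DAILY_REQUESTS[lb["LoadBalancerName"]])
        results[f.identifier] = evaluate(f)
    return results


if __name__ == "__main__":
    for ident, rules in run_sample().items():
        print(f"{ident}: {rules or 'no finding'}")
```

Running it flags the sample ALB under ELB-1 (its zero-request average is ignored because the empty-targets rule already fires), the sample NLB under ELB-5, the empty Classic Load Balancer under ELB-2, and nothing for the busy CLB. In a live scan the same `evaluate` function would be fed the real API responses and the daily `RequestCount` sums from CloudWatch.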
## See Also
- CLI discover command — scan live load balancers
- SDK Reference — run discovery programmatically