Findings

AWS ALB has insecure desync mitigation mode

Updated: June 19, 2025

Description

The Application Load Balancer (ALB) is not configured with the defensive or strictest desync mitigation mode.

Remediation

Set the desync mitigation mode of the Application Load Balancer to defensive or strictest.
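The check behind this finding, as an added example (not FireTail's own code). It evaluates attribute lists in the shape returned by `aws elbv2 describe-load-balancer-attributes`, reading the AWS attribute `routing.http.desync_mitigation_mode`, and builds the matching `modify-load-balancer-attributes` command for each failing ALB. The ARNs are constructed placeholders, and flagging an ALB whose attributes do not report the key is an assumption made here.

```python
ATTR = "routing.http.desync_mitigation_mode"
ACCEPTED = {"defensive", "strictest"}  # modes this finding treats as secure

# Constructed sample: ALB ARN -> "Attributes" list from describe-load-balancer-attributes.
_BASE = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/"
SAMPLE = {
    _BASE + "example-api/0000000000000001": [
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
        {"Key": ATTR, "Value": "monitor"},
    ],
    _BASE + "example-public/0000000000000002": [{"Key": ATTR, "Value": "defensive"}],
    _BASE + "example-admin/0000000000000003": [{"Key": ATTR, "Value": "strictest"}],
    _BASE + "example-internal/0000000000000004": [
        {"Key": "deletion_protection.enabled", "Value": "true"},
    ],
}


def desync_mode(attributes):
    """Return the desync mitigation mode from an Attributes list, or None if absent."""
    for attr in attributes:
        if attr.get("Key") == ATTR:
            return attr.get("Value", "").strip().lower()
    return None


def evaluate(albs, target="defensive"):
    """List ALBs that are not in an accepted mode, with the remediation command."""
    if target not in ACCEPTED:
        raise ValueError(f"target must be one of {sorted(ACCEPTED)}")
    findings = []
    for arn, attributes in sorted(albs.items()):
        mode = desync_mode(attributes)
        if mode in ACCEPTED:
            continue
        findings.append({
            "arn": arn,
            # Assumption: a missing key is flagged for review, not treated as compliant.
            "mode": mode or "not reported",
            "fix": ("aws elbv2 modify-load-balancer-attributes "
                    f"--load-balancer-arn {arn} --attributes Key={ATTR},Value={target}"),
        })
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(f"{finding['arn']}: {finding['mode']}\n  {finding['fix']}")
```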

Security Frameworks

Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.

  1. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
  2. Review and update the baseline configuration of the system:
     1. [Assignment: organization-defined frequency];
     2. When required due to [Assignment: organization-defined circumstances]; and
     3. When system components are installed or upgraded.
