Amazon ELBv2
Amazon ELBv2 (Elastic Load Balancing v2) by Amazon Web Services (AWS) distributes incoming traffic across Application, Network, and Gateway load balancers. You can bring load balancer, target group, and target health data from Amazon ELBv2 into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Amazon ELBv2 and how to obtain that information from Amazon. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Amazon ELBv2 from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Amazon ELBv2 with Brinqa:
-
Access key ID and Secret access key: The access keys associated with the AWS account. The account must have the required read-only permissions for the Amazon ELBv2 service. For additional information, see Create an IAM user for AWS access.
-
Default region: The AWS region for the connector. If not specified, the connector uses the AWS Default Region Provider Chain.
Create an IAM user for AWS access
For the Amazon ELBv2 connector to interact with the AWS SDK and retrieve data, you must provide specific AWS credentials and permissions. To create an IAM user, follow these steps:
-
Log in to your organization's AWS Management Console as an administrator.
-
Navigate to the Identity and Access Management (IAM) dashboard.
-
From the navigation pane under Access management, click Users, and then click Create user.
-
Provide a User name, leave the Provide user access to AWS Management Console option unchecked, and then click Next.
-
Click the Attach policies directly option and then click Create policy.
-
Click the JSON tab and paste the following minimum required policy:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeTargetGroups","elasticloadbalancing:DescribeTargetHealth","elasticloadbalancing:DescribeTags"],"Resource": "*"}]} -
Click Next, provide a name for the policy, and then click Create policy.
-
Back on the Add permissions page, search for and select the policy you just created, and then click Next.
-
Click Create user.
Obtain access keys
After you have created an IAM user, generate the access keys that are required for the connector. To do so, follow these steps:
-
Navigate to the IAM dashboard.
-
From the navigation pane under Access management, click Users.
-
Choose the IAM user you created in the earlier steps.
-
Click the Security credentials tab and then click Create access key.
-
Select the Application running outside AWS use case and then click Next.
-
Provide a description and then click Create access key.
The access key ID and secret access key display. The secret access key is shown only once and cannot be retrieved again, so copy the key and save it to a secure location.
If you do not have the permissions to create access keys, contact your AWS administrator. For additional information, see AWS documentation.
The connector authenticates using the AWS SDK's credential resolution chain. If an assume-role ARN is configured, the connector assumes that IAM role using the provided credentials. Otherwise, it uses the provided access keys directly, falling back to the AWS Default Credential Provider Chain (environment variables, ~/.aws/credentials, or EC2 instance metadata).
Additional settings
The Amazon ELBv2 connector contains additional options for specific configuration:
- Assume role ARN: ARN of an IAM role to assume. Comma-separated to assume multiple roles in the same sync.
- Session duration: Assume-role session duration in seconds. The default setting is 3600.
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
- Parallel requests: The maximum number of parallel API requests. The default setting is 8.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Amazon ELBv2 API before giving up and reporting a failure. The default setting is 10.
Types of data to retrieve
The Amazon ELBv2 connector can retrieve the following types of data from the Amazon ELBv2 API:
Table 1: Data retrieved from Amazon ELBv2
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| LoadBalancer | Yes | Cloud Resource |
| TargetGroup | Yes | Cloud Resource |
| TargetHealth | Yes | Cloud Resource |
The Amazon ELBv2 connector does not currently support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Amazon ELBv2 in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
LoadBalancer
Table 2: LoadBalancer attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| DescribeTags.tagDescriptions[].tags | TAGS |
| Generated (derived: scheme == internet-facing) | IS_INTERNET_FACING |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| LoadBalancer.availabilityZones[].subnetId | SUBNET_IDS |
| LoadBalancer.availabilityZones[].zoneName | AVAILABILITY_ZONES |
| LoadBalancer.createdTime | FIRST_SEEN |
| LoadBalancer.customerOwnedIpv4Pool | CUSTOMER_OWNED_IPV4_POOL |
| LoadBalancer.dnsName | DNS_NAMES |
| LoadBalancer.ipAddressTypeAsString | IP_ADDRESS_TYPE |
| LoadBalancer.loadBalancerArn | LOAD_BALANCER_ARN |
| LoadBalancer.loadBalancerArn | UID |
| LoadBalancer.loadBalancerName (fallback: ARN) | NAME |
| LoadBalancer.schemeAsString | SCHEME |
| LoadBalancer.securityGroups | SECURITY_GROUP_IDS |
| LoadBalancer.state().codeAsString | SOURCE_STATUS |
| LoadBalancer.typeAsString | TYPE |
| LoadBalancer.vpcId | VPC_ID |
| sync region | REGION |
TargetGroup
Table 3: TargetGroup attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| sync region | REGION |
| TargetGroup.healthCheckEnabled | HEALTH_CHECK_ENABLED |
| TargetGroup.healthCheckPath | HEALTH_CHECK_PATH |
| TargetGroup.healthCheckPort | HEALTH_CHECK_PORT |
| TargetGroup.healthCheckProtocolAsString | HEALTH_CHECK_PROTOCOL |
| TargetGroup.ipAddressTypeAsString | IP_ADDRESS_TYPE |
| TargetGroup.loadBalancerArns | LOAD_BALANCER_ARNS |
| TargetGroup.port | PORT |
| TargetGroup.protocolAsString | PROTOCOL |
| TargetGroup.protocolVersion | PROTOCOL_VERSION |
| TargetGroup.targetGroupArn | TARGET_GROUP_ARN |
| TargetGroup.targetGroupArn | UID |
| TargetGroup.targetGroupName (fallback: ARN) | NAME |
| TargetGroup.targetTypeAsString | TARGET_TYPE |
| TargetGroup.vpcId | VPC_ID |
TargetHealth
Table 4: TargetHealth attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
Generated (composite: targetGroupArn:targetId:port) | NAME |
Generated (composite: targetGroupArn:targetId:port) | UID |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| sync region | REGION |
| TargetDescription.availabilityZone | TARGET_AVAILABILITY_ZONE |
| TargetDescription.id | TARGET_ID |
| TargetDescription.port | PORT |
| TargetGroup.targetGroupArn | TARGET_GROUP_ARN |
| TargetHealth.description | HEALTH_DESCRIPTION |
| TargetHealth.reasonAsString | HEALTH_REASON |
| TargetHealth.stateAsString | SOURCE_STATUS |
| TargetHealthDescription.healthCheckPort | HEALTH_CHECK_PORT |
APIs
The Amazon ELBv2 connector uses the Elastic Load Balancing API. Specifically, it uses the following endpoints:
Table 5: Amazon ELBv2 API endpoints
| Connector Object | API Endpoint |
|---|---|
| LoadBalancer | elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeTags |
| TargetGroup | elasticloadbalancing:DescribeTargetGroups |
| TargetHealth | elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeTargetHealth |
Changelog
The Amazon ELBv2 connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 6: Amazon ELBv2 connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.1.0 | Initial Integration+ release. | June 1st, 2026 |