ELB is setup with HTTPS for secure communication

Ensure that ELB is configured with HTTPS, for secure communication. Covers standards HTTPS and AWS Proxy Protocol Config; see https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-elb-listenerconfig-quickref.html

Risk Level: High
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.CRY.02
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

ELB should have elbListeners contain [(sourceProtocol='HTTPS' and instanceProtocol='HTTPS')]

REMEDIATION

From Portal

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
  3. Select a load balancer, and choose Listeners, Add listener.
  4. For Protocol : port, choose HTTPS and keep the default port or enter a different port.
  5. (Optional) To authenticate users, for Default actions, choose Add action, Authenticate and provide the requested information. To save the action, choose the Checkmark icon. For more information, see Authenticate users using an Application Load Balancer.
  6. For Default actions, do one of the following:
    a. Choose Add action, Forward to and choose a target group.
    b. Choose Add action, Redirect to and provide the URL for the redirect. For more information, see Redirect actions.
    c. Choose Add action, Return fixed response and provide a response code and optional response body. For more information, see Fixed-response actions.
    To save the action, choose the Checkmark icon.
  7. For Security policy, we recommend that you keep the default security policy.
  8. For Default SSL certificate, do one of the following:
    a. If you created or imported a certificate using AWS Certificate Manager, choose From ACM and choose the certificate.
    b. If you uploaded a certificate using IAM, choose From IAM and choose the certificate.
  9. Choose Save.

From TF

resource "aws_elb" "example" {
	name               = "example"
	availability_zones = ["example1", "example2"]
	listener {
		instance_port     = 8000
		instance_protocol = "https"
		lb_port           = 80
		lb_protocol       = "https"
	}
}

From Command Line

aws elb create-load-balancer-listeners --region REGION_NAME --load-balancer-arn LOAD_BALANCER_ARN --protocol HTTPS --port 443 --certificates CERTIFICATE_ARN --ssl-policy ELBSecurityPolicy-2016-08

References

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
  2. https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-listener.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset