ELB secured listener certificate expires in one week
Ensure that SSL/TLS certificates stored in AWS IAM are renewed one week before expiry.
Risk Level: High
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.CRY.10
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
ELB should not have elbListeners contain [ certificate.expiration before(7, 'days') ]
REMEDIATION
From Portal
- Login to the AWS Management Console.
- Navigate to EC2 dashboard
- Go to Load Balancing and click Load Balancers.
- Select the Elastic Load Balancer for which certificate is expiring in one week.
- Navigate to the Load Balancer section, and then the Listeners tab. Select the listener and click on View/edit certificates tab, and then click Add Certificate. You can add or import ACM or IAM certificates from here.
From Command Line
Run below Command to replace the SSL certificates that are about to expire with new certificates uploaded to IAM.
aws iam upload-server-certificate --server-certificate-name EXAMPLE_CERTIFICATE --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem
Run below command to replace the ELB existing SSL certificate with the newly one uploaded to AWS IAM through upload command in previous step.
aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name EXAMPLE_NAME --load-balancer-port 443 --ssl-certificate-id EXAMPLE_CERTIFICATE_ID
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
- https://aws.amazon.com/certificate-manager/
- https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html
Elastic Load Balancing (ELB)
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.
Compliance Frameworks
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago