Risk Level: Low
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.CRY.11
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

ELB should not have elbListeners contain [ certificate.expiration before(30, 'days') ]

REMEDIATION

From Portal

Login to the AWS Management Console.
Navigate to EC2 dashboard
Go to Load Balancing and click Load Balancers.
Select the Elastic Load Balancer for which certificate is expiring in one month.
Navigate to the Load Balancer section, and then the Listeners tab. Select the listener and click on View/edit certificates tab, and then click Add Certificate. You can add or import ACM or IAM certificates from here.

From Command Line
Run below Command to replace the SSL certificates that are about to expire with new certificates uploaded to IAM.

aws iam upload-server-certificate --server-certificate-name EXAMPLE_CERTIFICATE --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

Run below command to replace the ELB existing SSL certificate with the newly one uploaded to AWS IAM through upload command in previous step.

aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name EXAMPLE_NAME --load-balancer-port 443 --ssl-certificate-id EXAMPLE_CERTIFICATE_ID

References

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset