Risk Level: High
Cloud Entity: Application Load Balancer
CloudGuard Rule ID: D9.AWS.CRY.12
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

ApplicationLoadBalancer should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]

REMEDIATION

From Portal

Login to the AWS Management Console.
Navigate to EC2 dashboard
Go to Load Balancing and click Load Balancers.
Select the Application Load Balancer for which certificate is expiring in one week.
Navigate to the Load Balancer section, and then the Listeners tab. Select the listener and click on View/edit certificates tab, and then click Add Certificate. You can add or import ACM or IAM certificates from here.

From Command Line
Run below Command to replace the SSL certificates that are about to expire with new certificates uploaded to IAM.

aws iam upload-server-certificate --server-certificate-name EXAMPLE_CERTIFICATE --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

Run below command to replace the ELB existing SSL certificate with the newly one uploaded to AWS IAM through upload command in previous step.

aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name EXAMPLE_NAME --load-balancer-port 443 --ssl-certificate-id EXAMPLE_CERTIFICATE_ID

References

Application Load Balancer

An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.

Compliance Frameworks

AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset