Ensure AWS Application Load Balancer (ALB) listeners block connection requests over HTTP

Checks for Application Load Balancer (ALB) listeners that are configured to accept connection requests over HTTP instead of HTTPS. Use HTTPS instead of HTTP so that communication between the application clients and the Application Load Balancer is encrypted.

Risk Level: High
Cloud Entity: Application Load Balancer
CloudGuard Rule ID: D9.AWS.NET.40
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

ApplicationLoadBalancer should not have listeners contain [ protocol='HTTP' ]
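
The same condition evaluated offline, as an added example that is not CloudGuard's own code: it scans data shaped like `aws elbv2 describe-listeners` output and reports every listener whose protocol is HTTP. The sample data, the ARNs and the function names are constructed for illustration, and the `redirect_only` field is an extra annotation that is not part of the rule.

```python
# Constructed sample in the shape of `aws elbv2 describe-listeners` output.
# All ARNs are made-up placeholders.
ARN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:"
SAMPLE = {"Listeners": [
    {"ListenerArn": ARN + "listener/app/web/00/01",
     "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": ARN + "targetgroup/web/aa"}]},
    {"ListenerArn": ARN + "listener/app/web/00/02",
     "Port": 8080, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                            "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": ARN + "listener/app/web/00/03",
     "Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": ARN + "targetgroup/web/aa"}]},
]}


def redirects_to_https(listener):
    """True if every default action is a redirect whose target protocol is HTTPS."""
    actions = listener.get("DefaultActions", [])
    return bool(actions) and all(
        a.get("Type") == "redirect"
        and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions
    )


def find_http_listeners(describe_output):
    """Return one finding per listener whose protocol is HTTP (the rule's condition)."""
    findings = []
    for listener in describe_output.get("Listeners", []):
        if listener.get("Protocol", "").upper() != "HTTP":
            continue
        findings.append({
            "listener_arn": listener.get("ListenerArn"),
            "port": listener.get("Port"),
            # Annotation only: the listener still fails the rule as written.
            "redirect_only": redirects_to_https(listener),
        })
    return findings


if __name__ == "__main__":
    for f in find_http_listeners(SAMPLE):
        kind = "redirects to HTTPS" if f["redirect_only"] else "serves traffic over HTTP"
        print(f"FAIL {f['listener_arn']} port {f['port']}: {kind}")
```

Only the listener's default actions are inspected here; additional listener rules are outside what this example checks.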

REMEDIATION

From Portal

  1. Log in to the AWS Management Console and open the EC2 console at https://console.aws.amazon.com/ec2/.
  2. Select 'Load Balancers' (Left Panel)
  3. Select the Application Load Balancer
  4. Select 'Listeners' tab
  5. 'Edit' the 'Listener ID' rule that uses HTTP
  6. Select 'HTTPS' and set the other options under 'Protocol : port'

From TF
Use the HTTPS protocol instead of the HTTP protocol on the listener:

# The protocol, ssl_policy, certificate_arn and default_action arguments
# belong to the listener resource (aws_lb_listener), not to a target group.
resource "aws_lb_listener" "test" {
	load_balancer_arn = aws_lb.front_end.arn
	port              = 443
	- protocol = "HTTP"
	+ protocol = "HTTPS"
	ssl_policy        = "ELBSecurityPolicy-2016-08"
	certificate_arn   = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"

	default_action {
		type             = "forward"
		target_group_arn = aws_lb_target_group.front_end.arn
	}
}

From Command Line
To modify the existing load balancer listener, run:

aws elbv2 modify-listener --region us-east-1 --listener-arn ARN --default-actions file://FILE.json

OR
To create a new HTTPS listener on the load balancer, run:

aws elbv2 create-listener --region us-east-1 --load-balancer-arn ARN --protocol HTTPS --port 443 --certificates CERTIFICATE --ssl-policy POLICY --default-actions Type=forward,TargetGroupArn=ARN

References

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html
  2. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/tutorial-application-load-balancer-cli.html
  3. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html
  4. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html
  5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener

Application Load Balancer

An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset