- App-Tier ELB Listener Security
Ensure that your app-tier Amazon Classic Load Balancer listeners are using a secure protocol such as HTTPS or SSL to encrypt the communication between the clients and the load balancers. This conformity rule assumes that all the AWS cloud resources created within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the app-tier tags must be configured in the rule settings, on your Conformity account console.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an app-tier Classic Load Balancer has no listener configured to use secure protocols like HTTPS or SSL, the front-end connection between the application clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when the application behind the load balancer is working with sensitive data such as health and personal records, credentials, and credit card numbers.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the app tier.
Audit
To check your app-tier Classic Load Balancer listeners for secure (HTTPS/SSL) configurations, perform the following operations:
Using AWS Console
01 Sign in to your Trend Cloud One™ – Conformity account, access Enable HTTPS/SSL Listener for App-Tier Load Balancers conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Sign in to the AWS Management Console.
03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
04 In the main navigation panel, under Load Balancing, choose Load Balancers.
05 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.
06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>), then press Enter. This filtering technique will return only the load balancers tagged for the app tier. If no results are returned by the console, there are no Classic Load Balancers tagged within your app tier and the Audit process ends here. If the Amazon EC2 console returns one or more load balancers, continue the Audit with the next step.
07 Select the app-tier Classic Load Balancer that you want to examine.
08 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.
09 Check the protocol of each listener configured for the selected load balancer, available in the Load Balancer Protocol column. If there are no listeners with the HTTPS (Secure HTTP) or the SSL (Secure TCP) protocol, the listeners configuration available for the selected app-tier Classic Load Balancer is not secure and the front-end connection between the clients and the load balancer is not encrypted.
10 Repeat steps no. 7 – 9 for each app-tier Classic Load Balancer provisioned within the current AWS region.
11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Sign in to your Trend Cloud One™ – Conformity account, access Enable HTTPS/SSL Listener for App-Tier Load Balancers conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).
02 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:
aws elb describe-load-balancers --region us-east-1 --query 'LoadBalancerDescriptions[*].LoadBalancerName'
03 The command output should return an array with the requested load balancer name(s):
[ "cc-project5-load-balancer", "cc-frontend-load-balancer" ]
04 Run describe-tags command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the tag sets defined for the selected load balancer:
aws elb describe-tags --region us-east-1 --load-balancer-name cc-project5-load-balancer --query 'TagDescriptions[*].Tags[]'
05 The describe-tags command request should return one of the following outputs:
- If the command output returns an empty array (i.e. []), as shown in the example below, the verified Classic Load Balancer is not tagged at all, therefore the Audit process for the selected resource ends here:
[]
- If the describe-tags command output returns a tag set that is different from the one defined for your app tier, as shown in the example below, the verified load balancer is not a component of the app tier, therefore the Audit process for the selected resource ends here:
[ { "Value": "Admin", "Key": "DevopsTeam" } ]
- If the tag set returned by the describe-tags command output reveals that the selected load balancer is a component of an app tier, as shown in the example below, the Audit process continues with the next step:
[ { "Key": "<app_tier_tag>", "Value": "<app_tier_tag_value>" } ]
06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the app-tier load balancer that you want to examine as the identifier parameter, to determine if the selected load balancer is using secure listeners (HTTPS or SSL):
aws elb describe-load-balancers --region us-east-1 --load-balancer-name cc-project5-load-balancer --query "LoadBalancerDescriptions[*].{ListenerDescriptions:ListenerDescriptions[?Listener.Protocol == 'HTTPS' || Listener.Protocol == 'SSL']}"
07 The command output should list the HTTPS/SSL listeners configuration available for the selected load balancer:
[ { "ListenerDescriptions": [] } ]
If the value of the "ListenerDescriptions" property is an empty array, as shown in the output example above, there are no HTTPS or SSL listeners configured for the verified load balancer, therefore the listeners configuration available for the selected app-tier Classic Load Balancer is not secure and the front-end traffic is not encrypted.
08 Repeat steps no. 6 and 7 for each app-tier Classic Load Balancer provisioned in the selected AWS region.
09 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
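The CLI Audit steps above (tag filter in step 05, listener protocol check in steps 06 and 07) can be run as one pass over saved CLI output. The following script is an added example, not Conformity's or AWS's code: it evaluates the JSON shapes returned by `aws elb describe-load-balancers` (the LoadBalancerDescriptions array) and `aws elb describe-tags` (TagDescriptions[*].Tags[]); the load balancer and tag data embedded below is constructed sample data, and the tag set `cc-tier:app` stands in for your own <app_tier_tag>:<app_tier_tag_value>. It goes slightly beyond the rule by also listing the plaintext listeners that remain on a compliant balancer.

```python
"""Audit app-tier Classic Load Balancers for secure front-end listeners.

Added example (not Conformity's or AWS's code). It evaluates the JSON that
`aws elb describe-load-balancers` and `aws elb describe-tags` return, so it
can be run over saved CLI output; the data below is constructed sample data.
"""
import json
import sys
from typing import Dict, List, Tuple

SECURE_PROTOCOLS = {"HTTPS", "SSL"}

# Assumed app-tier tag set (constructed); replace with the one copied from
# the conformity rule settings.
APP_TIER_TAG_KEY = "cc-tier"
APP_TIER_TAG_VALUE = "app"

# Constructed sample: the LoadBalancerDescriptions array returned by
# describe-load-balancers, trimmed to the fields the audit needs.
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerName": "cc-project5-load-balancer",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                       "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
    {"LoadBalancerName": "cc-frontend-load-balancer",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                       "InstanceProtocol": "HTTP", "InstancePort": 80,
                       "SSLCertificateId": "arn:aws:iam::123456789012:"
                                           "server-certificate/cc-production-certificate"}},
         {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                       "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
    {"LoadBalancerName": "cc-admin-load-balancer",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 22,
                       "InstanceProtocol": "TCP", "InstancePort": 22}}]},
]

# Constructed sample: describe-tags output per load balancer
# (the TagDescriptions[*].Tags[] query from step 04).
SAMPLE_TAGS: Dict[str, List[dict]] = {
    "cc-project5-load-balancer": [{"Key": "cc-tier", "Value": "app"}],
    "cc-frontend-load-balancer": [{"Key": "cc-tier", "Value": "app"}],
    "cc-admin-load-balancer": [{"Key": "DevopsTeam", "Value": "Admin"}],
}


def is_app_tier(tags: List[dict], key: str, value: str) -> bool:
    """Step 05: the balancer is in scope only if it carries the app-tier tag."""
    return any(t.get("Key") == key and t.get("Value") == value for t in tags)


def listeners_by_security(lb: dict) -> Tuple[List[dict], List[dict]]:
    """Steps 06/07: split front-end listeners into secure and plaintext ones."""
    secure, plaintext = [], []
    for desc in lb.get("ListenerDescriptions", []):
        listener = desc["Listener"]
        (secure if listener.get("Protocol") in SECURE_PROTOCOLS else plaintext).append(listener)
    return secure, plaintext


def audit(load_balancers: List[dict], tags_by_name: Dict[str, List[dict]],
          key: str, value: str) -> Dict[str, dict]:
    """Return one finding per app-tier balancer; untagged or other-tier ones are skipped."""
    findings = {}
    for lb in load_balancers:
        name = lb["LoadBalancerName"]
        if not is_app_tier(tags_by_name.get(name, []), key, value):
            continue
        secure, plaintext = listeners_by_security(lb)
        findings[name] = {
            "status": "compliant" if secure else "non-compliant",
            "secure_ports": sorted(l["LoadBalancerPort"] for l in secure),
            # Reported as well: the rule passes with one secure listener, but
            # every remaining HTTP/TCP listener is still an unencrypted path.
            "plaintext_ports": sorted(l["LoadBalancerPort"] for l in plaintext),
        }
    return findings


if __name__ == "__main__":
    # Usage: python audit_elb.py [load-balancers.json tags.json]
    # where the files hold CLI output in the shapes shown above.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            lbs = json.load(f)
        with open(sys.argv[2]) as f:
            tags = json.load(f)
    else:
        lbs, tags = SAMPLE_LOAD_BALANCERS, SAMPLE_TAGS
    print(json.dumps(audit(lbs, tags, APP_TIER_TAG_KEY, APP_TIER_TAG_VALUE), indent=2))
```

Run it once per region against the output of the commands in steps 02 and 04 (saved with `--output json`); balancers that are not tagged for the app tier never appear in the findings, which mirrors where the Audit process ends in step 05.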
Remediation / Resolution
To secure the connection between the clients and the app-tier load balancer by using SSL encryption, update your Classic Load Balancer configuration to use listeners with HTTPS or SSL protocols. To implement HTTPS/SSL protocol for your app-tier load balancer listeners, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Use HTTPS Listener for App-Tier Classic Load Balancer",
  "Resources": {
    "ClassicLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "LoadBalancerName": "cc-project5-load-balancer",
        "Scheme": "internet-facing",
        "SecurityGroups": [
          "sg-0abcdabcdabcdabcd"
        ],
        "Subnets": [
          "subnet-0abcd1234abcd1234",
          "subnet-0abcdabcdabcdabcd",
          "subnet-01234abcd1234abcd",
          "subnet-01234123412341234"
        ],
        "Instances": [
          "i-0abcd1234abcd1234",
          "i-0abcdabcdabcdabcd"
        ],
        "HealthCheck": {
          "Target": "HTTP:80/index.html",
          "HealthyThreshold": "10",
          "UnhealthyThreshold": "2",
          "Interval": "50",
          "Timeout": "5"
        },
        "Listeners": [
          {
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "cc-secure-negotiation-policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
          }
        ],
        "Policies": [
          {
            "PolicyName": "cc-secure-negotiation-policy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ]
          }
        ],
        "Tags": [
          {
            "Key": "<app_tier_tag>",
            "Value": "<app_tier_tag_value>"
          }
        ]
      }
    }
  }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Use HTTPS Listener for App-Tier Classic Load Balancer
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-project5-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
        - subnet-01234123412341234
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS
          PolicyNames:
            - cc-secure-negotiation-policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/cc-production-certificate
      Policies:
        - PolicyName: cc-secure-negotiation-policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
      Tags:
        - Key: <app_tier_tag>
          Value: <app_tier_tag_value>
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
  name            = "cc-project5-load-balancer"
  internal        = false
  security_groups = ["sg-0abcdabcdabcdabcd"]
  subnets         = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234"]
  instances       = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTP:80/index.html"
    interval            = 50
  }

  # Use HTTPS Listener for App-Tier Classic Load Balancer
  listener {
    instance_port      = 80
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
  }

  # The tag key must be the app-tier tag name itself, so that the
  # conformity rule's tag filter recognizes the load balancer.
  tags = {
    "<app_tier_tag>" = "<app_tier_tag_value>"
  }
}

# SSL negotiation policy pinned to a predefined security policy
resource "aws_load_balancer_policy" "cc-ssl-negotiation-policy" {
  load_balancer_name = aws_elb.classic-load-balancer.name
  policy_name        = "cc-secure-negotiation-policy"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

# Attach the negotiation policy to the HTTPS listener on port 443
resource "aws_load_balancer_listener_policy" "cc-https-listener-policy" {
  load_balancer_name = aws_elb.classic-load-balancer.name
  load_balancer_port = 443
  policy_names = [
    aws_load_balancer_policy.cc-ssl-negotiation-policy.policy_name
  ]
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.
05 Select the app-tier Classic Load Balancer that you want to reconfigure.
06 Select the Listeners tab from the console bottom panel and choose Edit to update the listeners configuration.
07 Inside the Edit listeners configuration box, perform the following operations:
- Choose Add to create a new listener.
- Select HTTPS (Secure HTTP) or SSL (Secure TCP) from the Load Balancer Protocol dropdown list.
- In the Cipher column, choose Change, select the Predefined Security Policy option, and choose the latest security policy available in the policy dropdown list (e.g. ELBSecurityPolicy-TLS-1-2-2017-01). If you want to use a custom policy, select Custom Security Policy and configure your own TLS/SSL policy. Choose Save to apply the changes.
- In the SSL Certificate column, select Change, and choose one of the following options:
- Select Choose a certificate from ACM (recommended) and select an existing SSL certificate purchased via Amazon Certificate Manager (ACM) from the Certificate dropdown list. If you haven’t purchased one yet, choose Request a new certificate from ACM and the AWS Management Console will redirect your request to the ACM service console where you can buy the required SSL/TLS certificate. Choose Save to apply the changes.
- Select Choose a certificate from IAM and select an existing SSL/TLS certificate uploaded previously to Amazon IAM from the Certificate dropdown list. Choose Save to apply the changes.
- Select Upload a certificate to IAM to deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Private key, Certificate body and Certificate chain (optional) boxes, information granted by the SSL provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box. Choose Save to apply the changes.
08 Back in the Edit listeners box, review the configuration for the secure listener, then choose Save to deploy the new listener. If successful, the following confirmation message should be displayed: "Finished updating listeners. Your listeners have been successfully updated.". Choose Close to return to the Amazon EC2 console.
09 Repeat steps no. 5 – 8 for each app-tier Classic Load Balancer that you want to reconfigure, available within the current AWS region.
10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Depending on the AWS cloud service used to manage your TLS/SSL certificates, perform one of the following actions:
- Get the Amazon Resource Name (ARN) of the SSL certificate purchased via Amazon ACM. The certificate ARN will be required during HTTPS/SSL listener configuration:
- Run list-certificates command (OSX/Linux/UNIX) to describe the ARN(s) and domain name(s) of the SSL certificate(s) purchased with Amazon ACM:
aws acm list-certificates --region us-east-1
- The command output should return the requested information:
{ "CertificateSummaryList": [ { "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012", "DomainName": "www.domain.com" } ] }
- Get the ARN of your SSL certificate(s) uploaded to Amazon IAM:
- Run list-server-certificates command (OSX/Linux/UNIX) to describe the metadata (certificate ARN(s), name(s), etc.), available for the SSL certificate(s) uploaded to Amazon IAM:
aws iam list-server-certificates
- The command output should return the requested metadata:
{ "ServerCertificateMetadataList": [ { "ServerCertificateName": "cc-production-certificate", "Expiration": "2022-06-07T23:59:59Z", "Path": "/", "Arn": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate", "UploadDate": "2021-06-07T23:59:59Z" } ] }
02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a new, secure HTTPS listener for your app-tier load balancer using the SSL certificate identified at the previous step. The following command example creates a front-end HTTPS listener for an app-tier load balancer named "cc-project5-load-balancer" using an SSL certificate identified by the ARN "arn:aws:iam::123456789012:server-certificate/cc-production-certificate" (the command does not produce an output):
aws elb create-load-balancer-listeners --region us-east-1 --load-balancer-name cc-project5-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/cc-production-certificate
03 Repeat step no. 2 for each app-tier Classic Load Balancer that you want to reconfigure, available in the selected AWS region.
04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
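Two things make step 02 fail or leave the front end weaker than intended: a listener already bound to the chosen port (the API rejects a listener that conflicts with an existing one on the same port with a DuplicateListener error), and a certificate that is expired or close to expiry. The following script is an added example, not Conformity's or AWS's code: it takes the certificate metadata from the list-server-certificates output in step 01 and the balancer's current ListenerDescriptions from the Audit section, runs both checks, and only then builds the create-load-balancer-listeners command line from step 02. The sample data is constructed, reusing the names and ARNs from the page's own examples; the 30-day expiry margin is an assumed threshold.

```python
"""Prepare the create-load-balancer-listeners call for a non-compliant
app-tier Classic Load Balancer.

Added example (not Conformity's or AWS's code). Checks port conflicts and
certificate expiry before emitting the CLI command. Sample data constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed sample: one entry of ServerCertificateMetadataList from
# `aws iam list-server-certificates` (step 01).
SAMPLE_CERT = {
    "ServerCertificateName": "cc-production-certificate",
    "Expiration": "2022-06-07T23:59:59Z",
    "Arn": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate",
}

# Constructed sample: ListenerDescriptions of a balancer that only serves HTTP:80.
SAMPLE_LISTENERS = [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}},
]


def parse_utc(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps the AWS CLI prints (e.g. 2022-06-07T23:59:59Z)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def port_in_use(listener_descriptions: List[dict], lb_port: int) -> bool:
    """True if a front-end listener is already bound to lb_port."""
    return any(d["Listener"]["LoadBalancerPort"] == lb_port for d in listener_descriptions)


def days_until_expiry(cert_metadata: dict, now: datetime) -> float:
    """Days left on the certificate; negative once it has expired."""
    return (parse_utc(cert_metadata["Expiration"]) - now) / timedelta(days=1)


def build_listener_command(region: str, lb_name: str, listener_descriptions: List[dict],
                           cert_metadata: dict, now: datetime, lb_port: int = 443,
                           instance_port: int = 80, min_days: int = 30) -> str:
    """Return the step-02 command, or raise ValueError when it should not be run yet."""
    if port_in_use(listener_descriptions, lb_port):
        # CreateLoadBalancerListeners fails with DuplicateListener when the port
        # already carries a listener with different properties.
        raise ValueError(f"{lb_name}: port {lb_port} already has a listener; "
                         "review or remove it before adding the HTTPS listener")
    left = days_until_expiry(cert_metadata, now)
    if left < min_days:
        # Binding a certificate that is about to expire just moves the outage.
        raise ValueError(f"{cert_metadata['ServerCertificateName']} expires in "
                         f"{left:.0f} days; renew it before binding it to the listener")
    listener = (f"Protocol=HTTPS,LoadBalancerPort={lb_port},InstanceProtocol=HTTP,"
                f"InstancePort={instance_port},SSLCertificateId={cert_metadata['Arn']}")
    return (f"aws elb create-load-balancer-listeners --region {region} "
            f"--load-balancer-name {lb_name} --listeners {listener}")


if __name__ == "__main__":
    # Constructed "now" so the sample certificate is still within its validity.
    print(build_listener_command("us-east-1", "cc-project5-load-balancer",
                                 SAMPLE_LISTENERS, SAMPLE_CERT,
                                 parse_utc("2022-01-01T00:00:00Z")))
```

With a real `datetime.now(timezone.utc)` the sample certificate is rejected as expired, which is the behaviour wanted: the script refuses to emit a command that would bind a certificate browsers already distrust.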
References
- AWS Documentation
- What Is Elastic Load Balancing?
- Listeners for your Classic Load Balancer
- Configure an HTTPS listener for your Classic Load Balancer
- Update the SSL negotiation configuration of your Classic Load Balancer
- AWS Command Line Interface (CLI) Documentation
- elb
- describe-load-balancers
- describe-tags
- create-load-balancer-listeners
- list-certificates
- list-server-certificates
- CloudFormation Documentation
- AWS::ElasticLoadBalancing::LoadBalancer
- Terraform Documentation
- AWS Provider