Add SSL/TLS Server Certificates to App-Tier ELBs

Risk Level: High (not acceptable risk)

Ensure that your app-tier AWS Elastic Load Balancers (ELBs) are using SSL/TLS certificates to encrypt the communication between your application users and the load balancer. When you use HTTPS/SSL for the ELB front-end listeners, you must deploy an SSL/TLS (X.509) certificate on your load balancer. An X.509 certificate is a digital form of identification issued by a trusted certificate authority. This certificate is used by the app-tier ELB to terminate the connection and decrypt requests from users before sending them to the backend instances. This conformity rule assumes that all AWS resources available in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be specified on the Cloud Conformity dashboard, in the rule settings.

Security

Attaching valid SSL/TLS (X.509) certificates to ELB HTTPS/SSL listeners will make sure that the front-end traffic is encrypted and the application data is protected against eavesdropping and sniffing attacks.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if your app-tier ELBs have SSL/TLS certificates attached to HTTPS/SSL listeners, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Add SSL/TLS Server Certificates to App-Tier ELBs conformity rule settings and copy the tags defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering method will return only the load balancers tagged for the app tier. If no results are returned, there are no ELBs tagged within your app tier and the audit process ends here. If the EC2 dashboard lists one or more load balancers, continue the audit process with the next step.

06 Select the app-tier ELB that you want to examine.

07 Select the Listeners tab from the bottom panel.

08 Under Load Balancer Protocol column, check for any listeners with HTTPS (Secure HTTP) or SSL (Secure TCP) protocols. If there are no HTTPS/SSL listeners created, the selected app-tier ELB does not use any SSL/TLS server certificates to encrypt the front-end connection between the application users and the load balancer.

09 Repeat steps no. 6 – 8 to determine if other ELBs created for your app tier in the selected AWS region, have SSL/TLS server certificates attached.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

Using AWS CLI

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs provisioned in the selected AWS region:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

aws elb describe-load-balancers
	--region us-east-1
	--output table
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

-----------------------
|DescribeLoadBalancers|
+---------------------+
|  cc-main-app-elb    |
+---------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

aws elb describe-tags
	--region us-east-1
	--load-balancer-name cc-main-app-elb
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

If describe-tags command output returns an empty array, as shown in the example below, the verified ELB is not tagged, therefore the audit process for the selected resource ends here:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
```
[]
```
If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your app tier, therefore the audit process for the selected load balancer ends here:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
```
[
    {
        "Value": "Version",
        "Key": "Beta-1.2"
    }
]
```
If describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified AWS ELB is tagged as a app-tier resource, therefore the audit process continues with the next step:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
```
[
    {
        "Value": "<app_tier_tag_value>",
        "Key": "<app_tier_tag>"
    }
]
```

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the load balancer identified at the previous step as identifier to describe the ELB listeners configuration and determine if the selected app-tier load balancer has any SSL/TLS server certificates attached:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name cc-main-app-elb
	--query "LoadBalancerDescriptions[*].{ListenerDescriptions:ListenerDescriptions[?Listener.SSLCertificateId != null]}"

07 The command output should list the requested configuration metadata:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

[
    {
        "ListenerDescriptions": []
    }
]

If value of the "ListenerDescriptions" attribute is an empty array, as shown in the example above, the selected app-tier ELB does not have a listener configured with a SSL/TLS server certificate, therefore the front-end traffic between the application users and the load balancer is not encrypted.

08 Repeat step no. 6 and 7 to determine if other ELBs available in your app tier within the selected AWS region, have SSL/TLS server certificates attached.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.

Remediation / Resolution

To secure the traffic between your application users and the app-tier load balancer using SSL encryption, update your ELB configuration to attach an SSL/TLS server certificate. To attach an SSL/TLS (X.509) certificate to your ELB HTTPS/SSL listener, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the app-tier load balancer that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Listeners tab from the bottom panel and click the Edit button under the available listener(s).

06 Inside the Edit listeners dialog box, click Add to add a new listener.

07 In the Load Balancer Protocol dropdown list, select HTTPS (Secure HTTP) or SSL (Secure TCP).

08 In the SSL Certificate column, click Change and select one of the following options:

Choose a certificate from ACM (recommended) - to use an existing SSL/TLS certificate purchased via Amazon Certificate Manager (ACM). If you haven’t purchased yet any SSL/TLS certificates you can request one by clicking Request a new certificate from ACM link and AWS will redirect your request to the ACM service dashboard where you can buy the required certificate. Once the SSL/TLS certificate is selected from the Certificate dropdown list, click Save to apply the changes.
Choose a certificate from IAM - to use an existing SSL certificate uploaded previously to the Identity and Access Management (IAM) service using the AWS console. Select the name of the SSL/TLS certificate that you want install from the Certificate dropdown list. Click Save to apply the configuration changes.
Upload a certificate to IAM - deploy an SSL certificate purchased from a third-party provider by entering the required keys (PEM encoded) inside the Private Key, Certificate body and Certificate chain boxes, keys granted by the SSL provider from which you purchased the certificate. Ensure that you provide a unique name for the uploaded SSL/TLS certificate in the Certificate name box, then click Save to apply the changes.

09 Back to the Edit listeners dialog box, review the new listener configuration, then click Save. If successful, the following message will be displayed: “Finished updating listeners. Your listeners have been successfully updated.”. Click Close to return to the AWS dashboard.

10 Repeat steps no. 4 – 10 to attach an SSL/TLS server certificate to each app-tier ELB that needs to secure its front-end traffic, available in the selected region.

11 Change the AWS region from the navigation bar and repeat steps no. 4 – 11 for other regions.

Using AWS CLI

01 To attach an SSL/TLS (X.509) certificate to your app-tier ELB listener(s), you need to obtain first the certificate Amazon Resource Name (ARN). Depending on the AWS service used to manage your server certificates, perform one of the following actions:

Get the ARN of the certificate(s) purchased via Amazon Certificate Manager:
- Run list-certificates command (OSX/Linux/UNIX) to describe the ARN(s) and domain name(s) of the SSL/TLS certificate(s) purchased via AWS ACM:
  123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
```
aws acm list-certificates
	--region us-east-1
```
- The command output should return the requested information:
  123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
```
{
   "CertificateSummaryList": [
      {
       "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11112222-1234-1234-1234-123456789012",
       "DomainName": "www.cloudconformity.com"
      }
   ]
}
```
Get the ARN of your SSL/TLS certificate(s) uploaded to AWS Identity and Access Management (IAM) service:
- Run list-server-certificates command (OSX/Linux/UNIX) to describe the metadata (ARN(s), name(s), upload date(s), etc), available for the server certificate(s) uploaded to AWS IAM:
  123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
```
aws iam list-server-certificates
```
- The command output should return the requested metadata:
  123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
```
{
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateName": "cc-main-app-certificate",
            "Expiration": "2019-01-02T23:59:59Z",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:server-certificate/cc-main-app-certificate",
            "UploadDate": "2018-01-04T12:21:18Z"
        }
    ]
}
```

02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a new HTTPS/SSL listener for the selected app-tier ELB and attach the SSL/TLS server certificate identified by its ARN, found at the previous step. The following command example will create an HTTPS listener for an app-tier ELB named "cc-main-app-elb" using an SSL/TLS certificate identified by the ARN "arn:aws:iam::123456789012:server-certificate/cc-main-app-certificate" (the command does not produce an output):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

aws elb create-load-balancer-listeners
	--region us-east-1
	--load-balancer-name cc-main-app-elb
	--listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/cc-main-app-certificate

03 Repeat step no. 2 to attach an SSL/TLS server certificate to each app-tier load balancer that needs to secure its front-end traffic, available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

References

AWS Command Line Interface (CLI) Documentation
elb
describe-load-balancers
describe-tags
create-load-balancer-listeners
acm
list-certificates
iam
list-server-certificates

Publication date Mar 9, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ELB rules