- ELB Listener Security
Ensure that your Amazon Classic Load Balancer listeners are using a secure protocol (HTTPS or SSL) in order to encrypt the communication between the clients and your load balancers.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When a Classic Load Balancer has no listener configured to use secure protocols like HTTPS or SSL, the front-end connection between the clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when transmitting sensitive, private data such as credit card numbers.
Audit
To check your Classic Load Balancer listeners for secure (HTTPS/SSL) configurations, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.
05 Select the Classic Load Balancer that you want to examine.
06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.
07 Check the protocol of each listener configured for the selected load balancer, available in the Load Balancer Protocol column. If there are no listeners with the HTTPS (Secure HTTP) or the SSL (Secure TCP) protocol, the listeners configuration defined for the selected Amazon Classic Load Balancer is not secure (i.e. the connection between the clients and the load balancer is not encrypted).
08 Repeat steps no. 5 – 7 for each Classic Load Balancer provisioned within the current AWS region.
09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:
aws elb describe-load-balancers --region us-east-1 --query 'LoadBalancerDescriptions[*].LoadBalancerName'
02 The command output should return an array with the requested load balancer name(s):
[ "cc-project5-load-balancer", "cc-frontend-load-balancer" ]
03 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to examine as the identifier parameter, to determine if the selected load balancer is using secure listeners (HTTPS or SSL):
aws elb describe-load-balancers --region us-east-1 --load-balancer-name cc-project5-load-balancer --query "LoadBalancerDescriptions[*].{ListenerDescriptions:ListenerDescriptions[?Listener.Protocol == 'HTTPS' || Listener.Protocol == 'SSL']}"
04 The command output should list the HTTPS/SSL listeners configuration available for the selected load balancer:
[ { "ListenerDescriptions": [] } ]
If the value of the "ListenerDescriptions" property is an empty array (i.e. []), as shown in the output example above, there are no HTTPS or SSL listeners configured for the verified load balancer; therefore the listeners configuration available for the selected Amazon Classic Load Balancer is not secure and the front-end traffic is not encrypted.
05 Repeat steps no. 3 and 4 for each Classic Load Balancer provisioned in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
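The CLI audit above relies on a JMESPath filter; the following added Python script (not part of the Conformity rule or the AWS CLI) applies the same check offline to the raw JSON that describe-load-balancers returns, flags every Classic Load Balancer with no HTTPS/SSL listener, and also lists any plaintext front-end listeners that remain. The sample document and load balancer names are constructed for the example.

```python
import json

# Constructed sample in the shape of `aws elb describe-load-balancers` output,
# trimmed to the fields this check needs.
SAMPLE_OUTPUT = json.dumps({
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "cc-project5-load-balancer",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80},
                 "PolicyNames": []},
            ],
        },
        {
            "LoadBalancerName": "cc-frontend-load-balancer",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTP", "InstancePort": 80,
                              "SSLCertificateId": "arn:aws:iam::123456789012:"
                                                  "server-certificate/cc-production-certificate"},
                 "PolicyNames": ["cc-secure-negotiation-policy"]},
            ],
        },
    ]
})

SECURE_PROTOCOLS = {"HTTPS", "SSL"}  # the two front-end protocols the rule accepts


def audit_listeners(describe_output: str) -> dict:
    """Map each load balancer name to a list of findings (empty list = compliant)."""
    findings = {}
    for lb in json.loads(describe_output)["LoadBalancerDescriptions"]:
        listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
        issues = []
        # Rule condition: at least one listener must use HTTPS or SSL.
        if not any(l["Protocol"] in SECURE_PROTOCOLS for l in listeners):
            issues.append("no HTTPS/SSL listener: front-end traffic is not encrypted")
        # Extra context for the reviewer: which ports still accept plaintext.
        for l in listeners:
            if l["Protocol"] not in SECURE_PROTOCOLS:
                issues.append(f"plaintext {l['Protocol']} listener on port {l['LoadBalancerPort']}")
        findings[lb["LoadBalancerName"]] = issues
    return findings


def noncompliant(describe_output: str) -> list:
    """Names of load balancers that fail the rule (no secure listener at all)."""
    return [name for name, issues in audit_listeners(describe_output).items()
            if any(i.startswith("no HTTPS/SSL") for i in issues)]


if __name__ == "__main__":
    for name, issues in audit_listeners(SAMPLE_OUTPUT).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Feed it the output of describe-load-balancers for each region to get the same verdict the manual steps produce, plus the list of plaintext ports to clean up.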
Remediation / Resolution
To secure the connection between the clients and the Classic Load Balancer by using SSL encryption, update your load balancer configuration to use listeners with HTTPS or SSL protocols. To implement HTTPS/SSL protocol for your load balancer listeners, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Use HTTPS Listener for Classic Load Balancer",
  "Resources": {
    "ClassicLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "LoadBalancerName": "cc-frontend-load-balancer",
        "Scheme": "internet-facing",
        "SecurityGroups": [ "sg-0abcdabcdabcdabcd" ],
        "Subnets": [ "subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234" ],
        "Instances": [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd" ],
        "HealthCheck": {
          "Target": "HTTP:80/index.html",
          "HealthyThreshold": "10",
          "UnhealthyThreshold": "2",
          "Interval": "50",
          "Timeout": "5"
        },
        "Listeners": [{
          "InstancePort": "80",
          "InstanceProtocol": "HTTP",
          "LoadBalancerPort": "443",
          "Protocol": "HTTPS",
          "PolicyNames": [ "cc-secure-negotiation-policy" ],
          "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
        }],
        "Policies": [{
          "PolicyName": "cc-secure-negotiation-policy",
          "PolicyType": "SSLNegotiationPolicyType",
          "Attributes": [{
            "Name": "Reference-Security-Policy",
            "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
          }]
        }]
      }
    }
  }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Use HTTPS Listener for Classic Load Balancer
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
        - subnet-01234123412341234
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS
          PolicyNames:
            - cc-secure-negotiation-policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/cc-production-certificate
      Policies:
        - PolicyName: cc-secure-negotiation-policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
  name            = "cc-frontend-load-balancer"
  internal        = false
  security_groups = ["sg-0abcdabcdabcdabcd"]
  subnets         = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234"]
  instances       = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTP:80/index.html"
    interval            = 50
  }

  # Use HTTPS Listener for Classic Load Balancer
  listener {
    instance_port      = 80
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
  }
}

resource "aws_load_balancer_policy" "cc-ssl-negotiation-policy" {
  load_balancer_name = aws_elb.classic-load-balancer.name
  policy_name        = "cc-secure-negotiation-policy"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

resource "aws_load_balancer_listener_policy" "cc-https-listener-policy" {
  load_balancer_name = aws_elb.classic-load-balancer.name
  load_balancer_port = 443
  policy_names = [
    aws_load_balancer_policy.cc-ssl-negotiation-policy.policy_name
  ]
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.
05 Select the Classic Load Balancer that you want to reconfigure.
06 Select the Listeners tab from the console bottom panel and choose Edit to update the listeners configuration.
07 Inside the Edit listeners configuration box, perform the following operations:
- Choose Add to create a new listener.
- Select HTTPS (Secure HTTP) or SSL (Secure TCP) from the Load Balancer Protocol dropdown list.
- In the Cipher column, choose Change, select the Predefined Security Policy option, and choose the latest security policy available in the policy dropdown list (e.g. ELBSecurityPolicy-TLS-1-2-2017-01). If you want to use a custom policy, select Custom Security Policy and configure your own TLS/SSL policy. Choose Save to apply the changes.
- In the SSL Certificate column, select Change, and choose one of the following options:
- Select Choose a certificate from ACM (recommended) and select an existing SSL certificate purchased via Amazon Certificate Manager (ACM) from the Certificate dropdown list. If you haven’t purchased one yet, choose Request a new certificate from ACM and the AWS Management Console will redirect your request to the ACM service console where you can buy the required SSL/TLS certificate. Choose Save to apply the changes.
- Select Choose a certificate from IAM and select an existing SSL/TLS certificate uploaded previously to Amazon IAM from the Certificate dropdown list. Choose Save to apply the changes.
- Select Upload a certificate to IAM to deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Private key, Certificate body and Certificate chain (optional) boxes, information granted by the SSL provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box. Choose Save to apply the changes.
08 Back in the Edit listeners box, review the configuration for the secure listener, then choose Save to deploy the new listener. If successful, the following confirmation message should be displayed: "Finished updating listeners. Your listeners have been successfully updated.". Choose Close to return to the Amazon EC2 console.
09 Repeat steps no. 5 – 8 for each Classic Load Balancer that you want to reconfigure, available within the current AWS region.
10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Depending on the AWS cloud service used to manage your TLS/SSL certificates, perform one of the following actions:
- Get the Amazon Resource Name (ARN) of the SSL certificate purchased via Amazon ACM. The certificate ARN will be required during HTTPS/SSL listener configuration:
- Run list-certificates command (OSX/Linux/UNIX) to describe the ARN(s) and domain name(s) of the SSL certificate(s) purchased with Amazon ACM:
aws acm list-certificates --region us-east-1
- The command output should return the requested information:
{ "CertificateSummaryList": [ { "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012", "DomainName": "www.domain.com" } ] }
- Get the ARN of your SSL certificate(s) uploaded to Amazon IAM:
- Run list-server-certificates command (OSX/Linux/UNIX) to describe the metadata (certificate ARN(s), name(s), etc.), available for the SSL certificate(s) uploaded to Amazon IAM:
aws iam list-server-certificates
- The command output should return the requested metadata:
{ "ServerCertificateMetadataList": [ { "ServerCertificateName": "cc-production-certificate", "Expiration": "2022-06-07T23:59:59Z", "Path": "/", "Arn": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate", "UploadDate": "2021-06-07T23:59:59Z" } ] }
02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a secure HTTPS listener for your Classic Load Balancer using the SSL certificate identified at the previous step. The following command example creates a front-end HTTPS listener for a load balancer named "cc-project5-load-balancer" using an SSL certificate identified by the ARN "arn:aws:iam::123456789012:server-certificate/cc-production-certificate" (the command does not produce an output):
aws elb create-load-balancer-listeners --region us-east-1 --load-balancer-name cc-project5-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/cc-production-certificate
03 Repeat step no. 2 for each Classic Load Balancer that you want to reconfigure, available in the selected AWS region.
04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- What Is Elastic Load Balancing?
- Listeners for your Classic Load Balancer
- Configure an HTTPS listener for your Classic Load Balancer
- Update the SSL negotiation configuration of your Classic Load Balancer
- AWS Command Line Interface (CLI) Documentation
- elb
- describe-load-balancers
- describe-tags
- create-load-balancer-listeners
- list-certificates
- list-server-certificates
- CloudFormation Documentation
- AWS::ElasticLoadBalancing::LoadBalancer
- Terraform Documentation
- AWS Provider