
Web-Tier ELB Listener Security

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ELB-017

Ensure that your web-tier Amazon Classic Load Balancer listeners are using a secure protocol such as HTTPS or SSL to encrypt the communication between the clients and the load balancers. This conformity rule assumes that all the AWS cloud resources created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the web-tier tags must be configured in the rule settings, on your Conformity account console.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When a web-tier Classic Load Balancer has no listener using a secure protocol (HTTPS, or SSL for TLS over plain TCP), the front-end connection between the application clients and the load balancer is carried in clear text and is exposed to eavesdropping and Man-in-the-Middle (MITM) attacks. The risk is higher still when the web application behind the load balancer handles sensitive data such as health and personal records, credentials, or credit card numbers. Configuring a secure listener on the web-tier Classic Load Balancer ensures that the front-end traffic is encrypted with TLS and that client data is protected in transit. Note that this rule covers only the client-to-load-balancer leg: the listener's instance protocol determines whether traffic from the load balancer to the back-end instances is encrypted as well.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the web tier.


Audit

To check your web-tier Classic Load Balancer listeners for secure (HTTPS/SSL) configurations, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Enable HTTPS/SSL Listener for Web-Tier Load Balancers conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

04 In the main navigation panel, under Load Balancing, choose Load Balancers.

05 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>), then press Enter. This filtering technique will return only the load balancers tagged for the web tier. If no results are returned by the console, there are no Classic Load Balancers tagged within your web tier and the Audit process ends here. If the Amazon EC2 console returns one or more load balancers, continue the Audit with the next step.

07 Select the web-tier Classic Load Balancer that you want to examine.

08 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

09 Check the protocol of each listener configured for the selected load balancer, available in the Load Balancer Protocol column. If there are no listeners with the HTTPS (Secure HTTP) or the SSL (Secure TCP) protocol, the listeners configuration available for the selected web-tier Classic Load Balancer is not secure and the front-end connection between the clients and the load balancer is not encrypted.

10 Repeat steps no. 7 – 9 for each web-tier Classic Load Balancer provisioned within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Enable HTTPS/SSL Listener for Web-Tier Load Balancers conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return an array with the requested load balancer name(s):

[
  "cc-frontend-load-balancer",
  "cc-project5-load-balancer"
]

04 Run describe-tags command (OSX/Linux/UNIX) with the name of the Classic Load Balancer that you want to examine as the --load-balancer-names parameter value and custom query filters to describe the tag set defined for the selected load balancer:

aws elb describe-tags \
  --region us-east-1 \
  --load-balancer-names cc-frontend-load-balancer \
  --query 'TagDescriptions[*].Tags[]'

05 The describe-tags command request should return one of the following outputs:

  1. If the command output returns an empty array (i.e. []), as shown in the example below, the verified Classic Load Balancer is not tagged at all, therefore the Audit process for the selected resource ends here:
    []
    
  2. If the describe-tags command output returns a tag set that does not contain the web-tier tag set copied at step no. 1, as shown in the example below, the verified load balancer is not a component of the web tier, therefore the Audit process for the selected resource ends here:
    [
      {
        "Key": "Environment",
        "Value": "Production"
      }
    ]
    
  3. If the tag set returned by the describe-tags command output reveals that the selected load balancer is a component of a web tier, as shown in the example below, the Audit process continues with the next step:
    [
      {
        "Key": "<web_tier_tag>",
        "Value": "<web_tier_tag_value>"
      }
    ]
    

06 Run describe-load-balancers command (OSX/Linux/UNIX) with the name of the web-tier load balancer that you want to examine as the --load-balancer-names parameter value, to determine whether the selected load balancer has any secure listeners (HTTPS or SSL):

aws elb describe-load-balancers \
  --region us-east-1 \
  --load-balancer-names cc-frontend-load-balancer \
  --query "LoadBalancerDescriptions[*].{ListenerDescriptions:ListenerDescriptions[?Listener.Protocol == 'HTTPS' || Listener.Protocol == 'SSL']}"

07 The command output should list the HTTPS/SSL listeners configuration available for the selected load balancer:

[
  {
    "ListenerDescriptions": []
  }
]

If the value of the "ListenerDescriptions" property is an empty array, as shown in the output example above, there are no HTTPS or SSL listeners configured for the verified load balancer, therefore the listener configuration of the selected web-tier Classic Load Balancer is not secure and the front-end traffic is not encrypted.

08 Repeat steps no. 6 and 7 for each web-tier Classic Load Balancer provisioned in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
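The Audit steps above can be automated over the same CLI output. The following Python script is an added example and is not part of the Conformity rule content: it takes the JSON that aws elb describe-load-balancers and aws elb describe-tags print (replaced here by constructed sample data in the same shape), keeps only the load balancers carrying the web-tier tag set, and reports, per load balancer, whether at least one HTTPS/SSL listener exists, together with two things the pass/fail check alone does not show: plaintext listeners that remain open beside the secure one, and secure listeners whose instance protocol forwards traffic to the back end in clear text. The load balancer names, tag placeholders and listener layouts in the sample are assumptions.

```python
"""Audit web-tier Classic Load Balancers for secure (HTTPS/SSL) front-end listeners.

Works on the JSON printed by the two CLI commands used in the Audit section, so it
can be run offline on saved output:

    aws elb describe-load-balancers --region us-east-1 > lbs.json
    aws elb describe-tags --region us-east-1 --load-balancer-names <name>... > tags.json
    python audit_clb_listeners.py lbs.json tags.json <web_tier_tag> <web_tier_tag_value>
"""
import json
import sys
from typing import Dict, List

SECURE_PROTOCOLS = {"HTTPS", "SSL"}

# Constructed sample data (not real AWS output), shaped like the two CLI responses.
SAMPLE_LOAD_BALANCERS = {
    "LoadBalancerDescriptions": [
        {   # web tier, HTTP only -> non-compliant
            "LoadBalancerName": "cc-frontend-load-balancer",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80}, "PolicyNames": []},
            ],
        },
        {   # web tier, HTTPS present -> passes the rule, but HTTP:80 is still open and the back end is plaintext
            "LoadBalancerName": "cc-project5-load-balancer",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTP", "InstancePort": 80,
                              "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"},
                 "PolicyNames": ["cc-secure-negotiation-policy"]},
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80}, "PolicyNames": []},
            ],
        },
        {   # tagged, but not web tier -> out of scope for this rule
            "LoadBalancerName": "cc-backend-load-balancer",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 8080,
                              "InstanceProtocol": "TCP", "InstancePort": 8080}, "PolicyNames": []},
            ],
        },
    ]
}
SAMPLE_TAGS = {
    "TagDescriptions": [
        {"LoadBalancerName": "cc-frontend-load-balancer",
         "Tags": [{"Key": "<web_tier_tag>", "Value": "<web_tier_tag_value>"}]},
        {"LoadBalancerName": "cc-project5-load-balancer",
         "Tags": [{"Key": "<web_tier_tag>", "Value": "<web_tier_tag_value>"},
                  {"Key": "Environment", "Value": "Production"}]},
        {"LoadBalancerName": "cc-backend-load-balancer",
         "Tags": [{"Key": "Environment", "Value": "Production"}]},
    ]
}


def index_tags(describe_tags_output: dict) -> Dict[str, List[dict]]:
    """Map load balancer name -> tag list, from describe-tags output."""
    return {d["LoadBalancerName"]: d.get("Tags", [])
            for d in describe_tags_output.get("TagDescriptions", [])}


def is_web_tier(tags: List[dict], tag_key: str, tag_value: str) -> bool:
    """Exact key/value match, as the web-tier tag set in the rule settings defines it."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value for t in tags)


def audit_listeners(lb: dict) -> dict:
    """Classify one load balancer's front-end listeners."""
    listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
    secure = [l for l in listeners if l["Protocol"] in SECURE_PROTOCOLS]
    return {
        "compliant": bool(secure),  # the rule's pass/fail: at least one HTTPS or SSL listener
        "secure_ports": sorted(l["LoadBalancerPort"] for l in secure),
        # plaintext front-end listeners still reachable beside the secure ones
        "plaintext_ports": sorted(l["LoadBalancerPort"] for l in listeners
                                  if l["Protocol"] not in SECURE_PROTOCOLS),
        # secure listeners that terminate TLS at the ELB and forward to instances in clear text
        "backend_plaintext_ports": sorted(l["LoadBalancerPort"] for l in secure
                                          if l["InstanceProtocol"] not in SECURE_PROTOCOLS),
    }


def audit(describe_lbs_output: dict, describe_tags_output: dict,
          tag_key: str, tag_value: str) -> Dict[str, dict]:
    """Findings for every web-tier CLB; untagged and other-tier CLBs are skipped."""
    tags_by_lb = index_tags(describe_tags_output)
    return {lb["LoadBalancerName"]: audit_listeners(lb)
            for lb in describe_lbs_output.get("LoadBalancerDescriptions", [])
            if is_web_tier(tags_by_lb.get(lb["LoadBalancerName"], []), tag_key, tag_value)}


def run_sample() -> Dict[str, dict]:
    return audit(SAMPLE_LOAD_BALANCERS, SAMPLE_TAGS, "<web_tier_tag>", "<web_tier_tag_value>")


if __name__ == "__main__":
    if len(sys.argv) == 5:
        with open(sys.argv[1]) as lbs, open(sys.argv[2]) as tags:
            result = audit(json.load(lbs), json.load(tags), sys.argv[3], sys.argv[4])
    else:
        result = run_sample()
    for name, finding in result.items():
        print("OK  " if finding["compliant"] else "FAIL", name, finding)
```

On the sample, cc-frontend-load-balancer fails the rule, cc-project5-load-balancer passes but is flagged for the open port 80 listener and for forwarding decrypted traffic to port 80 on the instances, and cc-backend-load-balancer is skipped because it lacks the web-tier tag set.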

Remediation / Resolution

To secure the connection between the clients and the web-tier load balancer with TLS, update your Classic Load Balancer configuration to use listeners with the HTTPS or SSL protocol. This requires an X.509 server certificate, either issued by AWS Certificate Manager (ACM) or uploaded to IAM, and an SSL negotiation policy that selects the TLS versions and ciphers the listener accepts (the examples below pin the predefined ELBSecurityPolicy-TLS-1-2-2017-01 policy). Adding a secure listener does not remove an existing HTTP listener on port 80; once clients have moved to HTTPS, delete or restrict that listener so plaintext traffic is no longer accepted. To implement the HTTPS/SSL protocol for your web-tier load balancer listeners, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Use HTTPS Listener for Web-Tier Classic Load Balancer",
  "Resources": {
    "ClassicLoadBalancer": {
      "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties" : {
        "LoadBalancerName" : "cc-frontend-load-balancer",
        "Scheme" : "internet-facing",
        "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
        "Subnets" : [ "subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234" ],
        "Instances" : [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd" ],
        "HealthCheck": {
            "Target": "HTTP:80/index.html",
            "HealthyThreshold": "10",
            "UnhealthyThreshold": "2",
            "Interval": "50",
            "Timeout": "5"
        },
        "Listeners": [{
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [ "cc-secure-negotiation-policy" ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
        }],
        "Policies": [{
            "PolicyName": "cc-secure-negotiation-policy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [{
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
            }]
        }],
        "Tags" : [{
           "Key" : "<web_tier_tag>",
           "Value" : "<web_tier_tag_value>"
        }]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Use HTTPS Listener for Web-Tier Classic Load Balancer
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
        - subnet-01234123412341234
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS
          PolicyNames:
            - cc-secure-negotiation-policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/cc-production-certificate
      Policies:
        - PolicyName: cc-secure-negotiation-policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
      Tags:
        - Key: <web_tier_tag>
          Value: <web_tier_tag_value>

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
  name               = "cc-frontend-load-balancer"
  internal           = false
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234"]
  instances          = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTP:80/index.html"
    interval            = 50
  }

  # Use HTTPS Listener for Web-Tier Classic Load Balancer
  listener {
    instance_port      = 80
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
  }

  tags = {
    "<web_tier_tag>" = "<web_tier_tag_value>"
  }

}

resource "aws_load_balancer_policy" "cc-ssl-negotiation-policy" {
  load_balancer_name = aws_elb.classic-load-balancer.name
  policy_name        = "cc-secure-negotiation-policy"
  policy_type_name   = "SSLNegotiationPolicyType"
  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

resource "aws_load_balancer_listener_policy" "cc-https-listener-policy" {
  load_balancer_name = aws_elb.classic-load-balancer.name
  load_balancer_port = 443
  policy_names = [
    aws_load_balancer_policy.cc-ssl-negotiation-policy.policy_name
  ]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the web-tier Classic Load Balancer that you want to reconfigure.

06 Select the Listeners tab from the console bottom panel and choose Edit to update the listeners configuration.

07 Inside the Edit listeners configuration box, perform the following operations:

  1. Choose Add to create a new listener.
  2. Select HTTPS (Secure HTTP) or SSL (Secure TCP) from the Load Balancer Protocol dropdown list.
  3. In the Cipher column, choose Change, select the Predefined Security Policy option, and choose the latest security policy available in the policy dropdown list (e.g. ELBSecurityPolicy-TLS-1-2-2017-01). If you want to use a custom policy, select Custom Security Policy and configure your own TLS/SSL policy. Choose Save to apply the changes.
  4. In the SSL Certificate column, select Change, and choose one of the following options:
    • Select Choose a certificate from ACM (recommended) and select an existing certificate issued by AWS Certificate Manager (ACM) from the Certificate dropdown list. If you don't have one yet, choose Request a new certificate from ACM; the AWS Management Console redirects you to the ACM service console, where you can request a public TLS certificate for your domain (public certificates issued by ACM are free). Choose Save to apply the changes.
    • Select Choose a certificate from IAM and select an existing SSL/TLS certificate uploaded previously to Amazon IAM from the Certificate dropdown list. Choose Save to apply the changes.
    • Select Upload a certificate to IAM to deploy a certificate obtained from an external certificate authority by pasting the PEM-encoded values supplied by that CA into the Private key, Certificate body and Certificate chain (optional) boxes. Once the values are validated, enter a name for the new certificate in the Certificate name box. Choose Save to apply the changes.

08 Back in the Edit listeners box, review the configuration for the secure listener, then choose Save to deploy the new listener. If successful, the following confirmation message should be displayed: "Finished updating listeners. Your listeners have been successfully updated.". Choose Close to return to the Amazon EC2 console.

09 Repeat steps no. 5 – 8 for each web-tier Classic Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Depending on the AWS service that manages your TLS/SSL certificates, perform one of the following actions:

  1. Get the Amazon Resource Name (ARN) of the certificate issued by AWS Certificate Manager (ACM). The certificate ARN is required during HTTPS/SSL listener configuration:
    • Run list-certificates command (OSX/Linux/UNIX) to list the ARN(s) and domain name(s) of the certificate(s) managed by ACM in the selected region:
      aws acm list-certificates \
        --region us-east-1
      
    • The command output should return the requested information:
      {
        "CertificateSummaryList": [
           {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
            "DomainName": "www.domain.com"
           }
        ]
      }
      
  2. Get the ARN of your SSL certificate(s) uploaded to Amazon IAM:
    • Run list-server-certificates command (OSX/Linux/UNIX) to describe the metadata (certificate ARN(s), name(s), etc.), available for the SSL certificate(s) uploaded to Amazon IAM:
      aws iam list-server-certificates
      
    • The command output should return the requested metadata:
      {
        "ServerCertificateMetadataList": [
          {
            "ServerCertificateName": "cc-production-certificate",
            "Expiration": "2022-06-07T23:59:59Z",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate",
            "UploadDate": "2021-06-07T23:59:59Z"
          }
        ]
      }
      

02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a new, secure HTTPS listener for your web-tier load balancer using the certificate identified at the previous step. The following command example creates a front-end HTTPS listener on port 443 for a web-tier load balancer named "cc-frontend-load-balancer" using the certificate identified by the ARN "arn:aws:iam::123456789012:server-certificate/cc-production-certificate", forwarding to port 80 on the instances (the command does not produce an output):

aws elb create-load-balancer-listeners \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/cc-production-certificate

A listener created this way uses the default predefined security policy. To pin a specific policy such as ELBSecurityPolicy-TLS-1-2-2017-01, as the CloudFormation and Terraform examples above do, create a policy of type SSLNegotiationPolicyType with create-load-balancer-policy and attach it to port 443 with set-load-balancer-policies-of-listener.

03 Repeat step no. 2 for each web-tier Classic Load Balancer that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
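As an added example (not part of the Conformity rule content or of the AWS CLI), the Python script below performs the CLI remediation as ELB API calls through boto3, including the policy steps the CLI section above does not show: it creates the HTTPS listener only when port 443 is free, creates an SSLNegotiationPolicyType policy referencing ELBSecurityPolicy-TLS-1-2-2017-01 only when it does not already exist, attaches it to the listener, and can optionally delete the remaining plaintext listeners. The ELB client is injected so the script can exercise itself against a constructed FakeElbClient that starts as the HTTP:80-only load balancer from the Audit section; the load balancer name, certificate ARN and policy name are the page's placeholders and are assumptions. Run it with a load balancer name and a certificate ARN to use the real boto3 client.

```python
"""Add a TLS 1.2 HTTPS listener to a web-tier Classic Load Balancer, idempotently.

Same sequence as the CloudFormation/Terraform examples, expressed as ELB API calls:
create the HTTPS listener, create an SSLNegotiationPolicyType policy that references
a predefined security policy, attach it to the listener and, optionally, delete the
remaining plaintext listeners. The client is injected so the logic can run against
the fake below; pass boto3.client("elb") for real use.
"""
from typing import Any, Dict, List

SECURE_PROTOCOLS = {"HTTPS", "SSL"}


def secure_web_tier_clb(elb: Any, lb_name: str, certificate_arn: str, lb_port: int = 443,
                        instance_port: int = 80, policy_name: str = "cc-secure-negotiation-policy",
                        reference_policy: str = "ELBSecurityPolicy-TLS-1-2-2017-01",
                        remove_plaintext: bool = False) -> Dict[str, Any]:
    desc = elb.describe_load_balancers(LoadBalancerNames=[lb_name])["LoadBalancerDescriptions"][0]
    listeners = [d["Listener"] for d in desc["ListenerDescriptions"]]
    actions: List[str] = []

    # 1. Front-end HTTPS listener: keep an existing secure one, refuse to clobber a plaintext one.
    on_port = next((l for l in listeners if l["LoadBalancerPort"] == lb_port), None)
    if on_port is None:
        elb.create_load_balancer_listeners(LoadBalancerName=lb_name, Listeners=[{
            "Protocol": "HTTPS", "LoadBalancerPort": lb_port, "InstanceProtocol": "HTTP",
            "InstancePort": instance_port, "SSLCertificateId": certificate_arn}])
        actions.append(f"created HTTPS:{lb_port}")
    elif on_port["Protocol"] not in SECURE_PROTOCOLS:
        raise RuntimeError(f"port {lb_port} already serves {on_port['Protocol']}; remove that listener first")
    else:
        actions.append(f"kept existing {on_port['Protocol']}:{lb_port}")

    # 2. Pin protocol versions and ciphers; create-load-balancer-listeners alone leaves the default policy.
    if policy_name not in desc.get("Policies", {}).get("OtherPolicies", []):
        elb.create_load_balancer_policy(
            LoadBalancerName=lb_name, PolicyName=policy_name, PolicyTypeName="SSLNegotiationPolicyType",
            PolicyAttributes=[{"AttributeName": "Reference-Security-Policy", "AttributeValue": reference_policy}])
        actions.append(f"created policy {policy_name}")
    elb.set_load_balancer_policies_of_listener(LoadBalancerName=lb_name, LoadBalancerPort=lb_port,
                                               PolicyNames=[policy_name])
    actions.append(f"attached {policy_name} to port {lb_port}")

    # 3. Passing the rule does not close port 80; do that explicitly once clients use HTTPS.
    plaintext = [l["LoadBalancerPort"] for l in listeners if l["Protocol"] not in SECURE_PROTOCOLS]
    if remove_plaintext and plaintext:
        elb.delete_load_balancer_listeners(LoadBalancerName=lb_name, LoadBalancerPorts=plaintext)
        actions.append(f"deleted plaintext listeners on ports {plaintext}")
        plaintext = []
    return {"actions": actions, "plaintext_ports_remaining": plaintext}


class FakeElbClient:
    """Constructed stand-in for boto3.client("elb"): keeps listener/policy state, records calls."""
    def __init__(self, listeners: List[dict]) -> None:
        self.listeners, self.policies, self.calls = list(listeners), [], []
    def describe_load_balancers(self, LoadBalancerNames):
        return {"LoadBalancerDescriptions": [{"LoadBalancerName": LoadBalancerNames[0],
                "ListenerDescriptions": [{"Listener": l, "PolicyNames": []} for l in self.listeners],
                "Policies": {"OtherPolicies": list(self.policies)}}]}
    def create_load_balancer_listeners(self, **kw):
        self.calls.append("create_load_balancer_listeners"); self.listeners += kw["Listeners"]
    def create_load_balancer_policy(self, **kw):
        self.calls.append("create_load_balancer_policy"); self.policies.append(kw["PolicyName"])
    def set_load_balancer_policies_of_listener(self, **kw):
        self.calls.append("set_load_balancer_policies_of_listener")
    def delete_load_balancer_listeners(self, **kw):
        self.calls.append("delete_load_balancer_listeners")
        self.listeners = [l for l in self.listeners if l["LoadBalancerPort"] not in kw["LoadBalancerPorts"]]


def demo() -> Dict[str, Any]:
    """Starting state (constructed): the HTTP:80-only load balancer from the audit output."""
    fake = FakeElbClient([{"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP", "InstancePort": 80}])
    cert = "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
    first = secure_web_tier_clb(fake, "cc-frontend-load-balancer", cert)
    second = secure_web_tier_clb(fake, "cc-frontend-load-balancer", cert, remove_plaintext=True)  # re-run is safe
    return {"first": first, "second": second, "calls": fake.calls}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python secure_clb.py <load-balancer-name> <certificate-arn>
        import boto3
        print(secure_web_tier_clb(boto3.client("elb"), sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

The first pass creates the listener and the policy and leaves port 80 open; the second pass on the same load balancer creates nothing, re-attaches the policy, and removes the plaintext listener, so the script can be re-run without DuplicateListener or DuplicatePolicyName errors.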

Publication date May 8, 2018