Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Add SSL/TLS Server Certificates to Web-Tier ELBs

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your web-tier Elastic Load Balancers (ELBs) are using SSL/TLS server certificates to encrypt the communication between the web application clients and the load balancer. When you use HTTPS/SSL (secure HTTP/TCP) for the ELB front-end listeners, you must deploy an SSL/TLS certificate on your load balancer. This SSL/TLS server certificate is used by the web-tier ELB to terminate the connection and decrypt requests from clients before sending them to the EC2 instances behind the load balancer (also known as backend instances). This conformity rule assumes that all AWS resources (including load balancers) provisioned in your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be specified on the Cloud Conformity dashboard, within the rule configuration settings.

Security

Attaching valid SSL/TLS certificates to load balancer HTTPS/SSL listeners will guarantee that the front-end traffic is encrypted over the SSL/TLS channel and the web client data is protected against eavesdropping and sniffing attacks.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.

Audit

To determine if your web-tier ELBs have SSL/TLS server certificates attached to HTTPS/SSL listeners, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Add SSL/TLS Server Certificates to Web-Tier ELBs conformity rule settings and copy the tags defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering procedure will return only the load balancers tagged for the web tier. If no results are returned, there are no ELBs tagged within your web tier and the audit process ends here. If the EC2 dashboard lists one or more load balancers, continue the audit process with the next step.

06 Select the web-tier ELB that you want to examine.

07 Select the Listeners tab from the bottom panel.

08 Under Load Balancer Protocol column, check for any listeners with HTTPS (Secure HTTP) or SSL (Secure TCP) protocols. If there are no HTTPS/SSL listeners available, the selected web-tier ELB does not use any SSL/TLS server certificates to encrypt the front-end connection between the web clients and the load balancer.

09 Repeat steps no. 6 – 8 to determine if other ELBs created for your web tier in the selected AWS region, have SSL/TLS server certificates attached.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Add SSL/TLS Server Certificates to Web-Tier ELBs conformity rule settings and copy the tags defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs provisioned in the selected AWS region:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws elb describe-load-balancers
	--region us-east-1
	--output table
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
-----------------------
|DescribeLoadBalancers|
+---------------------+
|  cc-mainsite-elb    |
|  cc-legacy-app-elb  |
+---------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource (if any):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws elb describe-tags
	--region us-east-1
	--load-balancer-name cc-mainsite-elb
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array, as shown in the example below, the verified ELB is not tagged, therefore the audit process for the selected resource ends here:
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    []
  2. If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your web tier, therefore the audit process for the selected load balancer ends here:
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    [
    {
        "Value": "Env",
        "Key": "Development"
    }
]
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified Amazon ELB is tagged as a web-tier resource, therefore the audit process continues with the next step:
    123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
    [
    {
        "Value": "<web_tier_tag_value>",
        "Key": "<web_tier_tag>"
    }
]

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the load balancer identified at the previous step as identifier to describe the resource listeners configuration and determine if the selected web-tier ELB has any SSL/TLS server certificates attached:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name cc-mainsite-elb
	--query "LoadBalancerDescriptions[*].{ListenerDescriptions:ListenerDescriptions[?Listener.SSLCertificateId != null]}"

07 The command output should list the requested configuration metadata:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
[
    {
        "ListenerDescriptions": []
    }
]

If value of the "ListenerDescriptions" attribute is an empty array, as shown in the example above, the selected web-tier ELB does not have a listener configured with a SSL/TLS server certificate, therefore the front-end traffic between the clients and the load balancer is not encrypted.

08 Repeat step no. 6 and 7 to determine if other ELBs available within your web tier in the selected AWS region, have SSL/TLS server certificates attached.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To secure the traffic between the web clients and your web-tier load balancer using SSL encryption, update your ELB configuration to attach an SSL/TLS server certificate (an X.509 certificate is required). To attach an SSL/TLS certificate to your ELB HTTPS/SSL listener, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the web-tier load balancer that you want to reconfigure (see Audit section part I to identify the right ELB).

05 Select the Listeners tab from the bottom panel and click the Edit button under the available listener(s).

06 Inside the Edit listeners dialog box, click Add to add a new listener.

07 In the Load Balancer Protocol dropdown list, select HTTPS (Secure HTTP) or SSL (Secure TCP).

08 In the SSL Certificate column, click Change and select one of the following options:

  1. Choose a certificate from ACM (recommended) - to use an existing SSL/TLS certificate purchased via Amazon Certificate Manager (ACM). If you haven’t purchased yet any SSL/TLS certificates you can request one by clicking Request a new certificate from ACM link and AWS will redirect your request to the ACM service dashboard where you can buy the required certificate. Once the SSL/TLS certificate is selected from the Certificate dropdown list, click Save to apply the changes.
  2. Choose a certificate from IAM - to use an existing SSL certificate uploaded previously to the Identity and Access Management (IAM) service using the AWS console. Select the name of the SSL certificate that you want install from the Certificate dropdown list. Click Save to apply the configuration changes.
  3. Upload a certificate to IAM - deploy an SSL certificate purchased from a third-party provider by entering the required keys (PEM encoded) within the Private Key, Certificate body and Certificate chain boxes, keys granted by the SSL provider from which you bought the certificate. Make sure you provide a unique name for the uploaded SSL/TLS certificate in the Certificate name box, then click Save to apply the changes.

09 Back to the Edit listeners dialog box, review the new listener configuration, then click Save. If successful, the following message will be displayed: “Finished updating listeners. Your listeners have been successfully updated.”. Click Close to return to the EC2 dashboard.

10 Repeat steps no. 4 – 10 to attach an SSL/TLS server certificate to each web-tier ELB that needs to secure its front-end traffic, available in the selected region.

11 Change the AWS region from the navigation bar and repeat steps no. 4 – 11 for other regions.

Using AWS CLI

01 To attach an SSL/TLS certificate to your web-tier ELB listener(s), you need to obtain first the certificate ARN. Depending on the AWS service used to manage your server certificates, perform one of the following actions:

  1. Get the Amazon Resource Name (ARN) of the certificate(s) purchased via Amazon Certificate Manager:
    • Run list-certificates command (OSX/Linux/UNIX) to describe the ARN(s) and domain name(s) of the SSL/TLS certificate(s) purchased via AWS ACM:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      aws acm list-certificates
	--region us-east-1
    • The command output should return the requested information:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      {
   "CertificateSummaryList": [
      {
       "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11223344-1234-1234-1234-123456789012",
       "DomainName": "www.cloudconformity.com"
      }
   ]
}
  2. Get the ARN of your SSL/TLS certificate(s) uploaded to AWS Identity and Access Management (IAM) service:
    • Run list-server-certificates command (OSX/Linux/UNIX) to describe the metadata (ARN(s), name(s), upload date(s), etc), available for the server certificate(s) uploaded to AWS IAM:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      aws iam list-server-certificates
    • The command output should return the requested metadata:
      123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
      {
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateName": "cc-mainsite-certificate",
            "Expiration": "2019-02-01T23:59:59Z",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:server-certificate/cc-mainsite-certificate",
            "UploadDate": "2018-02-03T10:51:08Z"
        }
    ]
}

02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a new HTTPS/SSL listener for the selected web-tier ELB and attach the SSL/TLS server certificate identified by its ARN, identified at the previous step. The following command example will create an HTTPS listener for a web-tier ELB named "cc-mainsite-elb" using an SSL/TLS certificate identified by the ARN "arn:aws:iam::123456789012:server-certificate/cc-mainsite-certificate" (the command does not return an output):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
aws elb create-load-balancer-listeners
	--region us-east-1
	--load-balancer-name cc-mainsite-elb
	--listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/cc-mainsite-certificate

03 Repeat step no. 2 to attach an SSL/TLS server certificate to each web-tier load balancer that needs to secure its front-end traffic, available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

References

Publication date Mar 8, 2018

Related ELB rules