Add SSL/TLS Server Certificates to Web-Tier ELBs

01 Sign in to your Cloud Conformity console, access Add SSL/TLS Server Certificates to Web-Tier ELBs conformity rule settings and copy the tags defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering procedure will return only the load balancers tagged for the web tier. If no results are returned, there are no ELBs tagged within your web tier and the audit process ends here. If the EC2 dashboard lists one or more load balancers, continue the audit process with the next step.

06 Select the web-tier ELB that you want to examine.

07 Select the Listeners tab from the bottom panel.

08 Under Load Balancer Protocol column, check for any listeners with HTTPS (Secure HTTP) or SSL (Secure TCP) protocols. If there are no HTTPS/SSL listeners available, the selected web-tier ELB does not use any SSL/TLS server certificates to encrypt the front-end connection between the web clients and the load balancer.

09 Repeat steps no. 6 – 8 to determine if other ELBs created for your web tier in the selected AWS region, have SSL/TLS server certificates attached.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

01 Sign in to your Cloud Conformity console, access Add SSL/TLS Server Certificates to Web-Tier ELBs conformity rule settings and copy the tags defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs provisioned in the selected AWS region:

aws elb describe-load-balancers
	--region us-east-1
	--output table
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names:

-----------------------
|DescribeLoadBalancers|
+---------------------+
|  cc-mainsite-elb    |
|  cc-legacy-app-elb  |
+---------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource (if any):

aws elb describe-tags
	--region us-east-1
	--load-balancer-name cc-mainsite-elb
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

1. If the describe-tags command output returns an empty array, as shown in the example below, the verified ELB is not tagged, therefore the audit process for the selected resource ends here:
   []
   

2. If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your web tier, therefore the audit process for the selected load balancer ends here:
   [
       {
           "Value": "Env",
           "Key": "Development"
       }
   ]
   

3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified Amazon ELB is tagged as a web-tier resource, therefore the audit process continues with the next step:
   [
       {
           "Value": "<web_tier_tag_value>",
           "Key": "<web_tier_tag>"
       }
   ]
   

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the load balancer identified at the previous step as identifier to describe the resource listeners configuration and determine if the selected web-tier ELB has any SSL/TLS server certificates attached:

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name cc-mainsite-elb
	--query "LoadBalancerDescriptions[*].{ListenerDescriptions:ListenerDescriptions[?Listener.SSLCertificateId != null]}"

07 The command output should list the requested configuration metadata:

[
    {
        "ListenerDescriptions": []
    }
]

08 Repeat step no. 6 and 7 to determine if other ELBs available within your web tier in the selected AWS region, have SSL/TLS server certificates attached.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the web-tier load balancer that you want to reconfigure (see Audit section part I to identify the right ELB).

05 Select the Listeners tab from the bottom panel and click the Edit button under the available listener(s).

06 Inside the Edit listeners dialog box, click Add to add a new listener.

07 In the Load Balancer Protocol dropdown list, select HTTPS (Secure HTTP) or SSL (Secure TCP).

08 In the SSL Certificate column, click Change and select one of the following options:

1. Choose a certificate from ACM (recommended) - to use an existing SSL/TLS certificate purchased via Amazon Certificate Manager (ACM). If you haven’t purchased yet any SSL/TLS certificates you can request one by clicking Request a new certificate from ACM link and AWS will redirect your request to the ACM service dashboard where you can buy the required certificate. Once the SSL/TLS certificate is selected from the Certificate dropdown list, click Save to apply the changes.
2. Choose a certificate from IAM - to use an existing SSL certificate uploaded previously to the Identity and Access Management (IAM) service using the AWS console. Select the name of the SSL certificate that you want install from the Certificate dropdown list. Click Save to apply the configuration changes.
3. Upload a certificate to IAM - deploy an SSL certificate purchased from a third-party provider by entering the required keys (PEM encoded) within the Private Key, Certificate body and Certificate chain boxes, keys granted by the SSL provider from which you bought the certificate. Make sure you provide a unique name for the uploaded SSL/TLS certificate in the Certificate name box, then click Save to apply the changes.

09 Back to the Edit listeners dialog box, review the new listener configuration, then click Save. If successful, the following message will be displayed: “Finished updating listeners. Your listeners have been successfully updated.”. Click Close to return to the EC2 dashboard.

10 Repeat steps no. 4 – 10 to attach an SSL/TLS server certificate to each web-tier ELB that needs to secure its front-end traffic, available in the selected region.

11 Change the AWS region from the navigation bar and repeat steps no. 4 – 11 for other regions.

01 To attach an SSL/TLS certificate to your web-tier ELB listener(s), you need to obtain first the certificate ARN. Depending on the AWS service used to manage your server certificates, perform one of the following actions:

1. Get the Amazon Resource Name (ARN) of the certificate(s) purchased via Amazon Certificate Manager:
   • Run list-certificates command (OSX/Linux/UNIX) to describe the ARN(s) and domain name(s) of the SSL/TLS certificate(s) purchased via AWS ACM:
     aws acm list-certificates
     	--region us-east-1
     

   • The command output should return the requested information:
     {
        "CertificateSummaryList": [
           {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11223344-1234-1234-1234-123456789012",
            "DomainName": "www.cloudconformity.com"
           }
        ]
     }
     

2. Get the ARN of your SSL/TLS certificate(s) uploaded to AWS Identity and Access Management (IAM) service:
   • Run list-server-certificates command (OSX/Linux/UNIX) to describe the metadata (ARN(s), name(s), upload date(s), etc), available for the server certificate(s) uploaded to AWS IAM:
     aws iam list-server-certificates
     

   • The command output should return the requested metadata:
     {
         "ServerCertificateMetadataList": [
             {
                 "ServerCertificateName": "cc-mainsite-certificate",
                 "Expiration": "2019-02-01T23:59:59Z",
                 "Path": "/",
                 "Arn": "arn:aws:iam::123456789012:server-certificate/cc-mainsite-certificate",
                 "UploadDate": "2018-02-03T10:51:08Z"
             }
         ]
     }
     

02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a new HTTPS/SSL listener for the selected web-tier ELB and attach the SSL/TLS server certificate identified by its ARN, identified at the previous step. The following command example will create an HTTPS listener for a web-tier ELB named "cc-mainsite-elb" using an SSL/TLS certificate identified by the ARN "arn:aws:iam::123456789012:server-certificate/cc-mainsite-certificate" (the command does not return an output):

aws elb create-load-balancer-listeners
	--region us-east-1
	--load-balancer-name cc-mainsite-elb
	--listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/cc-mainsite-certificate

03 Repeat step no. 2 to attach an SSL/TLS server certificate to each web-tier load balancer that needs to secure its front-end traffic, available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.