- Knowledge Base
- Amazon Web Services
- Elastic Load Balancing V2
- Enable HTTP to HTTPS Redirect for Application Load Balancers
Ensure that your Amazon Application Load Balancers (ALBs) are configured to redirect HTTP traffic to HTTPS in order to follow cloud security best practices and meet compliance requirements.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Redirecting HTTP traffic to HTTPS within your load balancer listeners' configuration simplifies deployments while benefiting from the scale, the availability, and the reliability of the Amazon Elastic Load Balancing service. The Application Load Balancer's capability to redirect HTTP requests to HTTPS allows you to meet your compliance goal of secure browsing and achieve better search ranking and high SSL/TLS score for your websites/web applications.
Audit
To determine if your Application Load Balancers (ALBs) are configured to redirect HTTP traffic to HTTPS, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.
05 Select the Application Load Balancer (ALB) that you want to examine.
06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.
07 Choose the HTTP : <port> listener and check the listener rule(s) listed in the Rules column. If the HTTP : <port> listener does not have a rule that contains the "redirecting to HTTPS://#{host}:<port>/#{path}?#{query}" action, the selected Amazon Application Load Balancer (ALB) is not configured to redirect HTTP traffic to HTTPS.
08 Repeat steps no. 5 – 7 for each Application Load Balancer available within the current AWS region.
09 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Application Load Balancer available in the selected AWS region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'
02 The command output should return an array with the requested load balancer ARN(s):
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd", "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-load-balancer/aaaabbbbccccdddd" ]
03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to examine as identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the HTTP listener configured for the selected load balancer:
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd --query 'Listeners[?(Protocol == `HTTP`)].ListenerArn'
04 The command output should return the ARN of the requested HTTP listener:
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/abcdabcdabcdabcd/abcd1234abcd1234" ]
05 To redirect HTTP traffic to HTTPS, the HTTP listener must have a rule that contains the following redirect action:
[ { "Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Host": "#{host}", "Query": "#{query}", "Path": "/#{path}", "Port": "<port>", "StatusCode": "HTTP_301" } } ]
06 Run describe-rules command (OSX/Linux/UNIX) using the ARN of the HTTP listener returned at step no. 4 as the identifier parameter, to describe the rule(s) actions defined for the HTTP listener:
aws elbv2 describe-rules --region us-east-1 --listener-arn "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/abcdabcdabcdabcd/abcd1234abcd1234" --query 'Rules[*].Actions | []'
07 The command output should return the rule(s) actions configured for the requested listener:
[ { "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-frontend-target-group/1234abcd1234abcd", "Type": "forward", "ForwardConfig": { "TargetGroupStickinessConfig": { "Enabled": false }, "TargetGroups": [ { "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-frontend-target-group/1234abcd1234abcd", "Weight": 1 } ] } } ]
If the describe-rules command output does not contain a redirect action like the one listed at step no. 5, the selected Amazon Application Load Balancer (ALB) is not configured to redirect HTTP traffic to HTTPS.
08 Repeat steps no. 3 – 7 for each Application Load Balancer deployed in the selected AWS region.
09 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
Remediation / Resolution
To configure your Amazon Application Load Balancers (ALBs) in order to redirect HTTP traffic to HTTPS, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Configure HTTP to HTTPS Redirect for Application Load Balancer",
"Resources": {
"ApplicationLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties" : {
"Name" : "cc-internet-facing-load-balancer",
"Type" : "application",
"Scheme" : "internet-facing",
"IpAddressType" : "ipv4",
"SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
"Subnets" : [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
}
},
"HTTPListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"Protocol": "HTTP",
"Port": 80,
"DefaultActions": [
{
"Type": "redirect",
"RedirectConfig": {
"Protocol": "HTTPS",
"Port": 443,
"Host": "#{host}",
"Path": "/#{path}",
"Query": "#{query}",
"StatusCode": "HTTP_301"
}
}
],
"LoadBalancerArn": {
"Ref": "ApplicationLoadBalancer"
}
}
}
}
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Configure HTTP to HTTPS Redirect for Application Load Balancer
Resources:
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: cc-internet-facing-load-balancer
Type: application
Scheme: internet-facing
IpAddressType: ipv4
SecurityGroups:
- sg-0abcdabcdabcdabcd
Subnets:
- subnet-01234abcd1234abcd
- subnet-0abcd1234abcd1234
HTTPListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
Protocol: HTTP
Port: 80
DefaultActions:
- Type: redirect
RedirectConfig:
Protocol: HTTPS
Port: 443
Host: '#{host}'
Path: /#{path}
Query: '#{query}'
StatusCode: HTTP_301
LoadBalancerArn: !Ref 'ApplicationLoadBalancer'
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
required_version = ">= 0.14.9"
}
provider "aws" {
region = "us-east-1"
}
resource "aws_lb" "application-load-balancer" {
name = "cc-internet-facing-load-balancer"
load_balancer_type = "application"
internal = false
ip_address_type = "ipv4"
security_groups = ["sg-0abcdabcdabcdabcd"]
subnets = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
}
resource "aws_lb_listener" "http-listener" {
load_balancer_arn = aws_lb.application-load-balancer.arn
protocol = "HTTP"
port = "80"
# Configure HTTP to HTTPS Redirect for Application Load Balancer
default_action {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list all the Application Load Balancers available in the current AWS region.
05 Select the Application Load Balancer (ALB) that you want to reconfigure.
06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.
07 Click on the View/edit rules link available in the Rules column for the HTTP : <port> listener.
08 On the Rules page, perform the following actions:
- Choose Edit rules tab, and click on the edit rule button (pencil icon) to modify the existing default rule in order to redirect all HTTP requests to HTTPS.
- In the Edit Rule mode, under THEN, delete the existing condition.
- Choose + Add action to add the new condition with the Redirect to… action.
- In the Redirect to… configuration box, enter 443 (or the custom port that you want to use) for the HTTPS port and keep the defaults for the remaining options.
- Click on the checkmark icon to save the configuration changes.
- Choose Update to apply the changes to the selected listener rule.
09 Navigate back to the Listeners panel and choose Add listener to create an HTTPS listener. If you already have an HTTPS listener with a rule that forwards requests to the load balancer target group, skip to step no. 11.
10 On the Listeners setup page, perform the following actions:
- For Protocol: port, choose HTTPS. The default port (i.e. 443) will be configured. You can also use a custom port for HTTPS. The custom port must match the one configured at step no. 8.d.
- For Default actions, choose Add action, and select Forward.
- Select the name of the target group that hosts the application instances from the Target group dropdown list.
- Select the latest predefined security policy that's best suited for your configuration, from the Security policy dropdown list.
- Choose the required SSL certificate from the Default SSL certificate dropdown list. If you don't have one yet, request new ACM certificate.
- Choose Add listener to add the save the new HTTPS listener.
11 To ensure that the security group associated with your Application Load Balancer allows traffic on TCP port 443, perform the following actions:
- Select the Application Load Balancer that you want to reconfigure.
- Select the Description tab to access the load balancer configuration information.
- In the Security section, click on the ID (link) of the security group attached to your load balancer.
- On the selected security group page, choose the Inbound tab, and verify all the TCP inbound rules. The selected security group must have an inbound rule that allows traffic for both HTTP and HTTPS. If there are no HTTPS inbound rules, perform the following actions to create one:
- Choose Edit to modify the inbound rules configuration.
- Choose Add rule to create a new inbound rule.
- For Type, select HTTPS.
- For Source, select Anywhere.
- Choose Save to save the changes.
12 Repeat steps no. 5 – 11 to configure HTTP to HTTPS redirection for other Application Load Balancers (ALBs) available within the current AWS region.
13 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Define the HTTP listener rule configuration that redirects HTTP traffic to HTTPS for your Application Load Balancer (ALB). Save the configuration document to a JSON file named cc-redirect-config.json:
[ { "Type": "redirect", "Order": 1, "RedirectConfig": { "Protocol": "HTTPS", "Host": "#{host}", "Query": "#{query}", "Path": "/#{path}", "Port": "443", "StatusCode": "HTTP_301" } } ]
02 Run modify-listener command (OSX/Linux/UNIX) to modify the default rule configuration for the specified HTTP listener, using the configuration document defined at the previous step:
aws elbv2 modify-listener --region us-east-1 --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/abcdabcdabcdabcd/abcd1234abcd1234 --default-actions file://cc-redirect-config.json
03 The command output should return the configuration metadata of the modified listener:
{ "Listeners": [ { "Protocol": "HTTP", "DefaultActions": [ { "RedirectConfig": { "Protocol": "HTTPS", "Host": "#{host}", "Query": "#{query}", "Path": "/#{path}", "Port": "443", "StatusCode": "HTTP_301" }, "Type": "redirect", "Order": 1 } ], "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd", "Port": 80, "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/abcdabcdabcdabcd/abcd1234abcd1234" } ] }
04 Run create-listener command (OSX/Linux/UNIX) to create a new HTTPS listener for the selected Amazon Application Load Balancer (ALB). If you already have an HTTPS listener with a rule that forwards requests to the load balancer target group, skip to step no. 6:
aws elbv2 create-listener --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd --protocol HTTPS --port 443 --certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234 --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-frontend-target-group/1234abcd1234abcd
05 The command output should return the metadata available for the new HTTPS listener:
{ "Listeners": [ { "Protocol": "HTTPS", "DefaultActions": [ { "ForwardConfig": { "TargetGroupStickinessConfig": { "Enabled": false }, "TargetGroups": [ { "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-frontend-target-group/1234abcd1234abcd", "Weight": 1 } ] }, "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-frontend-target-group/1234abcd1234abcd", "Type": "forward" } ], "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01", "Certificates": [ { "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234" } ], "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd", "Port": 443, "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/abcdabcdabcdabcd/1234abcd1234abcd" } ] }
06 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the Amazon Application Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the ID of the security group associated with the selected load balancer:
aws elbv2 describe-load-balancers --region us-east-1 --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd --query 'LoadBalancers[*].SecurityGroups | []'
07 The command output should return the requested security group ID:
[ "sg-01234abcd1234abcd" ]
08 To ensure that the security group associated with your Application Load Balancer (ALB) allows traffic on TCP port 443 (or the custom port that you want to use for HTTPS), run authorize-security-group-ingress command (OSX/Linux/UNIX) to add a new inbound rule that permits HTTPS access (the command does not produce an output):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-01234abcd1234abcd --protocol tcp --port 443 --cidr 0.0.0.0/0
09 Repeat steps no. 1 – 8 to configure HTTP to HTTPS redirection for other Application Load Balancers (ALBs) available in the selected AWS region.
10 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the Remediation process for other regions.
References
- AWS Documentation
- Application Load Balancers
- Listeners for your Application Load Balancers
- How can I redirect HTTP requests to HTTPS using an Application Load Balancer?
- AWS Command Line Interface (CLI) Documentation
- elbv2
- describe-load-balancers
- describe-listeners
- describe-rules
- modify-listener
- create-listener
- ec2
- authorize-security-group-ingress
- CloudFormation Documentation
- Elastic Load Balancing V2 resource type reference
- Terraform Documentation
- AWS Provider