- ELBv2 ALB Listener Security
Check your Application Load Balancer listeners for secure configurations. Trend Cloud One™ – Conformity strongly recommends using the HTTPS (Secure HTTP) protocol to encrypt the communication between your application clients and your Amazon Application Load Balancer (ALB).
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an Application Load Balancer (ALB) has no HTTPS listeners, the front-end connection between the clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when your application is working with sensitive data such as health and personal records, user credentials and credit card information.
Audit
To determine if your Application Load Balancers (ALBs) are using secure listeners, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.
05 Select the Application Load Balancer (ALB) that you want to examine.
06 Choose the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.
07 Select the load balancer listener that you want to examine and choose Edit.
08 On the Edit listener page, in the Listener details section, check the protocol selected from the Protocol dropdown list to determine the listener protocol. If the selected protocol is not HTTPS, the verified listener is not secure.
09 Repeat steps no. 7 and 8 for each listener configured for the load balancer. If there are no listeners configured with the HTTPS protocol, the network connection between the application clients and the selected Application Load Balancer (ALB) is not encrypted.
10 Repeat steps no. 5 – 9 for each Application Load Balancer provisioned within the current AWS region.
11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Application Load Balancer available in the selected AWS region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'
02 The command output should return an array with the requested load balancer ARN(s):
[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-load-balancer/aaaabbbbccccdddd"
]
03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the connection protocol of each listener configured for the selected load balancer:
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd --query 'Listeners[*].Protocol'
04 The command output should return an array with the communication protocol(s) used by the load balancer listener(s):
[ "HTTP" ]
If the array returned by the describe-listeners command does not contain "HTTPS", no listener on the load balancer is configured with the HTTPS protocol, and therefore the network connection between the application clients and the selected Application Load Balancer (ALB) is not encrypted.
05 Repeat steps no. 3 and 4 for each Application Load Balancer provisioned in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
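The CLI audit above can be automated over the JSON that describe-listeners returns. The following Python is an added example, not part of the Conformity page: the sample listener documents are constructed to mirror the page's output, "tg-placeholder" stands in for a real target group ARN, and only assess_alb_cli() calls the AWS CLI. It goes one step beyond the page's rule by separating plain-HTTP listeners that forward cleartext from those whose default action only redirects to HTTPS.

```python
"""Classify Application Load Balancer listeners from `aws elbv2 describe-listeners`
output, following the Audit rule above (at least one HTTPS listener).
Added example, not part of the Conformity page.  The sample documents are
constructed; assess_alb_cli() is the only part that calls the AWS CLI."""
import json
import subprocess
from typing import Dict

# Constructed sample output for two ALBs, shaped like describe-listeners JSON.
# "tg-placeholder" stands in for a real target group ARN.
SAMPLE_OUTPUT: Dict[str, str] = {
    "cc-internet-facing-load-balancer": json.dumps({"Listeners": [
        {"Port": 80, "Protocol": "HTTP",
         "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-placeholder"}]}]}),
    "cc-internal-load-balancer": json.dumps({"Listeners": [
        {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect",
            "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
        {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
         "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-placeholder"}]}]}),
}

def redirects_to_https(listener: dict) -> bool:
    """True when the listener's default action is a redirect to HTTPS."""
    for action in listener.get("DefaultActions", []):
        cfg = action.get("RedirectConfig", {})
        if action.get("Type") == "redirect" and cfg.get("Protocol") == "HTTPS":
            return True
    return False

def assess_listeners(describe_listeners_json: str) -> dict:
    """Apply the page's rule: 'secure' only if some listener is HTTPS.
    Plain-HTTP listeners are also reported (beyond the page's rule), split
    into those forwarding cleartext and those that only redirect to HTTPS."""
    listeners = json.loads(describe_listeners_json).get("Listeners", [])
    http = [l for l in listeners if l.get("Protocol") == "HTTP"]
    https_ports = sorted(l["Port"] for l in listeners if l.get("Protocol") == "HTTPS")
    return {
        "secure": bool(https_ports),
        "https_ports": https_ports,
        "cleartext_ports": sorted(l["Port"] for l in http if not redirects_to_https(l)),
        "redirect_ports": sorted(l["Port"] for l in http if redirects_to_https(l)),
    }

def assess_alb_cli(load_balancer_arn: str, region: str) -> dict:
    """Run the page's describe-listeners command for one ALB and assess it."""
    cmd = ["aws", "elbv2", "describe-listeners", "--region", region,
           "--load-balancer-arn", load_balancer_arn, "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return assess_listeners(out)
```

Feed assess_alb_cli() each ARN returned by the describe-load-balancers command in step 1 to cover a whole region.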
Remediation / Resolution
To secure (encrypt) the connection between your application clients and your Application Load Balancers, update the listener configuration to support the HTTPS protocol (an X.509 SSL/TLS certificate is required). To add an HTTPS listener to your Application Load Balancer, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Add HTTPS Listener to Application Load Balancer",
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "cc-internet-facing-load-balancer",
        "Type": "application",
        "Scheme": "internet-facing",
        "IpAddressType": "ipv4",
        "SecurityGroups": [ "sg-0abcdabcdabcdabcd" ],
        "Subnets": [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
      }
    },
    "HTTPSListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "Protocol": "HTTPS",
        "Port": 443,
        "LoadBalancerArn": {
          "Ref": "ApplicationLoadBalancer"
        },
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd"
          }
        ],
        "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
        "Certificates": [
          {
            "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
          }
        ]
      }
    }
  }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Add HTTPS Listener to Application Load Balancer
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
  HTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTPS
      Port: 443
      LoadBalancerArn: !Ref 'ApplicationLoadBalancer'
      DefaultActions:
        - Type: forward
          TargetGroupArn: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd
      SslPolicy: ELBSecurityPolicy-FS-1-2-Res-2020-10
      Certificates:
        - CertificateArn: arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-internet-facing-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
}

# Add HTTPS Listener to Application Load Balancer
resource "aws_lb_listener" "https-listener" {
  load_balancer_arn = aws_lb.application-load-balancer.arn
  protocol          = "HTTPS"
  port              = "443"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
  certificate_arn   = "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"

  default_action {
    type             = "forward"
    target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd"
  }
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list all the Application Load Balancers available in the current AWS region.
05 Select the Application Load Balancer (ALB) that you want to reconfigure.
06 Select the Listeners tab from the console bottom panel and choose Add listener.
07 On the Add listener setup page, perform the following actions:
- From the Protocol dropdown list, select HTTPS.
- (Optional) You can provide a custom port in the Port box.
- For Default actions, select and configure the default action(s) for the traffic managed by the listener.
- Choose one of the following policies from the Security policy dropdown list: ELBSecurityPolicy-FS-1-2-Res-2020-10, ELBSecurityPolicy-FS-1-2-Res-2019-08 or ELBSecurityPolicy-FS-1-2-2019-08 in order to meet security, compliance, and regulatory requirements.
- For Default SSL/TLS certificate, choose one of the following options:
- Choose From ACM and select an existing SSL certificate purchased via Amazon Certificate Manager (ACM). If you haven’t purchased one yet, choose Request new ACM certificate and the AWS Management Console will redirect your request to the ACM service console where you can buy the required SSL/TLS certificate.
- Choose From IAM and select an existing SSL/TLS certificate uploaded previously to Amazon IAM.
- Choose Import and select To ACM to deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain – optional boxes, information granted by the SSL provider from which you bought the certificate.
- Choose Import and select To IAM to deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain – optional boxes, information granted by the SSL provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box.
- Choose Add to create the secure listener, then select View listeners to return to the Amazon EC2 console.
08 Repeat steps no. 5 – 7 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.
09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Get the Amazon Resource Name (ARN) available for your SSL certificate purchased via Amazon ACM or uploaded to Amazon IAM:
- Run list-certificates command (OSX/Linux/UNIX) to list the ARNs of the SSL certificates purchased using Amazon ACM service:
aws acm list-certificates --region us-east-1 --query 'CertificateSummaryList[*].CertificateArn'
- The command output should return the requested Amazon Resource Names (ARNs):
[ "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-cccc-dddd-eeee-123456789012" ]
- Run list-server-certificates command (OSX/Linux/UNIX) to list the ARNs of the SSL certificates managed by Amazon IAM service:
aws iam list-server-certificates --region us-east-1 --query 'ServerCertificateMetadataList[*].Arn'
- The command output should return the requested SSL certificate ARN(s):
[ "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" ]
02 Run the create-listener command (OSX/Linux/UNIX), passing the Amazon Resource Name (ARN) of the SSL/TLS certificate that you want to use, to create an HTTPS (secure) listener for the selected Application Load Balancer (ALB):
aws elbv2 create-listener --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd --protocol HTTPS --port 443 --ssl-policy ELBSecurityPolicy-FS-1-2-Res-2020-10 --certificates CertificateArn="arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd
03 The command output should return the configuration information available for the new HTTPS listener:
{
    "Listeners": [
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd/0abcd1234abcd1234",
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
            "Port": 443,
            "Protocol": "HTTPS",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
            "DefaultActions": [
                {
                    "Type": "forward",
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234",
                    "ForwardConfig": {
                        "TargetGroups": [
                            {
                                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234",
                                "Weight": 1
                            }
                        ],
                        "TargetGroupStickinessConfig": {
                            "Enabled": false
                        }
                    }
                }
            ]
        }
    ]
}
04 Repeat steps no. 1 – 3 for each Application Load Balancer that you want to reconfigure, available in the selected AWS region.
05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.