- ELBv2 NLB Listener Security
Ensure that your Amazon Network Load Balancers (NLBs) are configured to terminate TLS connections in order to optimize the performance of the backend servers while encrypting the communication between the load balancer and the associated targets (i.e. server instances).
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When Transport Layer Security (TLS) termination is enabled, you can offload the encryption and decryption of the TLS traffic from your backend application servers to your Amazon Network Load Balancer, enhancing the performance of your backend servers while keeping the workload secure. Also, by using built-in security policies with optimal TLS versions and ciphers, the application or service behind your Network Load Balancer (NLB) can achieve PCI and FedRAMP compliance.
Audit
To determine if your Network Load Balancers (NLBs) are configured with TLS termination, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list the Network Load Balancers deployed in the current AWS region.
05 Select the Network Load Balancer (NLB) that you want to examine.
06 Choose the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.
07 Select the load balancer listener that you want to examine and choose Edit.
08 On the Edit listener page, in the Listener details section, check the protocol selected from the Protocol dropdown list to determine the listener protocol. If the selected protocol is not TLS, the listener configuration is not secure.
09 Repeat steps no. 7 and 8 for each listener configured for the load balancer. If there are no listeners configured with the TLS protocol, the selected Network Load Balancer (NLB) is not using TLS termination.
10 Repeat steps no. 5 – 9 for each Network Load Balancer provisioned within the current AWS region.
11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Network Load Balancer deployed in the selected AWS region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[?(Type == `network`)].LoadBalancerArn | []'
02 The command output should return an array with the requested load balancer ARN(s):
[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/aabbccddaabbccdd"
]
03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the connection protocol of each listener configured for the selected load balancer:
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd --query 'Listeners[*].Protocol'
04 The command output should return an array with the communication protocol(s) used by the load balancer listener(s):
[ "TCP" ]
If the array returned by the describe-listeners command output does not contain "TLS", there are no secure (TLS) listeners configured for the load balancer, therefore the selected Amazon Network Load Balancer (NLB) is not using TLS termination.
05 Repeat steps no. 3 and 4 for each Network Load Balancer provisioned in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
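The CLI audit above can be automated once the describe-listeners output has been collected for each NLB. The following Python is an added example, not Conformity's own rule code: it evaluates the Listeners array of each load balancer, marks an NLB that has no TLS listener as failing the rule, and additionally flags TLS listeners that do not use the recommended security policy or that coexist with plaintext listeners (the PASS/WARN/FAIL labels and the WARN level are this example's own convention). The sample responses are constructed and modelled on the output shown in the steps above.

```python
import json

# Recommended policy named in the remediation section; a TLS listener on any other
# policy is flagged for review.
RECOMMENDED_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"

def audit_nlb_listeners(listeners):
    """Evaluate one NLB's describe-listeners 'Listeners' array.

    Returns tls_termination (True if any listener uses TLS), plaintext_ports
    (ports of listeners that are not TLS) and weak_policies ({port: SslPolicy}
    for TLS listeners not on RECOMMENDED_POLICY)."""
    result = {"tls_termination": False, "plaintext_ports": [], "weak_policies": {}}
    for lst in listeners:
        if lst.get("Protocol") == "TLS":
            result["tls_termination"] = True
            if lst.get("SslPolicy") != RECOMMENDED_POLICY:
                result["weak_policies"][lst.get("Port")] = lst.get("SslPolicy")
        else:
            result["plaintext_ports"].append(lst.get("Port"))
    return result

def classify(result):
    """Map an audit result to a rule outcome (labels are this example's own)."""
    if not result["tls_termination"]:
        return "FAIL"  # no TLS listener at all: the NLB is not using TLS termination
    if result["plaintext_ports"] or result["weak_policies"]:
        return "WARN"  # TLS termination is present, but something merits review
    return "PASS"

def audit_region(responses_by_lb):
    """responses_by_lb: {lb_arn: parsed 'aws elbv2 describe-listeners' output}."""
    return {arn: classify(audit_nlb_listeners(resp.get("Listeners", [])))
            for arn, resp in responses_by_lb.items()}

# Constructed sample data (ARNs taken from the examples above; listener sets invented).
NLB_A = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd"
NLB_B = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/aabbccddaabbccdd"
SAMPLE_RESPONSES = {
    NLB_A: json.loads('{"Listeners": [{"Protocol": "TCP", "Port": 80}]}'),
    NLB_B: json.loads('{"Listeners": [{"Protocol": "TLS", "Port": 443, '
                      '"SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"}]}'),
}

if __name__ == "__main__":
    for arn, outcome in audit_region(SAMPLE_RESPONSES).items():
        print(outcome, arn)
```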
Remediation / Resolution
To enable Transport Layer Security (TLS) termination for your Amazon Network Load Balancers, update their listener configuration to support the TLS protocol (an X.509 SSL certificate is required). To add a TLS listener to your Network Load Balancer, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Add TLS Listener to Network Load Balancer",
    "Resources": {
        "NetworkLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties": {
                "Name": "cc-network-load-balancer",
                "Type": "network",
                "Scheme": "internet-facing",
                "IpAddressType": "ipv4",
                "Subnets": [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
            }
        },
        "TLSListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "Protocol": "TLS",
                "Port": 443,
                "LoadBalancerArn": { "Ref": "NetworkLoadBalancer" },
                "DefaultActions": [
                    {
                        "Type": "forward",
                        "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444"
                    }
                ],
                "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
                "Certificates": [
                    { "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" }
                ]
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Add TLS Listener to Network Load Balancer
Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-network-load-balancer
      Type: network
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
  TLSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: TLS
      Port: 443
      LoadBalancerArn: !Ref 'NetworkLoadBalancer'
      DefaultActions:
        - Type: forward
          TargetGroupArn: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_lb" "network-load-balancer" {
  name               = "cc-network-load-balancer"
  load_balancer_type = "network"
  internal           = false
  ip_address_type    = "ipv4"
  subnets            = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
}

# Add TLS Listener to Network Load Balancer
resource "aws_lb_listener" "tls-listener" {
  load_balancer_arn = aws_lb.network-load-balancer.arn
  protocol          = "TLS"
  port              = 443
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"

  default_action {
    type             = "forward"
    target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444"
  }
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list all the Network Load Balancers deployed within the current AWS region.
05 Select the Network Load Balancer (NLB) that you want to reconfigure.
06 Select the Listeners tab from the console bottom panel and choose Add listener.
07 On the Add listener setup page, perform the following operations:
- From the Protocol dropdown list, select TLS.
- (Optional) You can use the default port (i.e. 443) or provide a custom port in the Port box.
- For Default actions, select an existing target group or choose Create target group to create a new one. For a Network Load Balancer, the default action is a Forward action that routes requests to the target group that you select at this step.
- Choose the following policy from the Security policy dropdown list: ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended), to meet security, compliance, and regulatory requirements. This security policy includes TLS 1.3, which is optimized for security and performance, and is backward compatible with TLS 1.2.
- For Default SSL/TLS certificate, choose one of the following options:
- Choose From ACM and select an existing SSL/TLS certificate purchased via Amazon Certificate Manager (ACM). If you haven’t purchased one yet, choose Request new ACM certificate and the AWS Management Console will redirect your request to the ACM service console where you can buy the required SSL/TLS certificate.
- Choose From IAM and select an existing SSL/TLS certificate uploaded previously to Amazon IAM.
- Choose Import and select To ACM to deploy an existing SSL/TLS certificate by pasting the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain – optional boxes, information granted by the SSL/TLS provider from which you bought the certificate.
- Choose Import and select To IAM to deploy an existing SSL/TLS certificate by pasting the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain – optional boxes, information granted by the SSL/TLS provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box.
- Choose the ALPN policy that you want to use for your new listener from the ALPN policy dropdown list. Application-Layer Protocol Negotiation (ALPN) is a TLS extension that carries the protocol negotiation within the exchange of hello messages. If you choose the HTTP2Only ALPN policy, make sure your application supports HTTP/2 for TLS target groups.
- Choose Add to create the secure TLS listener, then select View listeners to return to the Amazon EC2 console.
08 Repeat steps no. 5 – 7 for each Network Load Balancer that you want to reconfigure, deployed within the current AWS region.
09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Get the Amazon Resource Name (ARN) available for your SSL certificate purchased via Amazon ACM or uploaded to Amazon IAM:
- Run list-certificates command (OSX/Linux/UNIX) to list the ARNs of the SSL/TLS certificates purchased using Amazon ACM service:
aws acm list-certificates --region us-east-1 --query 'CertificateSummaryList[*].CertificateArn'
- The command output should return the requested Amazon Resource Names (ARNs):
[ "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-cccc-dddd-eeee-123456789012" ]
- Run list-server-certificates command (OSX/Linux/UNIX) to list the ARNs of the SSL/TLS certificates managed by Amazon IAM service:
aws iam list-server-certificates --region us-east-1 --query 'ServerCertificateMetadataList[*].Arn'
- The command output should return the requested SSL certificate ARN(s):
[ "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" ]
02 Run create-listener command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the SSL/TLS certificate that you want to use as the identifier parameter to create a TLS listener for the selected Network Load Balancer (NLB):
aws elbv2 create-listener --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd --protocol TLS --port 443 --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 --certificates CertificateArn="arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444
03 The command output should return the configuration information available for the new TLS listener:
{
    "Listeners": [
        {
            "Protocol": "TLS",
            "DefaultActions": [
                {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444",
                    "Type": "forward"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-network-load-balancer/abcdabcdabcdabcd/1122334411223344"
        }
    ]
}
04 Repeat steps no. 1 – 3 for each Network Load Balancer that you want to reconfigure, available in the selected AWS region.
05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- Elastic Load Balancing FAQs
- Listeners for Your Network Load Balancers
- TLS Listeners for Your Network Load Balancer
- Update a Listener for Your Network Load Balancer
- Target Groups for Your Network Load Balancers
- AWS Command Line Interface (CLI) Documentation
- elbv2
- describe-load-balancers
- describe-listeners
- create-listener
- list-certificates
- list-server-certificates
- AWS Blog(s)
- New – TLS Termination for Network Load Balancers
- Network Load Balancer Now Supports TLS Termination
- CloudFormation Documentation
- Elastic Load Balancing V2 resource type reference
- Terraform Documentation
- AWS Provider