
ELBv2 NLB Listener Security

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ELBv2-010

Ensure that your Amazon Network Load Balancers (NLBs) are configured to terminate TLS connections in order to optimize the performance of the backend servers while encrypting the communication between the load balancer and the associated targets (i.e. server instances).

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When Transport Layer Security (TLS) termination is enabled, you can offload the encryption and decryption of the TLS traffic from your backend application servers to your Amazon Network Load Balancer, enhancing the performance of your backend servers while keeping the workload secure. Also, by using built-in security policies with optimal TLS versions and ciphers, the application or service behind your Network Load Balancer (NLB) can achieve PCI and FedRAMP compliance.
Audit

To determine if your Network Load Balancers (NLBs) are configured with TLS termination, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list the Network Load Balancers deployed in the current AWS region.

05 Select the Network Load Balancer (NLB) that you want to examine.

06 Choose the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Select the load balancer listener that you want to examine and choose Edit.

08 On the Edit listener page, in the Listener details section, check the protocol selected from the Protocol dropdown list to determine the listener protocol. If the selected protocol is not TLS, the listener configuration is not secure.

09 Repeat steps no. 7 and 8 for each listener configured for the load balancer. If there are no listeners configured with the TLS protocol, the selected Network Load Balancer (NLB) is not using TLS termination.

10 Repeat steps no. 5 – 9 for each Network Load Balancer provisioned within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Network Load Balancer deployed in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `network`)].LoadBalancerArn | []'

02 The command output should return an array with the requested load balancer ARN(s):

[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/aabbccddaabbccdd"
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the connection protocol of each listener configured for the selected load balancer:

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd \
  --query 'Listeners[*].Protocol'

04 The command output should return an array with the communication protocol(s) used by the load balancer listener(s):

[
    "TCP"
]

If the array returned by the describe-listeners command output does not contain "TLS", there are no secure (TLS) listeners configured for the load balancer, therefore the selected Amazon Network Load Balancer (NLB) is not using TLS termination.

05 Repeat steps no. 3 and 4 for each Network Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
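The same audit as a script, added here as an example (not Conformity's or AWS's own code): it filters load balancers to Type "network", checks each one's listeners for the TLS protocol exactly as steps 1 to 4 do, follows NextMarker pagination, and additionally reports TLS listeners whose SslPolicy is not the policy recommended in the Remediation section. The boto3 client is injected, so a constructed FakeElbv2 with sample data stands in for it offline; in a real run pass boto3.client("elbv2", region_name=...) for each region.

```python
from typing import Any, Dict, List

# Recommended policy from the Remediation section; others are reported, not failed.
RECOMMENDED_SSL_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"

def evaluate_nlb(listeners: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Apply rule ELBv2-010 to one NLB's describe-listeners output."""
    tls = [lsn for lsn in listeners if lsn.get("Protocol") == "TLS"]
    return {
        "compliant": bool(tls),  # no TLS listener at all -> not compliant
        "protocols": [lsn.get("Protocol") for lsn in listeners],
        "non_recommended_policy_ports": [
            lsn.get("Port") for lsn in tls if lsn.get("SslPolicy") != RECOMMENDED_SSL_POLICY],
    }

def audit_region(client) -> Dict[str, Dict[str, Any]]:
    """Audit every NLB seen by `client`: a boto3 elbv2 client, or a fake."""
    # Follows NextMarker so large accounts are fully covered, and skips any
    # Type != "network", matching the describe-load-balancers query above.
    verdicts, marker = {}, None
    while True:
        resp = client.describe_load_balancers(**({"Marker": marker} if marker else {}))
        for lb in resp["LoadBalancers"]:
            if lb.get("Type") != "network":
                continue
            arn = lb["LoadBalancerArn"]
            verdicts[arn] = evaluate_nlb(
                client.describe_listeners(LoadBalancerArn=arn)["Listeners"])
        marker = resp.get("NextMarker")
        if not marker:
            return verdicts

class FakeElbv2:
    """Constructed stand-in for the boto3 client so the audit runs offline."""
    def __init__(self, lbs, listeners):
        self._lbs, self._listeners = lbs, listeners
    def describe_load_balancers(self, **_):
        return {"LoadBalancers": self._lbs}
    def describe_listeners(self, LoadBalancerArn, **_):
        return {"Listeners": self._listeners.get(LoadBalancerArn, [])}

# Constructed sample data reusing the two NLB ARNs from the Audit section.
NLB_TCP = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd"
NLB_TLS = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/aabbccddaabbccdd"
SAMPLE_CLIENT = FakeElbv2(
    [{"LoadBalancerArn": NLB_TCP, "Type": "network"}, {"LoadBalancerArn": NLB_TLS, "Type": "network"}],
    {NLB_TCP: [{"Protocol": "TCP", "Port": 80}],
     NLB_TLS: [{"Protocol": "TCP", "Port": 80},
               {"Protocol": "TLS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"}]})
```

With the sample data the first NLB fails the rule (TCP only) and the second passes, but its TLS listener on port 443 is listed under non_recommended_policy_ports because it still uses the older default policy.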

Remediation / Resolution

To enable Transport Layer Security (TLS) termination for your Amazon Network Load Balancers, update their listener configuration to support the TLS protocol (an X.509 SSL certificate is required). To add a TLS listener to your Network Load Balancer, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Add TLS Listener to Network Load Balancer",
  "Resources": {
    "NetworkLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties" : {
        "Name" : "cc-network-load-balancer",
        "Type" : "network",
        "Scheme" : "internet-facing",
        "IpAddressType" : "ipv4",
        "Subnets" : [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
      }
    },
    "TLSListener": {
        "Type" : "AWS::ElasticLoadBalancingV2::Listener",
        "Properties" : {
            "Protocol" : "TLS",
            "Port" : 443,
            "LoadBalancerArn": {
                   "Ref" : "NetworkLoadBalancer"
            },
            "DefaultActions": [
                {
                    "Type" : "forward",
                    "TargetGroupArn" : "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444"
                }
            ],
            "SslPolicy" : "ELBSecurityPolicy-TLS13-1-2-2021-06",
            "Certificates" : [
              {
                  "CertificateArn" : "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
              }
            ]
          }
       }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Add TLS Listener to Network Load Balancer
Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-network-load-balancer
      Type: network
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
  TLSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: TLS
      Port: 443
      LoadBalancerArn: !Ref 'NetworkLoadBalancer'
      DefaultActions:
        - Type: forward
          TargetGroupArn: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_lb" "network-load-balancer" {
  name               = "cc-network-load-balancer"
  load_balancer_type = "network"
  internal           = false
  ip_address_type    = "ipv4"
  subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
}

# Add TLS Listener to Network Load Balancer
resource "aws_lb_listener" "tls-listener" {
  load_balancer_arn = aws_lb.network-load-balancer.arn
  protocol          = "TLS"
  port              = 443
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"

  default_action {
    type             = "forward"
    target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444"
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list all the Network Load Balancers deployed within the current AWS region.

05 Select the Network Load Balancer (NLB) that you want to reconfigure.

06 Select the Listeners tab from the console bottom panel and choose Add listener.

07 On the Add listener setup page, perform the following operations:

  1. From the Protocol dropdown list, select TLS.
  2. (Optional) You can use the default port (i.e. 443) or provide a custom port in the Port box.
  3. For Default actions, select an existing target group or choose Create target group to create a new one. For a Network Load Balancer, the default action is a Forward action that routes requests to the target group that you select at this step.
  4. Choose the following policy from the Security policy dropdown list: ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended), to meet security, compliance, and regulatory requirements. This security policy includes TLS 1.3, which is optimized for security and performance, and is backward compatible with TLS 1.2.
  5. For Default SSL/TLS certificate, choose one of the following options:
    • Choose From ACM and select an existing SSL/TLS certificate purchased via Amazon Certificate Manager (ACM). If you haven’t purchased one yet, choose Request new ACM certificate and the AWS Management Console will redirect your request to the ACM service console where you can buy the required SSL/TLS certificate.
    • Choose From IAM and select an existing SSL/TLS certificate uploaded previously to Amazon IAM.
    • Choose Import and select To ACM to deploy an existing SSL/TLS certificate by pasting the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain – optional boxes, information granted by the SSL/TLS provider from which you bought the certificate.
    • Choose Import and select To IAM to deploy an existing SSL/TLS certificate by pasting the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain – optional boxes, information granted by the SSL/TLS provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box.
  6. Choose the ALPN policy that you want to use for your new listener from the ALPN policy dropdown list. Application-Layer Protocol Negotiation (ALPN) is a TLS extension that performs the protocol negotiation within the exchange of hello messages. If you choose the HTTP2Only ALPN policy, make sure your application supports HTTP/2 for TLS target groups.
  7. Choose Add to create the secure TLS listener, then select View listeners to return to the Amazon EC2 console.

08 Repeat steps no. 5 – 7 for each Network Load Balancer that you want to reconfigure, deployed within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Get the Amazon Resource Name (ARN) available for your SSL certificate purchased via Amazon ACM or uploaded to Amazon IAM:

  1. Run list-certificates command (OSX/Linux/UNIX) to list the ARNs of the SSL/TLS certificates purchased using Amazon ACM service:
    aws acm list-certificates \
      --region us-east-1 \
      --query 'CertificateSummaryList[*].CertificateArn'

  2. The command output should return the requested Amazon Resource Names (ARNs):
    [
       "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-cccc-dddd-eeee-123456789012"
    ]

  3. Run list-server-certificates command (OSX/Linux/UNIX) to list the ARNs of the SSL/TLS certificates managed by Amazon IAM service:
    aws iam list-server-certificates \
      --region us-east-1 \
      --query 'ServerCertificateMetadataList[*].Arn'

  4. The command output should return the requested SSL certificate ARN(s):
    [
       "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
    ]


02 Run create-listener command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the SSL/TLS certificate that you want to use as the identifier parameter to create a TLS listener for the selected Network Load Balancer (NLB):

aws elbv2 create-listener \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd \
  --protocol TLS \
  --port 443 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --certificates CertificateArn="arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444

03 The command output should return the configuration information available for the new TLS listener:

{
    "Listeners": [
        {
            "Protocol": "TLS",
            "DefaultActions": [
                {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444",
                    "Type": "forward"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-network-load-balancer/abcdabcdabcdabcd/1122334411223344"
        }
    ]
}

04 Repeat steps no. 1 – 3 for each Network Load Balancer that you want to reconfigure, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Feb 10, 2019