# AWS ELB Load Balancer listeners are not using a secure protocol
- Contextual name: Load Balancer listeners are not using a secure protocol
- ID: `/ce/ca/aws/elb/load-balancer-listener-security`
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: `COMPLIANCE_POLICY`
- Policy Categories: `SECURITY`
## Logic
- prod.logic.yaml

## Similar Policies
- AWS Security Hub: [ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit
- AWS Security Hub: [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
- Cloud Conformity: ELB Listener Security
## Description
This policy identifies AWS Elastic Load Balancer (ELB) listeners that are configured with insecure protocols. It is recommended to use only secure protocols, such as HTTPS, TLS, SSL, or QUIC, to encrypt communications between clients and load balancers.
### Rationale
Using unencrypted protocols allows data to be transmitted in plaintext, which poses a significant security risk. Secure protocols such as HTTPS, TLS and QUIC provide encryption, ensuring that intercepted data cannot be read or modified. QUIC, which underpins HTTP/3, also delivers enhanced security and performance compared to earlier transport mechanisms. Encrypted communication helps prevent man-in-the-middle (MITM) attacks and protects the integrity and confidentiality of data in transit.
### Audit
This policy flags an AWS ELB Load Balancer as `INCOMPLIANT` if any related ELB Load Balancer Listener is not configured to use a secure protocol, such as HTTPS, TLS, SSL, or QUIC. A Listener configured with the TCP protocol on port 443 is marked as `COMPLIANT`, as this configuration is commonly used to forward encrypted traffic directly to targets without decrypting it at the load balancer.
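The audit rule above, as an added worked example that is not Cloudaware's own `prod.logic.yaml` logic: a small Python evaluator that applies the listener rule (secure protocol, or TCP passthrough on port 443) to listener records in the shapes returned by `aws elbv2 describe-listeners` (ALB/NLB) and one `LoadBalancerDescriptions` entry of `aws elb describe-load-balancers` (CLB). The sample records are constructed, and treating a load balancer with no listeners as compliant is an assumption the page does not state.

```python
from __future__ import annotations

from dataclasses import dataclass

# Protocols the policy accepts as encrypting the client <-> load balancer leg.
SECURE_PROTOCOLS = {"HTTPS", "TLS", "SSL", "QUIC"}

# Special case from the policy text: TCP on 443 is treated as compliant because
# the load balancer passes already-encrypted traffic through to the targets.
PASSTHROUGH_EXCEPTIONS = {("TCP", 443)}


@dataclass(frozen=True)
class Listener:
    protocol: str
    port: int


def listener_is_secure(listener: Listener) -> bool:
    """Apply the per-listener rule: secure protocol, or TCP passthrough on 443."""
    proto = listener.protocol.upper()
    if proto in SECURE_PROTOCOLS:
        return True
    return (proto, listener.port) in PASSTHROUGH_EXCEPTIONS


def listeners_from_elbv2(describe_listeners_output: dict) -> list[Listener]:
    """Listeners from the `aws elbv2 describe-listeners` output shape (ALB/NLB)."""
    return [
        Listener(item["Protocol"], int(item["Port"]))
        for item in describe_listeners_output.get("Listeners", [])
    ]


def listeners_from_classic(load_balancer_description: dict) -> list[Listener]:
    """Listeners from one LoadBalancerDescriptions entry of `aws elb describe-load-balancers` (CLB)."""
    return [
        Listener(desc["Listener"]["Protocol"], int(desc["Listener"]["LoadBalancerPort"]))
        for desc in load_balancer_description.get("ListenerDescriptions", [])
    ]


def evaluate(listeners: list[Listener]) -> tuple[str, list[Listener]]:
    """Return the load balancer verdict and the listeners that made it INCOMPLIANT.

    Assumption: a load balancer with no listeners has nothing insecure attached
    and is reported COMPLIANT (the policy text only describes the case where
    some listener is insecure).
    """
    offending = [lsn for lsn in listeners if not listener_is_secure(lsn)]
    return ("INCOMPLIANT" if offending else "COMPLIANT"), offending


# ---- Constructed sample records (not real account data) -------------------

SAMPLE_ALB = {  # HTTP:80 beside HTTPS:443 -> the HTTP listener fails the policy
    "Listeners": [
        {"Protocol": "HTTP", "Port": 80},
        {"Protocol": "HTTPS", "Port": 443},
    ]
}
SAMPLE_NLB_PASSTHROUGH = {"Listeners": [{"Protocol": "TCP", "Port": 443}]}
SAMPLE_NLB_MIXED = {
    "Listeners": [{"Protocol": "TLS", "Port": 443}, {"Protocol": "TCP", "Port": 8080}]
}
SAMPLE_CLB = {
    "LoadBalancerName": "legacy-web",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
        {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 443,
                      "InstanceProtocol": "TCP", "InstancePort": 443}},
    ],
}


if __name__ == "__main__":
    for name, listeners in [
        ("alb", listeners_from_elbv2(SAMPLE_ALB)),
        ("nlb-passthrough", listeners_from_elbv2(SAMPLE_NLB_PASSTHROUGH)),
        ("nlb-mixed", listeners_from_elbv2(SAMPLE_NLB_MIXED)),
        ("clb", listeners_from_classic(SAMPLE_CLB)),
    ]:
        verdict, offending = evaluate(listeners)
        detail = ", ".join(f"{lsn.protocol}:{lsn.port}" for lsn in offending) or "-"
        print(f"{name:16} {verdict:12} offending={detail}")
```

Note that the passthrough exception is keyed on both protocol and port: a TCP listener on any other port (8080 in the mixed NLB sample) is still reported, because nothing tells the auditor that the traffic on it is encrypted.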
## Remediation
### Create a Secure Listener for an AWS Load Balancer
#### Prerequisites
Before creating a secure listener, ensure you have the following resources configured in the same AWS Region as your load balancer:
- A Validated SSL/TLS Certificate: A certificate issued by AWS Certificate Manager (ACM) and in the ISSUED state.
- Backend Target: An existing target group (for ALB/NLB) or registered instances (for CLB) to forward traffic to.
- Certificate ARN: The Amazon Resource Name (ARN) of your certificate.
  - For Application and Network Load Balancers, use the certificate's ACM ARN.
  - For Classic Load Balancers, you can use the certificate's IAM Server Certificate ARN. You can find this in the IAM console or via the AWS CLI (`aws iam list-server-certificates`).

#### Create a Secure Listener
Use the appropriate command based on the load balancer type.
##### Application Load Balancer

```shell
aws elbv2 create-listener \
  --load-balancer-arn {{load-balancer-arn}} \
  --protocol HTTPS \
```

... [see more](remediation.md)
## policy.yaml

## Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit | 1 | no data | | | |
| AWS Well-Architected → SEC09-BP01 Implement secure key and certificate management | 5 | no data | | | |
| Cloudaware Framework → Data Encryption | 66 | no data | | | |