🛡️ AWS ELB Application Load Balancer is not configured to redirect HTTP to HTTPS🟢

• Contextual name: 🛡️ Application Load Balancer is not configured to redirect HTTP to HTTPS🟢
• ID: /ce/ca/aws/elb/load-balancer-redirects-http-to-https
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS ELB Load Balancer
  • 🔌 AWS ELB Load Balancer Listener Rule - object.extracts.yaml
  • 🔌 AWS ELB Load Balancer - object.extracts.yaml
  • 🔌 AWS ELB Load Balancer Listener - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

Description

Open File

Description

This policy identifies AWS Application Elastic Load Balancers that have an HTTP listener but do not enforce a redirect to an HTTPS listener on port 443.

Rationale

Unencrypted HTTP traffic is susceptible to interception and man-in-the-middle attacks. Although some applications may handle HTTPS enforcement internally, implementing an HTTP-to-HTTPS redirect at the load balancer level ensures that all client traffic is encrypted before reaching the application servers, providing a consistent and centralized security control.

Audit

This policy flags an AWS ELB Application Load Balancer as INCOMPLIANT if it has an associated HTTP Listener that does not include either:

• a Default Action, or

• a Listener Rule

  configured to redirect traffic to HTTPS on port 443.

Remediation

Open File

Remediation

Enable HTTP-to-HTTPS Redirection

Configure the Application Load Balancer to redirect all HTTP traffic to HTTPS (port 443). This can be achieved either by modifying the HTTP listener’s default action or by adding a high-priority listener rule.

An HTTPS listener on port 443 must already exist on your load balancer, configured with a valid SSL/TLS certificate

Note: Apply these changes only to the HTTP (port 80) listener.

Option 1: Modify the Listener Default Action (Recommended)

This approach changes the default behavior of the HTTP listener so that all requests are permanently redirected (HTTP 301) to HTTPS. Use this when the HTTP listener's sole purpose is redirection

From Command Line

aws elbv2 modify-listener \
    --listener-arn {{listener-arn}} \
    --default-actions '[
        {
            "Type": "redirect",
            "RedirectConfig": {
                "Protocol": "HTTPS",
                "Port": "443",
                "StatusCode": "HTTP_301"
            }
        }
    ]'

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			66		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	95		no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			20		no data
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)		1	12		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			41		no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	23		no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	22		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	40		no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	19		no data
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			12		no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		23		no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			22		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		79		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			20		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			12		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			41		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		23		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			22		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			19		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			162		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			81		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			173		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			149		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			169		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			112		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	110		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	20		no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			41		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	23		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	21		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			14		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys			9		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		29		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		13		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			25		no data
💼 PCI DSS v3.2.1 → 💼 2.3 Encrypt all non-console administrative access using strong cryptography.		3	10		no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	27		no data
💼 PCI DSS v4.0.1 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.			10		no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		27		no data
💼 PCI DSS v4.0 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.		4	10		no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	27		no data