|   Trend Micro Cloud One™
Open menu

App-Tier ELB Listener Security

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Knowledge Base Amazon Web Services Elastic Load Balancing App-Tier ELB Listener Security
Risk level: High (not acceptable risk)
Rule ID: ELB-018

Ensure that your app-tier Elastic Load Balancer (ELB) listeners are using the HTTPS/SSL protocol to encrypt the communication between your application clients and the load balancer. This conformity rule assumes that all AWS resources provisioned within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When an app-tier AWS ELB has no HTTPS/SSL listeners, the front-end connection between the clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when the application is working with sensitive data such as health and personal records, credentials and credit card numbers. Using an HTTPS/SSL listener for the ELBs within your app tier will ensure that the application traffic between the client and the load balancer is encrypted over the SSL\TLS, and the transmitted data is secured.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To check your app-tier AWS ELB listeners for secure configurations, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier ELB Listener Security conformity rule settings and copy the tags defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering technique will return only the ELBs tagged for the app tier. If no results are returned, there are no ELBs tagged within your app tier and the audit process ends here. If the EC2 dashboard lists one or more load balancers, continue the audit process with the next step.

06 Select the app-tier load balancer that you want to examine.

07 Select the Listeners tab from the bottom panel.

08 Under Load Balancer Protocol column, check the protocol for each listener created. If there is no listener using either the HTTPS (Secure HTTP) or the SSL (Secure TCP) protocol, the listeners configuration for the selected app-tier ELB is not secure and the front-end connection between the client and the load balancer is not encrypted.

09 Repeat steps no. 6 – 8 to verify other ELBs provisioned within your app tier for secure configurations.

10 Change the AWS region from the navigation bar and repeat steps no. 5 – 9 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access App-Tier ELB Listener Security conformity rule settings and copy the tags defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs provisioned in the selected AWS region: 

aws elb describe-load-balancers
	--region us-east-1
	--output table
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names: 

--------------------------
|  DescribeLoadBalancers |
+------------------------+
|  cc-app-load-balancer  |
|  cc-internal-app-elb   |
+------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the ELB selected resource: 

aws elb describe-tags
	--region us-east-1
	--load-balancer-name cc-app-load-balancer
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ELB is not tagged, therefore the audit process for the selected resource stops here: 
    []
  2. If the command output returns a set of tags that is different than the one copied at step no. 1, the verified ELB does not belong to your app tier, therefore the audit process for the selected resource stops here: 
    [
    {
        "Value": "Name",
        "Key": "CC Test ELB"
    }
]
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified AWS ELB is tagged as a app-tier resource, therefore the audit process continues with the next step. 
    [
    {
        "Value": "<app_tier_tag_value>",
        "Key": "<app_tier_tag>"
    }
]

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the app-tier ELB identified at the previous step to describe the resource listeners configuration and determine if the selected app-tier ELB is using secure listeners (HTTPS or SSL): 

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name cc-app-load-balancer
	--query "LoadBalancerDescriptions[*].{ListenerDescriptions:ListenerDescriptions[?Listener.Protocol == 'HTTPS' || Listener.Protocol == 'SSL']}"

07 The command output should list the HTTPS/SSL listeners configuration details for the selected load balancer: 

[
    {
        "ListenerDescriptions": []
    }
]

If value of the "ListenerDescriptions" object is an empty array, as shown in the example above, the current configuration is not using the HTTPS (Secure HTTP) protocol or the SSL (Secure TCP) protocol, therefore the listeners configuration for the selected app-tier ELB is not secure and the front-end traffic is not encrypted.

08 Repeat step no. 6 and 7 to verify other ELBs provisioned within your app tier for secure configurations.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.

Remediation / Resolution

To secure the connection between the application clients and app-tier load balancer by using SSL encryption, update your ELB configuration to use listeners with HTTPS or SSL protocols. To implement HTTPS/SSL protocol for your app-tier ELB listeners, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the app-tier ELB that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Listeners tab from the bottom panel and click the Edit button under the available listener(s).

06 Inside the Edit listeners dialog box, click Add to add a new entry.

07 In the Load Balancer Protocol dropdown list, select either HTTPS (Secure HTTP) or SSL (Secure TCP).

08 In the Cipher column, click Change and make sure the latest Predefined Security Policy selected is ELBSecurityPolicy-2016-08 (recommended). If you want to use a custom policy, select Custom Security Policy and configure your own policy. If you need to apply any changes click Save, otherwise click Cancel to return to the Edit listeners dialog box.

09 In the SSL Certificate column, click Change and select one of the following options:

  1. Choose a certificate from ACM (recommended) - to use an existing SSL certificate purchased via Amazon Certificate Manager (ACM). If you haven’t purchased yet any SSL certificates you can request one by clicking Request a new ACM certificate link and AWS will redirect your request to the ACM dashboard where you can buy the required certificate. Click Save to apply the selected certificate.
  2. Choose a certificate from IAM - to use an existing SSL certificate uploaded previously to AWS IAM using the AWS console. Select the name of the SSL certificate that you want install from the Certificate dropdown list. Click Save to apply the changes.
  3. Upload a certificate to IAM - deploy an SSL certificate purchased from a third-party provider by entering the required information (pem encoded) within the Private Key, Certificate body and Certificate chain boxes, information made available by the SSL provider from which you bought the certificate. Make sure you type a unique name for the uploaded SSL certificate in the Certificate name box. Click Save to apply the installed SSL certificate.

10 Back to the Edit listeners dialog box, review the secure listeners configuration, then click Save. If successful, the following message will be displayed: “Finished updating listeners. Your listeners have been successfully updated.”. Click Close to return to the EC2 dashboard.

11 Repeat steps no. 4 – 10 for each app-tier ELB that needs to secure its front-end traffic, created in the selected region.

12 Change the AWS region from the navigation bar and repeat steps no. 4 – 11 for other regions.

Using AWS CLI

01 Depending on the AWS service used to manage your SSL certificates, perform one of the following actions:

  1. Get the Amazon Resource Name (ARN) of the SSL certificate(s) purchased via AWS ACM. The certificate ARN will be required later when secure listeners will be created:
    • Run list-certificates command (OSX/Linux/UNIX) to describe the ARN(s) and domain name(s) of the SSL certificate(s) purchased with AWS ACM: 
      aws acm list-certificates
	--region us-east-1
    • The command output should return the requested certificate(s) information: 
      {
   "CertificateSummaryList": [
      {
       "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
       "DomainName": "www.cloudconformity.com"
      }
   ]
}
  2. Get the ARN of the SSL certificate(s) uploaded to AWS IAM:
    • Run list-server-certificates command (OSX/Linux/UNIX) to describe the metadata (certificate ARN(s), name(s), etc), available for the SSL certificate(s) uploaded to AWS IAM: 
      aws iam list-server-certificates
    • The command output should return the requested metadata: 
      {
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateName": "cc-main-ssl-certificate",
            "Expiration": "2019-11-09T23:59:59Z",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:server-certificate/cc-main-ssl-certificate",
            "UploadDate": "2018-03-03T10:51:08Z"
        }
    ]
}

02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a new HTTPS listener for the selected app-tier ELB using the SSL certificate identified at the previous step. The following command example will create a front-end HTTPS listener for a app-tier ELB named "cc-app-load-balancer" using an SSL certificate identified by the ARN "arn:aws:iam::123456789012:server-certificate/cc-main-ssl-certificate" (the command does not produce an output): 

aws elb create-load-balancer-listeners
	--region us-east-1
	--load-balancer-name cc-app-load-balancer
	--listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/cc-main-ssl-certificate

03 Repeat step no. 2 for each app-tier ELB that needs to secure its front-end traffic, available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

References

Publication date Mar 8, 2018

Related ELB rules

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base

Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

App-Tier ELB Listener Security

Risk level: High