Logo of Trend Micro

ELB Listener Security

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ELB-008

Check your Elastic Load Balancers (ELBs) listeners for insecure configurations. Cloud Conformity recommends only using secure protocols, such as HTTPS or SSL, to encrypt the communication between the client and your load balancers.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When an ELB has any listeners that are not configured to use a secure protocol, such as HTTPS or SSL, the front-end connection between the client and the load balancer is vulnerable to eavesdropping and man-in-the-middle (MITM) attacks. The risk becomes even higher when transmitting sensitive private data such as credit card numbers. If your ELBs are using insecure listeners, such as HTTP, apply the information provided in this guide (see Remediation/Resolution section) to update their configuration.

Audit

To determine if your load balancers are only using secure listeners, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the Elastic Load Balancer that you want to examine.

05 Select the Listeners tab from the bottom panel.

06 Under Load Balancer Protocol column, check the protocol for each listener available. If there is no listener using the HTTPS or SSL protocol, the selected ELB listeners configuration is not secure (the front-end connection is not encrypted).

check the protocol for each listener available. If there is no listener using the HTTPS or SSL protocol

07 Repeat steps 4, 5 and 6 for each load balancer available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) to check if the ELB selected is using secure listeners (HTTPS or SSL). The following example returns the listeners metadata for an ELB called MyWebELB available in the US East region: 

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name MyWebELB
	--query 'LoadBalancerDescriptions[*].ListenerDescriptions'

02 The command output should list the ELB listeners details. Check the Protocol parameter value - if there is no listener using the HTTPS or SSL protocol, the listeners configuration is not secure: 

[
    [
        {
            "Listener": {
                "InstancePort": 80,
                "LoadBalancerPort": 80,
                "Protocol": "HTTP",
                "InstanceProtocol": "HTTP"
            },
            "PolicyNames": []
        }
    ]
]

03 Repeat step no. 1 for each load balancer available in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

Remediation / Resolution

To secure the connection between the client and the load balancer, update each ELB configuration to use listeners with HTTPS or SSL protocols (an X.509 SSL certificate is required). To implement HTTPS / SSL for your ELBs front-end listeners, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the Elastic Load Balancer that you want to examine.

05 Select the Listeners tab from the bottom panel and click the Edit button under the available listener(s).

06 In the Edit listeners dialog box, click Add to add a new entry.

07 In the Load Balancer Protocol dropdown list, select HTTPS (Secure HTTP).

08 Under the Cipher column, click Change and make sure the latest Predefined Security Policy is selected. If you need to use a custom policy, select Custom Security Policy and configure your own policy. If you apply any changes in this section click Save, otherwise click Cancel to return to the Edit listeners dialog box.

09 Under the SSL Certificate column, click Change and select one of the following options:

  1. Choose an existing certificate from AWS Certificate Manager (ACM) - to use an existing SSL certificate purchased via AWS Certificate Manager. If you haven’t purchased any SSL certificates you can click Request a new ACM certificate link and AWS will redirect your request to the ACM dashboard where you can buy the certificate.
  2. Choose an existing certificate from AWS Identity and Access Management (IAM) - to use an existing SSL certificate uploaded previously to AWS IAM through the ELB dashboard. Select the certificate name from the Certificate dropdown list: Select the certificate name from the Certificate dropdown list
  3. Upload a new SSL certificate to AWS Identity and Access Management (IAM) - deploy an SSL certificate purchased by entering the required information: deploy an SSL certificate purchased by entering the required informationgranted by the SSL provider from which you bought the certificate.

10 Click Save to apply the selected SSL certificate.

11 Back to the Edit listeners dialog box, review the listeners configuration and click Save. If successful, the following message will be displayed: “Finished updating listeners. Your listeners have been successfully updated.”.

12 Click Close. The configuration should update and list the new HTTPS listener:

The configuration should update now and list the new HTTPS listener

13 Repeat steps 4 – 11 for each load balancer available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Retrieve the Amazon Resource Name (ARN) for your SSL certificate purchased via AWS ACM or uploaded to AWS IAM:

  1. Run list-certificates command (OSX/Linux/UNIX) to expose the SSL certificate ARN available via AWS ACM: 
    aws acm list-certificates 
	--region us-east-1
  2. The command output should return each SSL certificate metadata, purchased via AWS ACM in US East region: 
    {
   "CertificateSummaryList": [
      {
       "CertificateArn": "arn:aws:acm:us-east-1:123456789012:
        certificate/47205532-4462-1259-4050-123456789012",
            "DomainName": "www.domain.com"
      }
   ]
}
  3. Run list-server-certificates command (OSX/Linux/UNIX) to expose the SSL certificate ARN available via AWS IAM: 
    aws iam list-server-certificates
  4. The command output should return each SSL certificate metadata, available via AWS IAM: 
    {
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateName": "MySSLCertificate",
            "Expiration": "2016-12-07T23:59:59Z",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:
                    server-certificate/MySSLCertificate",
            "UploadDate": "2016-04-01T11:56:08Z"
        }
    ]
}

02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a new HTTPS listener for the selected load balancer using the SSL certificate ARN listed earlier. The following example will create a HTTPS front-end listener for an ELB called MyWebELB using the SSL certificate with the ARN named arn:aws:iam::123456789012:server-certificate/MySSLCertificate (the command does not return any output):

aws elb create-load-balancer-listeners
	--region us-east-1
	--load-balancer-name MyWebELB
	--listeners Protocol=HTTPS, LoadBalancerPort=443, InstanceProtocol=HTTP, InstancePort=80, SSLCertificateId=arn:aws:iam::123456789012:server-certificate/MySSLCertificate

References

Publication date Apr 28, 2016

Related ELB rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

ELB Listener Security

Risk level: High