Enable HTTP to HTTPS Redirect for Application Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ELBv2-011

Ensure that your Amazon Application Load Balancers (ALBs) are configured to redirect HTTP traffic (port 80) to HTTPS (port 443) in order to follow security best practices and meet compliance requirements.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Redirecting HTTP traffic to HTTPS within your Application Load Balancer (ALB) listener configuration simplifies deployments while benefiting from the scale, availability, and reliability of Amazon Elastic Load Balancing. The ALB's capability to redirect HTTP requests to HTTPS allows you to meet your compliance goal of secure browsing and achieve a better search ranking and a high SSL/TLS score for your websites and web applications.


Audit

To determine if your Application Load Balancers (ALBs) are configured to redirect HTTP traffic to HTTPS, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Select the Application Load Balancer that you want to examine. An Application Load Balancer (ALB) has the Type attribute value set to application in the Type column.

05 Select the Listeners tab to access the list of listeners configured for the selected load balancer.

06 Choose the HTTP listener and check the listener rule(s) listed in the Rules column. If the HTTP listener does not have a rule that contains the "redirecting to HTTPS://#{host}:<port>/#{path}?#{query}" action, the selected Amazon Application Load Balancer (ALB) is not configured to redirect HTTP traffic to HTTPS.

07 Repeat steps no. 4 – 6 for each Application Load Balancer created within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all the Application Load Balancers (ALBs) available in the selected AWS region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'

02 The command output should return an array with the requested ALB ARN(s):

[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-webapp-endpoint-alb/abcd1234abcd1234"
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the Amazon Application Load Balancer that you want to examine as identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the HTTP listener configured for the selected load balancer:

aws elbv2 describe-listeners \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd \
	--query 'Listeners[?(Protocol == `HTTP`)].ListenerArn'

04 The command output should return the ARN of the HTTP load balancer listener:

[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-web-production-alb/abcdabcdabcdabcd/abcd1234abcd1234"
]

05 To redirect HTTP traffic to HTTPS, the HTTP listener must have a rule that contains the following redirect action:

[
    {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Host": "#{host}",
            "Query": "#{query}",
            "Path": "/#{path}",
            "Port": "<port>",
            "StatusCode": "HTTP_301"
        }
    }
]

06 Run describe-rules command (OSX/Linux/UNIX) using the ARN of the HTTP listener returned at the previous step as identifier parameter, to describe the rule(s) actions defined for the HTTP listener:

aws elbv2 describe-rules \
	--region us-east-1 \
	--listener-arn "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-web-production-alb/abcdabcdabcdabcd/abcd1234abcd1234" \
	--query 'Rules[*].Actions | []'

07 The command output should return the rule(s) actions configured for the requested listener:

[
    {
        "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-production-target-group/1234abcd1234abcd",
        "Type": "forward",
        "ForwardConfig": {
            "TargetGroupStickinessConfig": {
                "Enabled": false
            },
            "TargetGroups": [
                {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-production-target-group/1234abcd1234abcd",
                    "Weight": 1
                }
            ]
        }
    }
]

If the describe-rules command output does not contain a redirect action like the one listed at step no. 5, the selected Amazon Application Load Balancer (ALB) is not configured to redirect HTTP traffic to HTTPS.

08 Repeat steps no. 3 – 7 for each Application Load Balancer deployed in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
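The audit steps above can be scripted so the describe-rules output is evaluated automatically instead of by eye. The following is an added example, not Conformity's own code: it applies the ELBv2-011 test (a rule carrying a redirect action whose Protocol is HTTPS) to the JSON that describe-rules returns without the --query filter, and additionally reports whether the redirect sits on the default rule, which is an added caveat the page does not state. The sample rule lists are constructed to mirror the output shown in steps 5 and 7.

```python
"""Added example (not Conformity's own code): evaluates the ELBv2-011 test
against the JSON that 'aws elbv2 describe-rules' returns. Pipe real output in:
  aws elbv2 describe-rules --listener-arn <http-listener-arn> --output json \
      | python3 check_http_redirect.py
"""
import json
import sys

REDIRECT_CODES = {"HTTP_301", "HTTP_302"}


def is_https_redirect(action):
    """True if a single rule action redirects the request to HTTPS."""
    cfg = action.get("RedirectConfig") or {}
    return (action.get("Type") == "redirect"
            and cfg.get("Protocol") == "HTTPS"
            and cfg.get("StatusCode", "HTTP_301") in REDIRECT_CODES)


def check_http_listener(rules):
    """Evaluate the 'Rules' list of one HTTP listener.

    Returns (compliant, detail). The page's test passes as soon as any rule
    carries the redirect action; the detail also reports whether that rule is
    the default rule (added caveat), because a redirect on a conditional rule
    leaves requests that match no condition unredirected.
    """
    redirecting = [r for r in rules
                   if any(is_https_redirect(a) for a in r.get("Actions", []))]
    if not redirecting:
        return False, "no rule with a redirect-to-HTTPS action"
    if not any(r.get("IsDefault") for r in redirecting):
        return True, "redirect present, but only on a non-default rule"
    return True, "default rule redirects HTTP to HTTPS"


TG = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
      "targetgroup/cc-production-target-group/1234abcd1234abcd")
# Constructed samples mirroring audit steps 7 (forward only) and 5 (redirect)
FORWARD_ONLY = [{"IsDefault": True, "Conditions": [],
                 "Actions": [{"Type": "forward", "TargetGroupArn": TG}]}]
REDIRECTING = [{"IsDefault": True, "Conditions": [], "Actions": [
    {"Type": "redirect", "RedirectConfig": {
        "Protocol": "HTTPS", "Host": "#{host}", "Query": "#{query}",
        "Path": "/#{path}", "Port": "443", "StatusCode": "HTTP_301"}}]}]

if __name__ == "__main__":
    rules = json.load(sys.stdin)["Rules"] if not sys.stdin.isatty() else FORWARD_ONLY
    ok, why = check_http_listener(rules)
    print(("COMPLIANT: " if ok else "NOT COMPLIANT: ") + why)
    sys.exit(0 if ok else 1)
```

Run it once per HTTP listener ARN returned by describe-listeners; a non-zero exit marks the load balancer as not configured for the redirect.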

Remediation / Resolution

To configure your existing Amazon Application Load Balancers (ALBs) to redirect HTTP traffic to HTTPS, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Select the Application Load Balancer that you want to reconfigure (see Audit section part I to identify the right load balancer).

05 Select the Listeners tab to access the list of listeners configured for the load balancer.

06 Click on the View/edit rules link available in the Rules column for the HTTP listener.

07 On the Rules page, perform the following actions:

  1. Choose the Edit rules tab, and click on the edit rule icon to modify the existing default rule in order to redirect all HTTP requests to HTTPS.
  2. Within the Edit Rule mode, under THEN, delete the existing action.
  3. Choose Add action to add a new action of type Redirect to.
  4. In the Redirect to action configuration box, enter 443 for the HTTPS port and keep the defaults for the remaining options.
  5. Click on the checkmark icon to save the configuration changes.
  6. Choose Update to apply the changes to the selected load balancer listener rule.


09 Go back to the Listeners panel and choose Add listener to create an HTTPS listener. If you already have an HTTPS listener with a rule that forwards requests to the load balancer target group, skip to step no. 11.

10 On the Listeners setup page, perform the following:

  1. For Protocol: port, choose HTTPS. The default port (i.e. 443) will be configured.
  2. For Default actions, choose Add action, and select Forward to.
  3. Select the name of the target group that hosts the application instances from the Target group dropdown list.
  4. Select the latest predefined security policy that's best suited for your configuration, from the Security policy dropdown list.
  5. Choose the required SSL certificate from the Default SSL certificate dropdown list. If you don't have one yet, request a new ACM certificate.
  6. Choose Add listener to save the new HTTPS listener.

11 To ensure that the security group associated with your Application Load Balancer allows traffic on TCP port 443, perform the following actions:

  1. Select the Description tab to access the load balancer configuration information.
  2. In the Security section, click on the ID (link) of the security group attached to your load balancer to open the security group resource.
  3. On the selected security group page, choose the Inbound tab, and verify all the TCP inbound rules. The selected security group must have an inbound rule that allows traffic for both HTTP and HTTPS. If there are no HTTPS inbound rules, perform the following actions to create one:
    • Choose Edit to modify the inbound rules configuration.
    • Choose Add rule to create a new inbound rule.
    • For Type, select HTTPS.
    • For Source, select Anywhere.
    • Choose Save to save the changes.

12 Repeat steps no. 4 – 11 to configure HTTP to HTTPS redirection for other Application Load Balancers (ALBs) available within the current AWS region.

13 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Define the HTTP listener rule configuration that redirects HTTP traffic to HTTPS for the selected Amazon Application Load Balancer. Save the configuration document to a JSON file named cc-redirect-config.json:

[
    {
        "Type": "redirect",
        "Order": 1,
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Host": "#{host}",
            "Query": "#{query}",
            "Path": "/#{path}",
            "Port": "443",
            "StatusCode": "HTTP_301"
        }
    }
]

02 Run modify-listener command (OSX/Linux/UNIX) to modify the default rule configuration for the specified HTTP listener, using the configuration document defined at the previous step:

aws elbv2 modify-listener \
	--region us-east-1 \
	--listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-web-production-alb/abcdabcdabcdabcd/abcd1234abcd1234 \
	--default-actions file://cc-redirect-config.json

03 The command output should return the configuration metadata of the modified load balancer listener:

{
    "Listeners": [
        {
            "Protocol": "HTTP",
            "DefaultActions": [
                {
                    "RedirectConfig": {
                        "Protocol": "HTTPS",
                        "Host": "#{host}",
                        "Query": "#{query}",
                        "Path": "/#{path}",
                        "Port": "443",
                        "StatusCode": "HTTP_301"
                    },
                    "Type": "redirect",
                    "Order": 1
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd",
            "Port": 80,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-web-production-alb/abcdabcdabcdabcd/abcd1234abcd1234"
        }
    ]
}

04 Run create-listener command (OSX/Linux/UNIX) to create a new HTTPS listener for the specified Amazon Application Load Balancer (ALB). If you already have an HTTPS listener with a rule that forwards requests to the load balancer target group, skip to step no. 6:

aws elbv2 create-listener \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd \
	--protocol HTTPS \
	--port 443 \
	--certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234 \
	--ssl-policy ELBSecurityPolicy-TLS-1-2-2017-01 \
	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-production-target-group/1234abcd1234abcd

05 The command output should return the metadata available for the new HTTPS listener:

{
    "Listeners": [
        {
            "Protocol": "HTTPS",
            "DefaultActions": [
                {
                    "ForwardConfig": {
                        "TargetGroupStickinessConfig": {
                            "Enabled": false
                        },
                        "TargetGroups": [
                            {
                                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-production-target-group/1234abcd1234abcd",
                                "Weight": 1
                            }
                        ]
                    },
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-production-target-group/1234abcd1234abcd",
                    "Type": "forward"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-web-production-alb/abcdabcdabcdabcd/1234abcd1234abcd"
        }
    ]
}

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the Amazon Application Load Balancer that you want to examine as identifier parameter and custom query filters to describe the ID of the security group associated with the selected load balancer:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-production-alb/abcdabcdabcdabcd \
	--query 'LoadBalancers[*].SecurityGroups | []'

07 The command output should return the requested security group ID:

[
    "sg-01234abcd1234abcd"
]

08 To ensure that the security group associated with your Application Load Balancer (ALB) allows traffic on TCP port 443, run authorize-security-group-ingress command (OSX/Linux/UNIX) to add a new inbound rule that permits HTTPS access (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-01234abcd1234abcd \
	--protocol tcp \
	--port 443 \
	--cidr 0.0.0.0/0

09 Repeat steps no. 1 – 8 to configure HTTP to HTTPS redirection for other Application Load Balancers (ALBs) created in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the remediation process for other regions.

Publication date Dec 30, 2020
