ELBv2 ALB Listener Security

Risk level: High (not acceptable risk)

Rule ID: ELBv2-005

Check your Amazon Application Load Balancer listeners for secure configurations. Cloud Conformity strongly recommends using the HTTPS (Secure HTTP) protocol to encrypt the communication between the application clients and the ELBv2 load balancer.

This rule can help you with the following compliance standards:

Payment Card Industry Data Security Standard (PCI DSS)
APRA
MAS

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When an AWS ALB has no HTTPS listeners, the front-end connection between the clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when working with sensitive data such as health and personal records, credentials and credit card numbers.

Audit

To determine if your ELBv2 load balancers are using secure listeners, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the Application Load Balancer that you want to examine.

05 Select the Listeners tab from the bottom panel to access the load balancer listeners. Now check the protocol for each listener available within the ELBv2 listeners list. If there is no listener using the HTTPS protocol, the listeners configuration for the selected AWS Application Load Balancer is not secure, therefore the front-end connection between the clients and the load balancer is not encrypted.

06 Repeat step no. 4 and 5 for each AWS ALBs provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all your Application Load Balancers available within the selected region:

aws elbv2 describe-load-balancers
	--region us-east-1
	--query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'

02 The command output should return an array with the requested ARN(s):

[
 
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-prod-alb/aaaabbbbccccdddd"
 
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the ALB that you want to examine as identifier and custom query filters to describe the protocol of each listener used by the selected load balancer:

aws elbv2 describe-listeners
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd
	--query 'Listeners[*].Protocol'

04 The command output should return an array that contains the connection protocols used by the load balancer listeners:

[
    "HTTP"
]

If the array returned by the describe-listeners command output does not contain "HTTPS", there is no listener using the HTTPS protocol, therefore the listeners configuration used by the selected AWS Application Load Balancer is not secure.

05 Repeat step no. 3 and 4 for each AWS Application Load Balancers provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.

Remediation / Resolution

To secure (encrypt) the connection between your application clients and your load balancers, update AWS ALBs listeners configuration to support the HTTPS protocol (an X.509 SSL certificate is required). To add an HTTPS listener to your Application Load Balancers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the AWS ALB that you want to reconfigure (see Audit section part I to identify the right resource).

05 Choose the Listeners tab from the bottom panel and click Add listener to add a new entry.

06 Within Create Listener dialog box, perform the following actions:

From the Protocol dropdown list, select HTTPS (Secure HTTP).
From the Default target group dropdown list, select the target group associated with the specified ELBv2 load balancer.
For the Certificate type, within Select default certificate section, choose one of the following options:
- Choose a certificate from ACM (recommended) - to use an existing SSL certificate purchased via AWS Certificate Manager (ACM). If you haven’t purchased yet any SSL certificates you can click Request a new certificate from ACM link and AWS will redirect your request to the ACM service dashboard where you can buy the required certificate.
- Upload a certificate to ACM (recommended) - deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Private Key, Certificate Body and Certificate chain boxes, information granted by the SSL provider from which you bought the certificate.
- Choose a certificate from IAM - to use an existing SSL certificate uploaded previously to AWS IAM using the ELBv2 dashboard. Select the existing certificate name from the Certificate name dropdown list.
- Upload a certificate to IAM - deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Private Key, Certificate Body and Certificate chain boxes, information granted by the SSL provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box.
In the Select Security Policy section, select one of the following policies from the Security policy dropdown list: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01. Cloud Conformity recommends ELBSecurityPolicy-2016-08 policy for general use and ELBSecurityPolicy-TLS-1-2-2017-01, ELBSecurityPolicy-TLS-1-1-2017-01 policies to meet certain compliance and security standards.
Click Create to install the secure listener and return to the ELBv2 dashboard.

07 Repeat steps no. 4 – 6 to update the listeners configuration for other AWS Application Load Balancers available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Get the necessary ARN for your SSL certificate purchased via AWS Certificate Manager (ACM) or uploaded to AWS Identity and Access Management (IAM):

Run list-certificates command (OSX/Linux/UNIX) to list the ARN(s) of the SSL certificate(s) purchased from AWS ACM:
```
aws acm list-certificates
	--region us-east-1
	--query 'CertificateSummaryList[*].CertificateArn'
```

The command output should return the requested ARN(s):

[
   "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-cccc-dddd-eeee-123456789012"
 
]

Run list-server-certificates command (OSX/Linux/UNIX) to list the ARN(s) of the SSL certificate(s) available within AWS IAM:
```
aws iam list-server-certificates
	--region us-east-1
	--query 'ServerCertificateMetadataList[*].Arn'
```

The command output should return the requested SSL certificate ARN(s):

[
   "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
 
]

02 Run create-listener command (OSX/Linux/UNIX) using the ARN of the SSL certificate returned at the previous step as parameter to create a HTTPS (secure) listener for the selected AWS Application Load Balancer:

aws elbv2 create-listener
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd
	--protocol HTTPS
	--port 443
	--ssl-policy ELBSecurityPolicy-2016-08
	--certificates CertificateArn="arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate",IsDefault=true
	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-alb-tg/aaaabbbbccccdddd

03 The command output should return the new HTTPS listener metadata:

{
    "Listeners": [
        {
            "Protocol": "HTTPS",
            "DefaultActions": [
                {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-alb-tg/aaaabbbbccccdddd",
                    "Type": "forward"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-2016-08",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-web-prod-alb/aaaabbbbccccdddd/1234aaaa1234bbbb"
        }
    ]
}

04 Repeat steps no. 1 – 3 to add the necessary HTTPS listener to other AWS Application Load Balancers available in the current region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the entire process for other regions.

References

AWS Command Line Interface (CLI) Documentation
elbv2
describe-load-balancers
describe-listeners
create-listener
list-certificates
list-server-certificates

Publication date Feb 5, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

ELBv2 ALB Listener Security

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ELBv2 rules