Open menu

AWS NLB (ELBv2) Listener Security

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial
Knowledge Base Best practice rules for Amazon Web Services AWS ELBv2 Best Practices AWS NLB (ELBv2) Listener Security
Security
Risk level: High (not acceptable risk)

Ensure that your Amazon Network Load Balancers (NLBs) are configured to terminate TLS traffic in order to optimize the performance of the backend servers while encrypting the communication between the load balancer and the associated targets (i.e. servers).

With Transport Layer Security (TLS) termination enabled, you can offload the encryption and decryption of TLS traffic from your backend application servers to your AWS Network Load Balancer, enhancing your backend servers performance while keeping the workload secure. Also, by using built-in security policies with optimal TLS versions and ciphers, the application or service behind your Network Load Balancer can achieve PCI and FedRAMP compliance.

Audit

To determine if your AWS Network Load Balancers (NLBs) are using TLS termination, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Set the Type attribute to network within the filter box to list the Network Load Balancers only.

05 Select the Network Load Balancer that you want to examine.

06 Select the Listeners tab from the bottom panel to access the load balancer listeners, then check the protocol used by each listener available in the NLB listeners list. If there is no listener configured with the TLS protocol, the selected Amazon Network Load Balancer is not using TLS termination, therefore the listeners configuration is not secure.

07 Repeat step no. 5 and 6 for each Network Load Balancer (NLB) provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Network Load Balancers available in the selected AWS region: 

aws elbv2 describe-load-balancers
	--region us-east-1
	--query 'LoadBalancers[?(Type == `network`)].LoadBalancerArn | []'

02 The command output should return an array with the requested ARN(s): 

[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/abcdabcdabcdabcd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/aabbccddaabbccdd"
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the AWS NLB that you want to examine as identifier and custom query filters to describe the protocol of each listener used by the selected load balancer: 

aws elbv2 describe-listeners
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/abcdabcdabcdabcd
	--query 'Listeners[*].Protocol'

04 The command output should return an array that contains the connection protocols used by the load balancer listeners: 

[
    "TCP"
]

If the array returned by the describe-listeners command output does not contain "TLS", there are no secure (TLS) listeners configured for the resource, therefore the selected Amazon Network Load Balancer is not using TLS termination.

05 Repeat step no. 3 and 4 for each AWS Network Load Balancer (NLB) available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

To enable Transport Layer Security (TLS) termination for your AWS Network Load Balancers, update their listeners configuration to support the TLS protocol (an X.509 SSL certificate is required). To add a TLS listener to your Amazon NLB, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Set the Type attribute to network inside the filter box to return the Network Load Balancers only.

05 Select the Network Load Balancer that you want to reconfigure (see Audit section part I to identify the right resource).

06 Choose the Listeners tab from the bottom panel and click Add listener to add a new entry.

07 On the Add Listener panel, perform the following:

  1. From the Protocol dropdown list, select TLS. You can use the default port (i.e. 443) or you can enter a custom port number from which to listen to for traffic.
  2. For Default action(s), click + Add action, choose Forward to option and select the target group associated with the selected load balancer.
  3. From Security policy dropdown list, select one of the following policies, depending on your application/service requirements or the required compliance and security standards: ELBSecurityPolicy-TLS-1-2-2017-01, ELBSecurityPolicy-TLS-1-1-2017-01, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-2-Ext-2018-06.
  4. From Default SSL certificate dropdown list, choose one of the following options:
    • From ACM (recommended) - to use an existing SSL certificate purchased via AWS Certificate Manager (ACM). If you haven’t purchased yet any SSL certificates you can click Request new ACM certificate link and AWS will redirect your request to the ACM service dashboard where you can buy the required certificate.
    • From IAM - to use an existing SSL certificate uploaded previously to AWS Identity and Access Management (IAM) using the ELBv2 dashboard. Select the existing certificate name from the Select one dropdown list.
    • Import - deploy an existing SSL certificate by providing the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain boxes, information granted by the SSL provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box if you select IAM to manage your newly imported SSL certificate.
  5. Click Save to apply the changes and add the secure listener to the selected load balancer.
  6. Click < (back button) to return to the Load Balancers dashboard.

08 Repeat steps no. 5 – 7 to update the listeners configuration for other AWS Network Load Balancers available in the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Get the necessary ARN for your SSL certificate purchased via AWS Certificate Manager (ACM) or uploaded to AWS Identity and Access Management (IAM):

  1. Run list-certificates command (OSX/Linux/UNIX) to list the ARN(s) of the SSL certificate(s) purchased from Amazon ACM: 
    aws acm list-certificates
	--region us-east-1
	--query 'CertificateSummaryList[*].CertificateArn'
  2. The command output should return the requested ARN(s): 
    [
"arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-cccc-dddd-eeee-123412341234"
]
  3. Run list-server-certificates command (OSX/Linux/UNIX) to list the ARN(s) of the SSL certificate(s) managed by AWS IAM: 
    aws iam list-server-certificates
	--region us-east-1
	--query 'ServerCertificateMetadataList[*].Arn'
  4. The command output should return the requested SSL certificate ARN(s): 
    [
"arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
]

02 Run create-listener command (OSX/Linux/UNIX) using the ARN of the SSL certificate returned at the previous step as parameter to create a TLS secure listener for the selected Amazon Network Load Balancer (NLB): 

aws elbv2 create-listener
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/abcdabcdabcdabcd
	--protocol TLS
	--port 443
	--ssl-policy ELBSecurityPolicy-TLS-1-2-2017-01
	--certificates CertificateArn="arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1111222233334444

03 The command output should return the new TLS listener metadata: 

{
    "Listeners": [
        {
            "Protocol": "TLS",
            "DefaultActions": [
                {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1111222233334444",
                    "Type": "forward"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/abcdabcdabcdabcd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-project5-load-balancer/abcdabcdabcdabcd/1122334411223344"
        }
    ]
}

04 Repeat steps no. 1 – 3 to update the listeners configuration for other Amazon Network Load Balancers available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire process for other regions.

References

Publication date Feb 10, 2019

Related ELBv2 rules

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to