Ensure that your Amazon Network Load Balancers (NLBs) are configured to terminate TLS traffic, so that the cost of TLS encryption and decryption is offloaded from the backend servers. Note that after termination the hop from the load balancer to its targets (i.e. servers) is only encrypted if the target group itself uses the TLS protocol; with a TCP target group that hop is cleartext, so choose the target group protocol deliberately.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
With Transport Layer Security (TLS) termination enabled, you can offload the encryption and decryption of TLS traffic from your backend application servers to your AWS Network Load Balancer, improving your backend servers' performance while keeping the workload secure. Also, by using the predefined security policies that restrict listeners to current TLS versions and ciphers, the application or service behind your Network Load Balancer can help meet PCI DSS and FedRAMP requirements.
Audit
To determine if your AWS Network Load Balancers (NLBs) are using TLS termination, perform the following actions:
Remediation / Resolution
To enable Transport Layer Security (TLS) termination for your AWS Network Load Balancers, update their listener configuration to use the TLS protocol (an X.509 certificate stored in AWS Certificate Manager or IAM is required). To add a TLS listener to your Amazon NLB, perform the following actions:
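The audit and the remediation above both operate on the output of the `elbv2` CLI commands listed in the references. The following Python script, added here as an illustration and not part of the Cloud Conformity rule or of the AWS CLI, applies the rule's logic to the JSON shape that `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups` return, and then builds the `aws elbv2 create-listener` command that remediates a non-compliant NLB. The sample responses and every ARN are constructed placeholders; the set of legacy security policies is an assumption drawn from the policies that still negotiate TLS 1.0/1.1 and should be extended to match your own baseline.

```python
"""Audit NLB listeners for TLS termination and build the remediating CLI call.

Works on the JSON returned by `aws elbv2 describe-listeners` (Listeners[]) and
`aws elbv2 describe-target-groups` (TargetGroups[]). All sample data below is
constructed for this example; the ARNs are placeholders.
"""
import shlex

# Predefined ELB security policies that still permit TLS 1.0 or 1.1.
# Assumption: compiled from AWS's published policy tables; extend as needed.
LEGACY_SSL_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}
RECOMMENDED_SSL_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"


def target_protocols(target_groups):
    """Map TargetGroupArn -> Protocol from a describe-target-groups response."""
    return {tg["TargetGroupArn"]: tg.get("Protocol") for tg in target_groups}


def audit_listeners(listeners, tg_protocols):
    """Return (level, message) findings for one NLB's listeners.

    FAIL: TLS is not terminated on the load balancer (rule violation).
    WARN: TLS is terminated, but with a policy that allows TLS 1.0/1.1.
    INFO: TLS is terminated, but the hop to the targets is cleartext (TCP).
    """
    findings = []
    if not any(l.get("Protocol") == "TLS" for l in listeners):
        findings.append(("FAIL", "no TLS listener: TLS is not terminated on this NLB"))
    for l in listeners:
        proto, port = l.get("Protocol"), l.get("Port")
        if proto == "TCP" and port == 443:
            findings.append(("FAIL", f"TCP listener on port {port} passes TLS through to the targets"))
        elif proto == "TLS":
            if l.get("SslPolicy") in LEGACY_SSL_POLICIES:
                findings.append(("WARN", f"TLS listener on port {port} uses legacy policy {l['SslPolicy']}"))
            for action in l.get("DefaultActions", []):
                tg = action.get("TargetGroupArn")
                if tg and tg_protocols.get(tg) == "TCP":
                    findings.append(("INFO", f"TLS listener on port {port} forwards in cleartext to {tg}"))
    return findings


def remediation_command(lb_arn, cert_arn, tg_arn, port=443, ssl_policy=RECOMMENDED_SSL_POLICY):
    """Build the argv for `aws elbv2 create-listener` that adds a TLS listener."""
    return [
        "aws", "elbv2", "create-listener",
        "--load-balancer-arn", lb_arn,
        "--protocol", "TLS",
        "--port", str(port),
        "--certificates", f"CertificateArn={cert_arn}",
        "--ssl-policy", ssl_policy,
        "--default-actions", f"Type=forward,TargetGroupArn={tg_arn}",
    ]


# --- constructed sample data (placeholder ARNs) -----------------------------
LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/example-nlb/0123456789abcdef"
TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example-tg/0123456789abcdef"
CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"

SAMPLE_TARGET_GROUPS = [{"TargetGroupArn": TG_ARN, "Protocol": "TCP", "Port": 8080}]

# Non-compliant NLB: a plain TCP listener on 443 (TLS pass-through).
SAMPLE_PASSTHROUGH = [
    {"Protocol": "TCP", "Port": 443, "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
]

# Compliant but weak NLB: TLS terminated with a legacy policy, cleartext to targets.
SAMPLE_TERMINATED = [
    {"Protocol": "TLS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08",
     "Certificates": [{"CertificateArn": CERT_ARN}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
]

if __name__ == "__main__":
    protos = target_protocols(SAMPLE_TARGET_GROUPS)
    for name, listeners in (("passthrough", SAMPLE_PASSTHROUGH), ("terminated", SAMPLE_TERMINATED)):
        print(f"== {name} ==")
        for level, msg in audit_listeners(listeners, protos):
            print(f"[{level}] {msg}")
    print(shlex.join(remediation_command(LB_ARN, CERT_ARN, TG_ARN)))
```

The INFO finding is the caveat that matters most after remediation: once the listener terminates TLS, traffic to a TCP target group leaves the load balancer in cleartext, so either keep the targets inside a network path you trust or switch the target group to the TLS protocol so the NLB re-encrypts.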
References
- AWS Documentation
  - Elastic Load Balancing FAQs
  - Listeners for Your Network Load Balancers
  - TLS Listeners for Your Network Load Balancer
  - Update a Listener for Your Network Load Balancer
  - Target Groups for Your Network Load Balancers
- AWS Command Line Interface (CLI) Documentation
  - elbv2
    - describe-load-balancers
    - describe-listeners
    - create-listener
  - acm
    - list-certificates
  - iam
    - list-server-certificates
Rule: ELBv2 NLB Listener Security
Risk level: High