Ensure that your app-tier Amazon Classic Load Balancer listeners use a secure protocol such as HTTPS or SSL to encrypt the communication between the clients and the load balancers. This Conformity rule assumes that all the AWS cloud resources created within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Before this rule is run by the Trend Micro Cloud One™ – Conformity engine, the app-tier tags must be configured in the rule settings, on your Conformity account console.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on the compliance standards supported by Conformity, refer to the Conformity compliance standards documentation.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an app-tier Classic Load Balancer has no listener configured to use a secure protocol such as HTTPS or SSL, the front-end connection between the application clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk is even higher when the application behind the load balancer handles sensitive data such as health and personal records, credentials, and credit card numbers.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the app tier.
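As an added example (not part of the Conformity rule content), the check this rule performs, run over constructed sample output of the `describe-load-balancers` and `describe-tags` CLI calls listed under References; the tag set `tier:app`, the load balancer names and the certificate ARN are placeholders.

```python
# Audit helper for the rule above: operates on the JSON shapes returned by
# `aws elb describe-load-balancers` and `aws elb describe-tags`. The data below
# is constructed sample output, so this runs offline with no AWS API calls.
SECURE_PROTOCOLS = {"HTTPS", "SSL"}

# Constructed `describe-load-balancers` output (only the fields the check reads).
DESCRIBE_LBS = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "app-tier-clb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 8080}}]},
    {"LoadBalancerName": "app-tier-clb-tls", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 8080,
                      "SSLCertificateId": "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER"}},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 8080}}]},
    {"LoadBalancerName": "web-tier-clb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80}}]},
]}

# Constructed `describe-tags` output for the same three load balancers.
DESCRIBE_TAGS = {"TagDescriptions": [
    {"LoadBalancerName": "app-tier-clb", "Tags": [{"Key": "tier", "Value": "app"}]},
    {"LoadBalancerName": "app-tier-clb-tls", "Tags": [{"Key": "tier", "Value": "app"}]},
    {"LoadBalancerName": "web-tier-clb", "Tags": [{"Key": "tier", "Value": "web"}]},
]}

def app_tier_names(describe_tags, tag_key, tag_value):
    """Names of load balancers tagged <app_tier_tag>:<app_tier_tag_value>."""
    return {td["LoadBalancerName"] for td in describe_tags["TagDescriptions"]
            if any(t["Key"] == tag_key and t["Value"] == tag_value for t in td["Tags"])}

def audit(describe_lbs, describe_tags, tag_key, tag_value):
    """For each app-tier load balancer: whether it is compliant (at least one
    HTTPS/SSL front-end listener) plus any plaintext (Protocol, LoadBalancerPort)
    listeners that still accept unencrypted client traffic."""
    in_scope = app_tier_names(describe_tags, tag_key, tag_value)
    findings = {}
    for lb in describe_lbs["LoadBalancerDescriptions"]:
        if lb["LoadBalancerName"] not in in_scope:
            continue  # other tiers are outside this rule's scope
        listeners = [(ld["Listener"]["Protocol"].upper(), ld["Listener"]["LoadBalancerPort"])
                     for ld in lb["ListenerDescriptions"]]
        findings[lb["LoadBalancerName"]] = {
            "compliant": any(proto in SECURE_PROTOCOLS for proto, _ in listeners),
            "plaintext_listeners": [l for l in listeners if l[0] not in SECURE_PROTOCOLS],
        }
    return findings

if __name__ == "__main__":
    for name, result in audit(DESCRIBE_LBS, DESCRIBE_TAGS, "tier", "app").items():
        status = "COMPLIANT" if result["compliant"] else "NON-COMPLIANT"
        print(f"{name}: {status}; plaintext listeners: {result['plaintext_listeners']}")
```

The `plaintext_listeners` list is reported alongside the verdict because a load balancer that passes this rule by having one HTTPS listener may still expose a port 80 listener that the remediation step should also address.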
Audit
To check your app-tier Classic Load Balancer listeners for secure (HTTPS/SSL) configurations, perform the following operations:
Remediation / Resolution
To secure the connection between the clients and the app-tier load balancer by using SSL encryption, update your Classic Load Balancer configuration to use listeners with the HTTPS or SSL protocol. To implement the HTTPS/SSL protocol for your app-tier load balancer listeners, perform the following operations:
References
- AWS Documentation
  - What Is Elastic Load Balancing?
  - Listeners for your Classic Load Balancer
  - Configure an HTTPS listener for your Classic Load Balancer
  - Update the SSL negotiation configuration of your Classic Load Balancer
- AWS Command Line Interface (CLI) Documentation
  - elb
  - describe-load-balancers
  - describe-tags
  - create-load-balancer-listeners
  - list-certificates
  - list-server-certificates
- CloudFormation Documentation
  - AWS::ElasticLoadBalancing::LoadBalancer
- Terraform Documentation
  - AWS Provider
App-Tier ELB Listener Security
Risk Level: High