
ELBv2 ALB Listener Security

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ELBv2-005

Check your Application Load Balancer listeners for secure configurations. Trend Micro Cloud One™ – Conformity strongly recommends using the HTTPS (Secure HTTP) protocol to encrypt the communication between your application clients and your Amazon Application Load Balancer (ALB).

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When an Application Load Balancer (ALB) has no HTTPS listeners, the front-end connection between the clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when your application is working with sensitive data such as health and personal records, user credentials and credit card information.


Audit

To determine if your Application Load Balancers (ALBs) are using secure listeners, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to examine.

06 Choose the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Select the load balancer listener that you want to examine and choose Edit.

08 On the Edit listener page, in the Listener details section, check the protocol selected from the Protocol dropdown list to determine the listener protocol. If the selected protocol is not HTTPS, the verified listener is not secure.

09 Repeat steps no. 7 and 8 for each listener configured for the load balancer. If there are no listeners configured with the HTTPS protocol, the network connection between the application clients and the selected Application Load Balancer (ALB) is not encrypted.

10 Repeat steps no. 5 – 9 for each Application Load Balancer provisioned within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Application Load Balancer available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-load-balancer/aaaabbbbccccdddd"
]

03 Run the describe-listeners command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the connection protocol of each listener configured for the selected load balancer:

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd \
  --query 'Listeners[*].Protocol'

04 The command output should return an array with the communication protocol(s) used by the load balancer listener(s):

[
    "HTTP"
]

If the array returned by the describe-listeners command output does not contain "HTTPS", there are no listeners configured with the HTTPS protocol, therefore the network connection between the application clients and the selected Application Load Balancer (ALB) is not encrypted.

05 Repeat steps no. 3 and 4 for each Application Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
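To apply the check above across many load balancers without reading each protocol array by eye, the following Python, added here as an example and not part of the Conformity tooling, evaluates the output of the describe-listeners command for each load balancer ARN returned in step 1. It goes one step beyond the rule itself by also flagging HTTPS listeners whose security policy is not one of the three policies named in the Remediation section; the ARNs and listener JSON are constructed samples.

```python
import json

# Security policies that the Remediation steps on this page name as acceptable.
RECOMMENDED_SSL_POLICIES = {
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
    "ELBSecurityPolicy-FS-1-2-2019-08",
}

def evaluate_listeners(listeners):
    """Apply ELBv2-005 to one load balancer's listener list.

    Returns (status, weak_https_ports): status is "NON_COMPLIANT" when no
    listener uses HTTPS, otherwise "COMPLIANT"; weak_https_ports lists the
    ports of HTTPS listeners whose SslPolicy is not a recommended policy.
    """
    https = [ln for ln in listeners if ln.get("Protocol") == "HTTPS"]
    status = "COMPLIANT" if https else "NON_COMPLIANT"
    weak = sorted(ln["Port"] for ln in https
                  if ln.get("SslPolicy") not in RECOMMENDED_SSL_POLICIES)
    return status, weak

def audit(describe_outputs):
    """Map each ALB ARN to its verdict, given raw describe-listeners JSON text."""
    return {arn: evaluate_listeners(json.loads(text).get("Listeners", []))
            for arn, text in describe_outputs.items()}

# Constructed sample outputs (fictitious account and ARNs) standing in for
# `aws elbv2 describe-listeners` run against three different load balancers.
ARN_BASE = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/"
SAMPLE = {
    ARN_BASE + "http-only/aaaabbbbccccdddd":
        '{"Listeners": [{"Port": 80, "Protocol": "HTTP"}]}',
    ARN_BASE + "https-modern/aaaabbbbccccdddd":
        '{"Listeners": [{"Port": 80, "Protocol": "HTTP"}, {"Port": 443, '
        '"Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10"}]}',
    ARN_BASE + "https-legacy/aaaabbbbccccdddd":
        '{"Listeners": [{"Port": 443, "Protocol": "HTTPS", '
        '"SslPolicy": "ELBSecurityPolicy-2016-08"}]}',
}

if __name__ == "__main__":
    for arn, (status, weak) in audit(SAMPLE).items():
        print(f"{status:14} {arn.split('/')[-2]:13} weak_https_ports={weak}")
```

Replace SAMPLE with the JSON text returned by the describe-listeners command for each ARN from step 1 (drop the --query filter so the full listener objects are returned), and run it once per region.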

Remediation / Resolution

To secure (encrypt) the connection between your application clients and your Application Load Balancers, update the listener configuration to support the HTTPS protocol (an X.509 SSL/TLS certificate is required). To add an HTTPS listener to your Application Load Balancer, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Add HTTPS Listener to Application Load Balancer",
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "cc-internet-facing-load-balancer",
        "Type": "application",
        "Scheme": "internet-facing",
        "IpAddressType": "ipv4",
        "SecurityGroups": ["sg-0abcdabcdabcdabcd"],
        "Subnets": ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
      }
    },
    "HTTPSListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "Protocol": "HTTPS",
        "Port": 443,
        "LoadBalancerArn": { "Ref": "ApplicationLoadBalancer" },
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd"
          }
        ],
        "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
        "Certificates": [
          { "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" }
        ]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Add HTTPS Listener to Application Load Balancer
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
  HTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTPS
      Port: 443
      LoadBalancerArn: !Ref 'ApplicationLoadBalancer'
      DefaultActions:
        - Type: forward
          TargetGroupArn: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd
      SslPolicy: ELBSecurityPolicy-FS-1-2-Res-2020-10
      Certificates:
        - CertificateArn: arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-internet-facing-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
}

# Add HTTPS Listener to Application Load Balancer
resource "aws_lb_listener" "https-listener" {
  load_balancer_arn = aws_lb.application-load-balancer.arn
  protocol          = "HTTPS"
  port              = 443
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
  certificate_arn   = "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"

  default_action {
    type             = "forward"
    target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd"
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list all the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to reconfigure.

06 Select the Listeners tab from the console bottom panel and choose Add listener.

07 On the Add listener setup page, perform the following actions:

  1. From the Protocol dropdown list, select HTTPS.
  2. (Optional) You can provide a custom port in the Port box.
  3. For Default actions, select and configure the default action(s) for the traffic managed by the listener.
  4. Choose one of the following policies from the Security policy dropdown list: ELBSecurityPolicy-FS-1-2-Res-2020-10, ELBSecurityPolicy-FS-1-2-Res-2019-08 or ELBSecurityPolicy-FS-1-2-2019-08 in order to meet security, compliance, and regulatory requirements.
  5. For Default SSL/TLS certificate, choose one of the following options:
    • Choose From ACM and select an existing SSL certificate purchased via AWS Certificate Manager (ACM). If you haven't purchased one yet, choose Request new ACM certificate and the AWS Management Console will redirect your request to the ACM service console where you can buy the required SSL/TLS certificate.
    • Choose From IAM and select an existing SSL/TLS certificate uploaded previously to Amazon IAM.
    • Choose Import and select To ACM to deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain – optional boxes, information granted by the SSL provider from which you bought the certificate.
    • Choose Import and select To IAM to deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Certificate private key, Certificate body and Certificate chain – optional boxes, information granted by the SSL provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box.
  6. Choose Add to create the secure listener, then select View listeners to return to the Amazon EC2 console.

08 Repeat steps no. 5 – 7 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Get the Amazon Resource Name (ARN) available for your SSL certificate purchased via Amazon ACM or uploaded to Amazon IAM:

  1. Run the list-certificates command (OSX/Linux/UNIX) to list the ARNs of the SSL certificates purchased using the Amazon ACM service:
    aws acm list-certificates \
      --region us-east-1 \
      --query 'CertificateSummaryList[*].CertificateArn'
    
  2. The command output should return the requested Amazon Resource Names (ARNs):
    [
       "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-cccc-dddd-eeee-123456789012"
    ]
    
  3. Run the list-server-certificates command (OSX/Linux/UNIX) to list the ARNs of the SSL certificates managed by the Amazon IAM service:
    aws iam list-server-certificates \
      --region us-east-1 \
      --query 'ServerCertificateMetadataList[*].Arn'
    
  4. The command output should return the requested SSL certificate ARN(s):
    [
       "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
    ]
    

02 Run the create-listener command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the SSL certificate that you want to use as the identifier parameter to create an HTTPS (secure) listener for the selected Application Load Balancer (ALB):

aws elbv2 create-listener \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd \
  --protocol HTTPS \
  --port 443 \
  --ssl-policy ELBSecurityPolicy-FS-1-2-Res-2020-10 \
  --certificates CertificateArn="arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd

03 The command output should return the configuration information available for the new HTTPS listener:

{
    "Listeners": [
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd/0abcd1234abcd1234",
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
            "Port": 443,
            "Protocol": "HTTPS",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
            "DefaultActions": [
                {
                    "Type": "forward",
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234",
                    "ForwardConfig": {
                        "TargetGroups": [
                            {
                                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234",
                                "Weight": 1
                            }
                        ],
                        "TargetGroupStickinessConfig": {
                            "Enabled": false
                        }
                    }
                }
            ]
        }
    ]
}

04 Repeat steps no. 1 – 3 for each Application Load Balancer that you want to reconfigure, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Feb 5, 2018
