Ensure that your Amazon Network Load Balancers (NLBs) are configured to terminate TLS traffic in order to optimize the performance of the backend servers while encrypting the communication between the load balancer and the associated targets (i.e. servers).
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
With Transport Layer Security (TLS) termination enabled, you can offload the encryption and decryption of TLS traffic from your backend application servers to your AWS Network Load Balancer, improving your backend servers' performance while keeping the workload secure. Also, by using the built-in security policies with optimal TLS versions and ciphers, the application or service behind your Network Load Balancer can achieve PCI and FedRAMP compliance.
To determine if your AWS Network Load Balancers (NLBs) are using TLS termination, perform the following actions:
Remediation / Resolution
To enable Transport Layer Security (TLS) termination for your AWS Network Load Balancers, update their listener configuration to support the TLS protocol (an X.509 SSL/TLS certificate is required). To add a TLS listener to your Amazon NLB, perform the following actions:
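As an added example that is not part of the Cloud Conformity page, the audit and remediation steps above can be scripted: the function below classifies one NLB's listeners from the JSON that `aws elbv2 describe-listeners` returns (sample input is constructed, with placeholder ARNs), and a second function assembles the `aws elbv2 create-listener` call that adds the TLS listener; the certificate, target group and load balancer ARNs it takes are assumed inputs.

```python
"""Audit Amazon NLB listeners for TLS termination and build the remediation call.

An NLB satisfies the rule only when at least one listener uses the TLS protocol.
The samples below are constructed for this example; every ARN is a placeholder.
"""
import json

# Constructed describe-listeners output: a plaintext-only NLB and a compliant one.
PLAINTEXT_NLB = json.dumps({"Listeners": [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/example-plain/PLACEHOLDER/0001",
     "Protocol": "TCP", "Port": 443},
]})
TLS_NLB = json.dumps({"Listeners": [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/example-tls/PLACEHOLDER/0002",
     "Protocol": "TLS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/example-tls/PLACEHOLDER/0003",
     "Protocol": "TCP", "Port": 8080},
]})


def audit_nlb_listeners(describe_listeners_json: str) -> dict:
    """Classify one NLB's listeners; the rule passes when a TLS listener exists.

    Plaintext listeners are reported too: a TLS listener on one port does not
    protect traffic that still enters through a TCP/UDP listener on another.
    """
    listeners = json.loads(describe_listeners_json).get("Listeners", [])
    tls = [l for l in listeners if l.get("Protocol") == "TLS"]
    plain = [l for l in listeners if l.get("Protocol") in ("TCP", "UDP", "TCP_UDP")]
    return {
        "tls_termination": bool(tls),
        "tls_ports": sorted(l["Port"] for l in tls),
        "plaintext_ports": sorted(l["Port"] for l in plain),
        "ssl_policies": sorted({l.get("SslPolicy", "") for l in tls}),
    }


def remediation_command(lb_arn: str, certificate_arn: str, target_group_arn: str,
                        port: int = 443,
                        ssl_policy: str = "ELBSecurityPolicy-TLS13-1-2-2021-06") -> list:
    """Build the `aws elbv2 create-listener` argv that adds a TLS listener.

    The certificate must already exist in ACM or IAM; the AWS-managed policy
    name above is a default and can be swapped for the one your standard requires.
    """
    return [
        "aws", "elbv2", "create-listener",
        "--load-balancer-arn", lb_arn,
        "--protocol", "TLS", "--port", str(port),
        "--certificates", f"CertificateArn={certificate_arn}",
        "--ssl-policy", ssl_policy,
        "--default-actions", f"Type=forward,TargetGroupArn={target_group_arn}",
    ]
```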
- AWS Documentation
- Elastic Load Balancing FAQs
- Listeners for Your Network Load Balancers
- TLS Listeners for Your Network Load Balancer
- Update a Listener for Your Network Load Balancer
- Target Groups for Your Network Load Balancers
- AWS Command Line Interface (CLI) Documentation
ELBv2 NLB Listener Security
Risk level: High