
Enforce HTTPS

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that HTTPS is enabled for the load balancer associated with your Amazon Elastic Beanstalk application environment in order to handle encrypted web traffic. By default, the load balancer handles unencrypted traffic requests (HTTP) through port 80. To enable HTTPS traffic over port 443, you must create and configure an HTTPS listener for the associated load balancer.

Security

When the load balancer associated with your Amazon Elastic Beanstalk application environment is not configured to receive HTTPS requests, the connection between the clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when the web application running behind the load balancer is working with sensitive data such as health and personal records, credentials and credit card numbers. Enabling HTTPS for your application environment load balancer will ensure that the web traffic between the client and the load balancer is encrypted over SSL/TLS, and the transmitted data is secured.


Audit

To determine if your Amazon Elastic Beanstalk environment load balancers are using HTTPS, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

03 In the navigation panel, under Elastic Beanstalk, choose Environments.

04 Click on the name of the Elastic Beanstalk environment that you want to examine, available in the Environment name column.

05 In the left navigation panel, under the name of the environment, choose Configuration.

06 In the Load balancer section, choose Edit to access the listener(s) created for the associated load balancer. Each listener routes incoming client traffic on a specified port using a specified protocol to your environment processes.

07 On the load balancer configuration page, check the Listeners section for any enabled listeners with the Protocol set to HTTPS. If there are no active (enabled) HTTPS listeners available in the Listeners section, the load balancer associated with the selected Amazon Elastic Beanstalk application environment is not configured to encrypt inbound web traffic using HTTPS.

08 Repeat steps no. 4 – 7 to verify the load balancer listeners for other Amazon Elastic Beanstalk environments available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-applications command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon Elastic Beanstalk applications deployed in the selected AWS cloud region:

aws elasticbeanstalk describe-applications \
  --region us-east-1 \
  --query 'Applications[*].ApplicationName'

02 The command output should return an array with the requested application name(s):

[
  "cc-wordpress-main-website",
  "cc-django-prod-application",
  "cc-project5-web-application"
]

03 Run describe-environments command (OSX/Linux/UNIX) using the identifier (name) of the Elastic Beanstalk application that you want to examine as the identifier parameter and custom query filters to describe the name of the Amazon Elastic Beanstalk environment created for the selected application:

aws elasticbeanstalk describe-environments \
  --region us-east-1 \
  --application-name cc-wordpress-main-website \
  --no-include-deleted \
  --query 'Environments[*].EnvironmentName'

04 The command output should return the name of the requested environment:

[
  "cc-wordpress-environment"
]

05 Run describe-configuration-settings command (OSX/Linux/UNIX) to describe the protocol used by the listener(s) configured for the load balancer associated with the selected Amazon Elastic Beanstalk environment:

aws elasticbeanstalk describe-configuration-settings \
  --region us-east-1 \
  --environment-name cc-wordpress-environment \
  --application-name cc-wordpress-main-website \
  --query 'ConfigurationSettings[*].OptionSettings[?(ResourceName==`AWSEBV2LoadBalancerListener`) && (OptionName==`Protocol`)].Value | []'

06 The command output should return the requested listener protocol (HTTP or HTTPS):

[
  "HTTP"
]

If the name of the protocol returned by the describe-configuration-settings command is "HTTP", as shown in the example above, the load balancer associated with the selected Amazon Elastic Beanstalk application environment is not configured to encrypt inbound web traffic using HTTPS.

07 Repeat steps no. 5 and 6 to check the load balancer listeners for other Amazon Elastic Beanstalk environments created for the selected application.

08 Repeat steps no. 3 – 7 for each Amazon Elastic Beanstalk application deployed in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.
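The same verdict can be computed programmatically from the OptionSettings returned by describe-configuration-settings. The following is an added example (not Conformity's own check logic): it groups the settings by listener namespace (aws:elbv2:listener:default for the port 80 listener, aws:elbv2:listener:<port> for additional ones, as in the remediation document) and reports an environment as compliant only when at least one listener is both enabled and set to HTTPS, so a 443 listener that exists but has ListenerEnabled set to false is not counted. The sample settings are constructed, not captured from a real account.

```python
"""Audit Elastic Beanstalk (ALB) listener settings for HTTPS. Added example,
not Conformity's checker; namespaces and option names follow the page."""
from collections import defaultdict

# Elastic Beanstalk keeps ALB listener options under "aws:elbv2:listener:default"
# (the port-80 listener) and "aws:elbv2:listener:<port>" (e.g. ...:443).
LISTENER_NS_PREFIX = "aws:elbv2:listener:"

def listeners_from_option_settings(option_settings):
    """Group OptionSettings entries into {namespace: {OptionName: Value}}."""
    listeners = defaultdict(dict)
    for setting in option_settings:
        ns = setting.get("Namespace", "")
        if ns.startswith(LISTENER_NS_PREFIX):
            listeners[ns][setting["OptionName"]] = setting.get("Value")
    return dict(listeners)

def enabled_https_listeners(option_settings):
    """Namespaces of listeners that are enabled AND use HTTPS; a listener with
    Protocol HTTPS but ListenerEnabled false does not count."""
    found = []
    for ns, opts in listeners_from_option_settings(option_settings).items():
        # ListenerEnabled defaults to true when the option is absent (assumption)
        enabled = (opts.get("ListenerEnabled") or "true").lower() == "true"
        if enabled and (opts.get("Protocol") or "").upper() == "HTTPS":
            found.append(ns)
    return sorted(found)

def environment_enforces_https(option_settings):
    """Verdict in the sense of this check: at least one enabled HTTPS listener."""
    return bool(enabled_https_listeners(option_settings))

def apply_option_settings(current, updates):
    """Merge update-environment style option settings over the current ones,
    keyed on (Namespace, OptionName), as the remediation step does."""
    merged = {(s["Namespace"], s["OptionName"]): dict(s) for s in current}
    for s in updates:
        merged[(s["Namespace"], s["OptionName"])] = dict(s)
    return list(merged.values())

# Constructed sample in the shape of describe-configuration-settings output:
# a default HTTP listener plus a 443 HTTPS listener that exists but is disabled.
SAMPLE_SETTINGS = [
    {"Namespace": "aws:elbv2:listener:default", "OptionName": "Protocol",
     "ResourceName": "AWSEBV2LoadBalancerListener", "Value": "HTTP"},
    {"Namespace": "aws:elbv2:listener:443", "OptionName": "Protocol",
     "ResourceName": "AWSEBV2LoadBalancerListener443", "Value": "HTTPS"},
    {"Namespace": "aws:elbv2:listener:443", "OptionName": "ListenerEnabled",
     "ResourceName": "AWSEBV2LoadBalancerListener443", "Value": "false"},
]
```

Feeding apply_option_settings the ListenerEnabled entry from the remediation JSON (Value "true") flips the verdict to compliant, which is a quick way to confirm a planned option-settings file before running update-environment.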

Remediation / Resolution

To enforce HTTPS for the load balancers associated with your Amazon Elastic Beanstalk application environments, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Elastic Beanstalk console at https://console.aws.amazon.com/elasticbeanstalk/.

03 In the navigation panel, under Elastic Beanstalk, choose Environments.

04 Click on the name of the Elastic Beanstalk environment that you want to reconfigure, available in the Environment name column.

05 In the left navigation panel, under the name of the environment, choose Configuration.

06 In the Load balancer section, choose Edit to modify the configuration of the load balancer associated with the selected environment.

07 On the Modify Application Load Balancer configuration page, perform the following actions:

  1. In the Listeners section, choose Add listener to create a new listener for the load balancer.
  2. Inside the Application Load Balancer listener configuration window, perform the following actions:
    • For Port, type 443 to set the incoming traffic port.
    • Choose HTTPS from the Protocol dropdown list.
    • Choose the required SSL certificate from the SSL certificate dropdown list. If you don't have one yet, request a new ACM certificate.
    • Select the latest security policy from the SSL policy dropdown list. This predefined security policy is an SSL negotiation configuration that the associated load balancer uses to negotiate SSL connections with clients.
    • For Default process, choose the name of the process to which the listener routes traffic by default, when the message path doesn't match any custom listener rule.
    • Choose Add to create and attach the HTTPS listener.
  3. Choose Apply to save the configuration changes. Once the changes are successfully implemented, the Amazon Elastic Beanstalk environment status should change to "Environment update completed successfully." If you configure your load balancer to forward traffic to an instance port other than port 80, you must add a rule to the environment security group that allows inbound traffic over the instance port from your load balancer. If you create your Elastic Beanstalk environment in a custom VPC, Amazon Elastic Beanstalk adds this rule for you.

08 Repeat steps no. 4 – 7 to enforce HTTPS for other Elastic Beanstalk environments available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Define the HTTPS listener configuration for your Amazon Elastic Beanstalk environment load balancer. Paste the following configuration document to a JSON file named https-listener-config.json (replace the highlighted placeholders with the corresponding information):

[
  {
    "OptionName": "DefaultProcess",
    "ResourceName": "AWSEBV2LoadBalancerListener443",
    "Namespace": "aws:elbv2:listener:443",
    "Value": "default"
  },
  {
    "OptionName": "ListenerEnabled",
    "ResourceName": "AWSEBV2LoadBalancerListener443",
    "Namespace": "aws:elbv2:listener:443",
    "Value": "true"
  },
  {
    "OptionName": "Protocol",
    "ResourceName": "AWSEBV2LoadBalancerListener443",
    "Namespace": "aws:elbv2:listener:443",
    "Value": "HTTPS"
  },
  {
    "OptionName": "Rules",
    "ResourceName": "AWSEBV2LoadBalancerListener443",
    "Namespace": "aws:elbv2:listener:443"
  },
  {
    "OptionName": "SSLCertificateArns",
    "ResourceName": "AWSEBV2LoadBalancerListener443",
    "Namespace": "aws:elbv2:listener:443",
    "Value": "<ssl-certificate-arn>"
  },
  {
    "OptionName": "SSLPolicy",
    "ResourceName": "AWSEBV2LoadBalancerListener443",
    "Namespace": "aws:elbv2:listener:443",
    "Value": "<security-policy-name>"
  }
]

02 Run update-environment command (OSX/Linux/UNIX) using the name of the Amazon Elastic Beanstalk environment that you want to reconfigure as the identifier parameter, to create an HTTPS listener for the load balancer associated with the selected application environment, using the configuration file defined at the previous step (i.e. https-listener-config.json):

aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --environment-name cc-wordpress-environment \
  --application-name cc-wordpress-main-website \
  --option-settings file://https-listener-config.json

03 The command output should return the metadata available for the reconfigured application environment. If you configure your load balancer to forward traffic to an instance port other than port 80, you must add a rule to the environment security group that allows inbound traffic over the instance port from your load balancer. If you create your Elastic Beanstalk environment in a custom VPC, Amazon Elastic Beanstalk adds this rule for you:

{
  "ApplicationName": "cc-wordpress-main-website",
  "EnvironmentName": "cc-wordpress-environment",
  "VersionLabel": "Wordpress Website",
  "Status": "Updating",
  "EnvironmentArn": "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/cc-wordpress-main-website/cc-wordpress-environment",
  "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/PHP 7.4 running on 64bit Amazon Linux 2/3.1.4",
  "EndpointURL": "awseb-AWSEB-ABCDABCDABCD-12345678.us-east-1.elb.amazonaws.com",
  "SolutionStackName": "64bit Amazon Linux 2 v3.1.4 running PHP 7.4",
  "EnvironmentId": "e-abcdabcdab",
  "CNAME": "cc-wordpress-environment.eba-abcdabcd.us-east-1.elasticbeanstalk.com",
  "AbortableOperationInProgress": true,
  "Tier": {
    "Version": "1.0",
    "Type": "Standard",
    "Name": "WebServer"
  },
  "Health": "Grey",
  "DateUpdated": "2021-01-25T10:00:00.000Z",
  "DateCreated": "2021-01-25T10:00:00.000Z"
}

04 Repeat steps no. 1 – 3 to enforce HTTPS for other Elastic Beanstalk environments deployed in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire remediation process for other regions.

Publication date Feb 6, 2021