Description:
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply and then selects a target from the target group for the rule action.
Rationale:
It operates at the request level (layer 7), routing traffic to targets (EC2 instances, containers, IP addresses, and Lambda functions) based on the content of the request. Ideal for advanced load balancing of HTTP and HTTPS traffic, Application Load Balancer provides advanced request routing targeted at delivery of modern application architectures, including microservices and container-based applications. Application Load Balancer simplifies and improves the security of your application.
Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of an Application Load Balancer do not have HTTP to HTTPS redirection configured. The rule is also NON_COMPLIANT if one or more HTTP listeners forward to an HTTP target instead of redirecting. It is supported in all regions except Asia Pacific (Osaka), Europe (Milan) and Africa (Cape Town).
Impact:
If HTTPS redirection is enabled on the Application Load Balancer, plain HTTP requests are answered with a redirect instead of being served, so attackers cannot tell on which port our services actually work. Information gathering becomes harder for unauthorized attackers.
Default Value:
By default, HTTP to HTTPS redirection is not enabled on an ALB listener; the listener forwards traffic instead.
Pre-Requisite:
Before implementation, make sure you have at least one Application Load Balancer in your AWS account.
If you have both Classic and Application Load Balancers, make sure to implement this only on the Application Load Balancers.
Remediation:
Test Plan:
Step 1: Log in to AWS Management Console and go to EC2 at https://console.aws.amazon.com/ec2
Step 2: In the EC2 Dashboard, scroll down to Load Balancing in the left navigation pane.
Step 3: Click on Load Balancers
Step 4: To audit select your Application Load Balancer
Step 5: Go to the Listener tab of the selected Load Balancer
Step 6: In this tab, you can see whether HTTPS redirection is enabled or not.
If the Rules column shows a forward action rather than a redirect, redirection is not enabled.
To describe the rules for a listener:
aws elbv2 describe-rules \
    --listener-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2
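The audit above is done by eye in the console or by reading describe-rules output. The following added example (not part of the original document or of AWS tooling) applies the AWS Config rule logic described in the Rationale to captured describe-listeners and describe-rules output: an HTTP listener is COMPLIANT only if its default action and every rule action end in a redirect to HTTPS; a forward, a fixed response, or a redirect that keeps the original protocol marks it NON_COMPLIANT. The sample JSON is constructed; the first listener ARN is the one from the describe-rules command above, the remaining ARNs and target group names are made up.

```python
import json

# Constructed sample: trimmed output of `aws elbv2 describe-listeners` for one ALB.
# The first ARN is the listener ARN used elsewhere in this document; the others are made up.
HTTP_LISTENER = "arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2"
HTTPS_LISTENER = "arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/0123456789abcdef"
GOOD_HTTP_LISTENER = "arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/other-lb/aaaabbbbccccdddd/1111222233334444"
TARGET_GROUP = "arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067"

SAMPLE_LISTENERS = [
    {"ListenerArn": HTTP_LISTENER, "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP}]},
    {"ListenerArn": HTTPS_LISTENER, "Port": 443, "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP}]},
    {"ListenerArn": GOOD_HTTP_LISTENER, "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]

# Constructed sample: `aws elbv2 describe-rules` output keyed by listener ARN.
# describe-rules also returns the default rule (IsDefault true), which mirrors DefaultActions.
SAMPLE_RULES = {
    HTTP_LISTENER: [
        {"Priority": "1", "IsDefault": False,
         "Conditions": [{"Field": "path-pattern", "Values": ["/images/*"]}],
         "Actions": [{"Type": "redirect", "RedirectConfig": {
             "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
        {"Priority": "default", "IsDefault": True, "Conditions": [],
         "Actions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP}]},
    ],
    GOOD_HTTP_LISTENER: [
        {"Priority": "default", "IsDefault": True, "Conditions": [],
         "Actions": [{"Type": "redirect", "RedirectConfig": {
             "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    ],
}


def describe_problem(action):
    """Return None if the terminal action is a redirect to HTTPS, else a reason string."""
    if action is None:
        return "no action configured"
    kind = action.get("Type")
    if kind == "forward":
        return "forwards to a target group instead of redirecting to HTTPS"
    if kind == "redirect":
        proto = action.get("RedirectConfig", {}).get("Protocol", "")
        # "#{protocol}" keeps the client's protocol, so it is not an HTTPS redirect either.
        if proto.upper() == "HTTPS":
            return None
        return "redirects to protocol %r rather than HTTPS" % (proto or "unspecified")
    return "terminal action type %r is not an HTTPS redirect" % kind


def evaluate_alb(listeners, rules_by_listener):
    """Map each HTTP listener ARN to (status, reasons); HTTPS listeners are out of scope."""
    results = {}
    for listener in listeners:
        if listener.get("Protocol") != "HTTP":
            continue
        arn = listener["ListenerArn"]
        # The default action plus every non-default rule must all end in an HTTPS redirect.
        candidates = [("default action", listener.get("DefaultActions", []))]
        for rule in rules_by_listener.get(arn, []):
            if rule.get("IsDefault"):
                continue  # already covered by DefaultActions
            candidates.append(("rule priority %s" % rule.get("Priority"), rule.get("Actions", [])))
        reasons = []
        for label, actions in candidates:
            # authenticate-* actions are always followed by a terminal action; judge the last one.
            problem = describe_problem(actions[-1] if actions else None)
            if problem:
                reasons.append("%s: %s" % (label, problem))
        results[arn] = ("NON_COMPLIANT" if reasons else "COMPLIANT", reasons)
    return results


RESULTS = evaluate_alb(SAMPLE_LISTENERS, SAMPLE_RULES)

if __name__ == "__main__":
    print(json.dumps(RESULTS, indent=2))
```

Feed it real data by replacing the two constructed structures with the parsed output of describe-listeners (per load balancer) and describe-rules (per listener); the /images/* redirect rule in the sample does not rescue the listener, because its default action still forwards, which is exactly the "forwarded instead of redirection" case in the rule description.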
Implementation Steps:
Step 1: Log in to AWS Management Console and go to EC2 at https://console.aws.amazon.com/ec2
Step 2: In the EC2 Dashboard, scroll down to Load Balancing in the left navigation pane.
Step 3: Click on Load Balancers
Step 4: To configure HTTP to HTTPS redirection, select your Application Load Balancer
Step 5: In the Listeners tab of the selected Load Balancer, if your ALB contains any rules, select the rules and click on Edit rules
Step 6: To edit, click on the Edit rule button
Note:- If you want new rules for your ALB, click on the Add button and then click on Insert rule
Step 7: Click on the edit button in the rule
Step 8: In the “Then” column, delete your previous rule actions
Step 9: Add a new action by clicking on the Add action button and select the Redirect to option
Step 10: Select the protocol to redirect to and give the original port number of that protocol; set the other two options as per your organization policy, and then click the tick button to save your configuration
Step 11: Click on the Update button to update the rules in your Application Load Balancer
Using AWS CLI:
To modify a rule so that it redirects to HTTPS (a redirect action takes a RedirectConfig, not a TargetGroupArn; Host, Path and Query default to the original request values when omitted):
aws elbv2 modify-rule \
    --rule-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:listener-rule/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee \
    --conditions Field=path-pattern,Values='/images/*' \
    --actions 'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301}'
Note: the syntax above is only a template; edit the ARN, condition and port for your environment and then execute it.
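The shorthand above covers one rule. The listener's default action is changed with `aws elbv2 modify-listener --default-actions`, and both commands accept the same action JSON. The following added example (not part of the original document or of AWS tooling) builds that action JSON and the two CLI invocations, validates the status code and port before anything is sent, and only runs the `aws` binary when dry_run is turned off, so the generated command can be reviewed first. The ARNs are the ones used in this document; the `run` helper and its dry-run switch are assumptions of this example.

```python
import json
import shlex
import subprocess

# ARNs from this document's examples.
LISTENER_ARN = "arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2"
RULE_ARN = "arn:aws:elasticloadbalancing:us-west-2:123456789012:listener-rule/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee"

ALLOWED_STATUS = {"HTTP_301", "HTTP_302"}


def https_redirect_action(port=443, status_code="HTTP_301"):
    """Build the ELBv2 redirect action JSON object; Port is a string in the API."""
    if status_code not in ALLOWED_STATUS:
        raise ValueError("StatusCode must be one of %s" % sorted(ALLOWED_STATUS))
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % port)
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Port": str(port),
            # Keep the original host, path and query so only the scheme changes.
            "Host": "#{host}",
            "Path": "/#{path}",
            "Query": "#{query}",
            "StatusCode": status_code,
        },
    }


def modify_listener_cmd(listener_arn, **redirect_kwargs):
    """argv for replacing an HTTP listener's default action with an HTTPS redirect."""
    return ["aws", "elbv2", "modify-listener",
            "--listener-arn", listener_arn,
            "--default-actions", json.dumps([https_redirect_action(**redirect_kwargs)])]


def modify_rule_cmd(rule_arn, conditions, **redirect_kwargs):
    """argv for replacing a rule's action with an HTTPS redirect, keeping its conditions."""
    return ["aws", "elbv2", "modify-rule",
            "--rule-arn", rule_arn,
            "--conditions", json.dumps(conditions),
            "--actions", json.dumps([https_redirect_action(**redirect_kwargs)])]


def run(cmd, dry_run=True):
    """Return the shell-quoted command when dry_run, otherwise execute it and return stdout."""
    rendered = " ".join(shlex.quote(part) for part in cmd)
    if dry_run:
        return rendered
    completed = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    print(run(modify_listener_cmd(LISTENER_ARN)))
    print(run(modify_rule_cmd(RULE_ARN, [{"Field": "path-pattern", "Values": ["/images/*"]}])))
```

Run it as-is to print both commands; set `dry_run=False` in `run` once the output has been reviewed against the audit results. Pass `status_code="HTTP_302"` only where a temporary redirect is really wanted, since clients cache a 301 and will keep using HTTPS for that host afterwards.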
JSON syntax for the --conditions parameter:
[
  {
    "Field": "string",
    "Values": ["string", ...],
    "HostHeaderConfig": {
      "Values": ["string", ...]
    },
    "PathPatternConfig": {
      "Values": ["string", ...]
    },
    "HttpHeaderConfig": {
      "HttpHeaderName": "string",
      "Values": ["string", ...]
    },
    "QueryStringConfig": {
      "Values": [
        {
          "Key": "string",
          "Value": "string"
        }
        ...
      ]
    },
    "HttpRequestMethodConfig": {
      "Values": ["string", ...]
    },
    "SourceIpConfig": {
      "Values": ["string", ...]
    }
  }
  ...
]
Backout Plan:
If you have any problem after editing the rules in the Application Load Balancer, reconfigure the rule: follow the implementation steps again and modify the rule as per the audit.
Reference:
What is an Application Load Balancer? - Elastic Load Balancing
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html
https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/
https://docs.aws.amazon.com/config/latest/developerguide/alb-http-to-https-redirection-check.html
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html