Description:
HTTPS uses the SSL/TLS protocol to encrypt HTTP traffic between the client and the load balancer. A Classic Load Balancer can also apply SSL/TLS directly at the TCP layer (the listener protocol the ELB API calls SSL) to encrypt connections that do not carry HTTP.
If the front-end connection uses TCP or SSL, the back-end connections can use either TCP or SSL. If the front-end connection uses HTTP or HTTPS, the back-end connections can use either HTTP or HTTPS. A listener whose front end is HTTP or TCP carries client traffic to the load balancer in plaintext.
Rationale:
If a load balancer has a listener that accepts HTTP requests on port 80, you can add a listener that accepts HTTPS requests on port 443. If the HTTPS listener forwards to the instances on port 80 over HTTP, the load balancer terminates TLS and the hop from the load balancer to the instances is unencrypted. If the HTTPS listener forwards to the instances on port 443 over HTTPS, that hop is encrypted as well. Only the second configuration protects traffic end to end; the first still leaves the client-facing connection encrypted, which is what this check requires.
Impact:
If the load balancer uses an encrypted connection to the instances (instance protocol HTTPS or SSL), you can optionally enable back-end instance authentication. The load balancer then completes a connection only if the instance presents a public key that matches one you registered with the load balancer, which prevents a substituted host behind the load balancer from receiving traffic. Without an encrypted front end, none of this is possible, and client traffic (including credentials and session cookies) crosses the network in the clear.
Default Value:
By default, Instance Protocol is HTTP and Instance Port is 80. If you want to set up back-end instance authentication, change the instance protocol to HTTPS (Secure HTTP).
Pre-Requisites:
To add an HTTPS listener, you must deploy an SSL/TLS server certificate on the load balancer (referenced by its ARN as SSLCertificateId). The load balancer uses the certificate to terminate the client connection and decrypt requests before forwarding them to the instances. If you do not have a certificate, you can create one and upload it to ACM or IAM first.
Remediation:
Test Plan:
Log in to the AWS Management Console.
Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
In the navigation panel, under LOAD BALANCING, click Load Balancers.
Select the Elastic Load Balancer that you want to examine.
Select the Listeners tab from the bottom panel.
Under the Load Balancer Protocol column, check the protocol for each listener available. If no listener is using the HTTPS or SSL protocol, the selected ELB listeners configuration is not secure (the front-end connection is not encrypted).
Repeat the above steps for each load balancer available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.
Using AWS CLI:
Run the describe-load-balancers command to check whether the selected ELB is using secure listeners (HTTPS or SSL). The classic ELB command takes the plural --load-balancer-names parameter; omit it to list every load balancer in the region.
aws elb describe-load-balancers --region us-east-1 --load-balancer-names xyz --query 'LoadBalancerDescriptions[*].ListenerDescriptions'
The command output lists the listeners of the ELB. Check the Protocol value of each Listener: if no listener uses the HTTPS or SSL protocol, the listener configuration is not secure. Also note the InstanceProtocol value, which shows whether the back-end hop is encrypted.
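The following script is an added example, not part of the original page or of AWS tooling. It runs the same describe-load-balancers call as the test plan for each region you name, then classifies every listener as plaintext, terminated at the ELB, or encrypted end to end, so that one run covers both the front-end check above and the back-end caveat from the rationale. The two load balancers in SAMPLE_OUTPUT, their names, ports and certificate ARN are constructed sample data so the script runs offline; the JSON shape is the real shape the CLI prints.

```python
"""Audit Classic ELB listeners for encrypted front-end and back-end hops.

Added example, not from the original page. Runs the test plan's
`aws elb describe-load-balancers` for each region and classifies listeners.
Live mode needs the AWS CLI and credentials; offline mode uses SAMPLE_OUTPUT.
"""
import json
import subprocess
import sys

# Listener protocols that encrypt the hop they describe.
SECURE_PROTOCOLS = {"HTTPS", "SSL"}

# Constructed sample of `aws elb describe-load-balancers --output json` for two
# hypothetical ELBs: one with only HTTP, one with HTTP plus HTTPS terminated at the ELB.
SAMPLE_OUTPUT = json.dumps({
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "legacy-web",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80},
                 "PolicyNames": []},
            ],
        },
        {
            "LoadBalancerName": "api",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80},
                 "PolicyNames": []},
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTP", "InstancePort": 80,
                              # hypothetical certificate ARN
                              "SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:certificate/example"},
                 "PolicyNames": ["ELBSecurityPolicy-2016-08"]},
            ],
        },
    ]
})


def classify_listener(listener):
    """Return 'plaintext', 'terminated' or 'end-to-end' for one Listener dict."""
    if listener["Protocol"] not in SECURE_PROTOCOLS:
        return "plaintext"      # client -> ELB hop is unencrypted
    if listener["InstanceProtocol"] not in SECURE_PROTOCOLS:
        return "terminated"     # ELB decrypts; ELB -> instance hop is plaintext
    return "end-to-end"         # both hops encrypted; instance auth possible


def audit(describe_output):
    """Map each ELB name to its findings from describe-load-balancers JSON.

    secure_frontend is False when no listener uses HTTPS or SSL, the failing
    condition of this check. terminated_ports lists listeners whose back-end
    hop is plaintext; plaintext_ports lists listeners with an unencrypted front end.
    """
    results = {}
    for lb in json.loads(describe_output)["LoadBalancerDescriptions"]:
        kinds = {d["Listener"]["LoadBalancerPort"]: classify_listener(d["Listener"])
                 for d in lb["ListenerDescriptions"]}
        results[lb["LoadBalancerName"]] = {
            "secure_frontend": any(k != "plaintext" for k in kinds.values()),
            "plaintext_ports": sorted(p for p, k in kinds.items() if k == "plaintext"),
            "terminated_ports": sorted(p for p, k in kinds.items() if k == "terminated"),
        }
    return results


def describe_region(region):
    """Run the test plan's CLI command for one region (requires AWS credentials)."""
    cmd = ["aws", "elb", "describe-load-balancers", "--region", region, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python elb_audit.py --live us-east-1 eu-west-1   (or no args for the sample)
    if "--live" in sys.argv:
        regions = sys.argv[sys.argv.index("--live") + 1:] or ["us-east-1"]
        outputs = {r: describe_region(r) for r in regions}
    else:
        outputs = {"us-east-1": SAMPLE_OUTPUT}
    for region, out in outputs.items():
        for name, f in audit(out).items():
            status = "OK" if f["secure_frontend"] else "INSECURE (no HTTPS/SSL listener)"
            print(f"{region} {name}: {status}; plaintext ports {f['plaintext_ports']}, "
                  f"terminated-at-ELB ports {f['terminated_ports']}")
```

A load balancer that passes this check can still show ports under terminated-at-ELB; that is acceptable for the check itself but is the case the rationale warns about, and the fix is to point the HTTPS listener at an HTTPS instance port and enable back-end instance authentication.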
Implementation Steps:
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under LOAD BALANCING, choose Load Balancers.
Select your load balancer.
On the Listeners tab, choose Edit.
On the Edit listeners page, choose Add.
In the Load Balancer Protocol dropdown list, select HTTPS (Secure HTTP), set the instance protocol and port (HTTPS on 443 if the instances serve TLS, otherwise HTTP on 80), select the SSL certificate, and click Save.
Remove the listeners other than HTTPS by clicking Remove. Before removing the HTTP listener on port 80, confirm that no clients depend on plain HTTP, because a Classic Load Balancer cannot redirect HTTP to HTTPS on its own.
Using AWS CLI:
To add a listener that accepts HTTPS requests on port 443 and forwards them to the instances on port 80 over HTTP (TLS terminated at the load balancer):
aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=ARN
To add a listener that accepts HTTPS requests on port 443 and forwards them to the instances on port 443 over HTTPS (encrypted end to end). The --listeners value is a single shorthand argument: do not put spaces after the commas.
aws elb create-load-balancer-listeners --region us-east-1 --load-balancer-name MyWebELB --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=ARN
Backout Plan:
To remove the port 443 listener from the ELB, follow the steps above to open the Edit listeners page, click Remove next to the HTTPS listener, and click Save. Re-add the HTTP listener on port 80 first if it was removed during remediation, so that traffic is not interrupted.
Reference: