Description:
AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing the public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications. You can provide certificates for integrated AWS services either by issuing them directly with ACM or by importing third-party certificates into ACM. ACM certificates can secure a single domain name, multiple specific domain names, wildcard domains, or combinations of these; a wildcard certificate protects an unlimited number of subdomains at one level. You can also export certificates signed by ACM Private CA for use anywhere in your internal PKI.
Rationale:
This check verifies that Classic Load Balancers use SSL/TLS certificates provided by AWS Certificate Manager. Only listeners that use the HTTPS or SSL protocol are evaluated, so the Classic Load Balancer must have at least one such listener for the check to apply. It applies only to Classic Load Balancers; Application Load Balancers and Network Load Balancers are not examined.
Impact:
When an ELB has any listeners that are not configured to use a secure protocol, such as HTTPS or SSL, the front-end connection between the client and the load balancer is vulnerable to eavesdropping and man-in-the-middle (MITM) attacks. The risk becomes even higher when transmitting sensitive private data such as credit card numbers. If your ELBs are using insecure listeners, such as HTTP, apply the information provided in this guide (see Remediation) to update their configuration.
Default Value:
When you create an HTTPS or SSL listener, you must specify exactly one certificate for it; this is the listener's default certificate. You can replace that certificate after the listener has been created.
Pre-Requisite:
- An SSL/TLS certificate is required; to satisfy this check it must be issued by or imported into ACM.
- Update each ELB configuration so that its listeners use the HTTPS or SSL protocol.
Remediation:
Test Plan
- Login to the AWS Management Console.
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation panel, under LOAD BALANCING, click Load Balancers.
- Select the Elastic Load Balancer that you want to examine.
- Select the Listeners tab from the bottom panel.
- Under the Load Balancer Protocol column, check the protocol of each listener. If no listener uses the HTTPS or SSL protocol, the selected ELB's listener configuration is not secure (the front-end connection is not encrypted). For each HTTPS or SSL listener, also check the SSL Certificate column: the certificate should come from ACM rather than from IAM.
Using AWS CLI:
To list the listeners of a load balancer (for each HTTPS or SSL listener the SSLCertificateId field shows whether the certificate comes from ACM, an ARN of the form arn:aws:acm:..., or from IAM, an ARN of the form arn:aws:iam::...:server-certificate/...):
aws elb describe-load-balancers --region us-east-1 --load-balancer-name MyWebELB --query 'LoadBalancerDescriptions[*].ListenerDescriptions'
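The Test Plan above can be automated against the JSON that the describe-load-balancers command prints. The following script is an added example, not code from the original page or from AWS: it reports listeners whose front-end protocol is not HTTPS or SSL, and HTTPS/SSL listeners whose certificate ARN is not an ACM ARN. The load balancer names, account ID and certificate ARNs in the embedded sample are constructed placeholders.

```python
"""Evaluate Classic Load Balancer listeners the way the Test Plan describes.

Added example, not code from the original page or from AWS. Input is the JSON
printed by `aws elb describe-load-balancers --output json` (constructed sample
below). ACM certificates have ARNs of the form
arn:aws:acm:<region>:<account>:certificate/<id>; IAM server certificates use
arn:aws:iam::<account>:server-certificate/<name>.
"""
import json
import sys

SECURE_PROTOCOLS = {"HTTPS", "SSL"}

# Constructed sample output, trimmed to the fields the check needs.
# Names, account ID and certificate identifiers are placeholders.
SAMPLE = json.dumps({
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "web-elb",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80}},
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTP", "InstancePort": 80,
                              "SSLCertificateId":
                              "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"}},
            ],
        },
        {
            "LoadBalancerName": "legacy-elb",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 443,
                              "InstanceProtocol": "TCP", "InstancePort": 8443,
                              "SSLCertificateId":
                              "arn:aws:iam::123456789012:server-certificate/legacy-cert"}},
            ],
        },
    ]
})


def is_acm_certificate(arn):
    """True if the listener certificate was issued by or imported into ACM."""
    return isinstance(arn, str) and arn.startswith("arn:aws:acm:")


def evaluate_listener(listener):
    """Return a finding for one listener, or None if it passes the check."""
    protocol = listener.get("Protocol", "").upper()
    port = listener.get("LoadBalancerPort")
    if protocol not in SECURE_PROTOCOLS:
        return f"port {port}: front-end protocol {protocol} is not encrypted"
    cert = listener.get("SSLCertificateId")
    if not is_acm_certificate(cert):
        return f"port {port}: {protocol} listener uses non-ACM certificate {cert}"
    return None


def evaluate_load_balancers(describe_output):
    """Map each load balancer name to its findings (an empty list is compliant)."""
    data = describe_output
    if isinstance(describe_output, str):
        data = json.loads(describe_output)
    results = {}
    for lb in data.get("LoadBalancerDescriptions", []):
        findings = []
        listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
        # The Test Plan's first criterion: at least one HTTPS/SSL listener must exist.
        if not any(lst.get("Protocol", "").upper() in SECURE_PROTOCOLS for lst in listeners):
            findings.append("no HTTPS or SSL listener configured")
        for listener in listeners:
            finding = evaluate_listener(listener)
            if finding:
                findings.append(finding)
        results[lb["LoadBalancerName"]] = findings
    return results


if __name__ == "__main__":
    # Usage: aws elb describe-load-balancers --output json | python3 check_elb.py
    raw = sys.stdin.read()
    if not raw.strip():
        raw = SAMPLE  # fall back to the constructed sample when nothing is piped in
    for name, findings in evaluate_load_balancers(raw).items():
        print(f"{name}: {'NON_COMPLIANT' if findings else 'COMPLIANT'}")
        for finding in findings:
            print(f"  - {finding}")
```

On the sample, web-elb is flagged only for its plaintext port 80 listener and legacy-elb for its IAM-backed SSL listener; the ACM-backed HTTPS listener passes. Run it with no input to see the sample evaluation, or pipe in real output from the CLI command above.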
Implementation Steps:
- Login to the AWS Management Console.
- Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
- In the navigation panel, under LOAD BALANCING, click Load Balancers.
- Select the Elastic Load Balancer that you want to examine.
- Select the Listeners tab from the bottom panel.
- Click Add Listeners to add a new entry.
- In the Load Balancer Protocol dropdown list, select HTTPS (Secure HTTP).
- Under the SSL Certificate column, click Change and select one of the following options:
- Choose an existing certificate from AWS Certificate Manager (ACM) - to use a certificate already issued by or imported into ACM. If you have none, click the Request a new ACM certificate link; AWS redirects you to the ACM console, where you can request one (public certificates issued by ACM are free of charge).
- Choose an existing certificate from AWS Identity and Access Management (IAM) - to use an SSL certificate previously uploaded to IAM through the ELB dashboard. Select the certificate name from the Certificate dropdown list.
- Upload a new SSL certificate to AWS Identity and Access Management (IAM) - to deploy a certificate bought from a third-party provider by entering the information granted by the SSL provider from which you bought it. Note that IAM-stored certificates do not satisfy this check; prefer the ACM option.
- Click Add to apply the selected SSL certificate.
Using AWS CLI:
To add an HTTPS listener (an HTTPS or SSL listener requires SSLCertificateId; use the ARN of an ACM certificate so that the listener satisfies this check):
aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<acm-certificate-arn>"
Back out Plan:
- Login to the AWS Management Console.
- Navigate to the EC2 dashboard.
- In the navigation panel, under LOAD BALANCING, click Load Balancers.
- Select the Elastic Load Balancer you want to modify.
- Select the Listeners tab.
- Select the listener you want to remove.
- Click Remove.
Using AWS CLI:
To remove a listener (identified by its front-end port):
aws elb delete-load-balancer-listeners --load-balancer-name <value> --load-balancer-ports <value>
Reference:
What is Elastic Load Balancing? - Elastic Load Balancing
Create an HTTPS listener for your Application Load Balancer - Elastic Load Balancing