Profile Applicability:

  • Level 2

Description:

When using Classic Load Balancers (CLB) with SSL/HTTPS listeners, it is recommended to use AWS Certificate Manager (ACM) to provision and manage SSL/TLS certificates. ACM provides automatic renewal, centralized management, and integration with AWS services, ensuring the highest security standards for SSL/TLS certificates.

Using ACM reduces the risks associated with managing certificates manually, such as expired certificates or incorrect configurations.

Rationale:

  • Automatic Certificate Renewal: ACM automatically renews certificates, reducing the risk of downtime due to expired certificates.

  • Improved Security: ACM certificates are issued by trusted Certificate Authorities (CAs) and meet stringent security standards.

  • Simplified Management: Certificates are centrally managed and integrated with AWS services, streamlining deployments and updates.

  • Compliance: Ensures compliance with security policies and industry standards.

Impact:

  • Pros:

    • Simplifies certificate management.

    • Ensures automatic certificate renewals, reducing manual effort.

    • Enhances security by using ACM-provided, trusted certificates.

  • Cons:

    • Migrating from manually uploaded certificates to ACM may require downtime if not carefully planned.

    • ACM only supports public certificates for domain names validated through DNS or email.

Default Value:

  • By default, Classic Load Balancers allow using both ACM-managed and manually uploaded certificates for SSL/HTTPS listeners.

Pre-Requisite:

  • IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • elasticloadbalancing:DescribeLoadBalancerListeners

    • acm:ListCertificates

    • acm:DescribeCertificate

  • AWS CLI installed and configured

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 Dashboard → Load Balancers.

  3. Select Classic Load Balancers from the left-hand panel.

  4. For each Classic Load Balancer with HTTPS/SSL listeners:

    • Go to the Listeners tab.

    • Check the SSL Certificate column.

    • Ensure the certificate ARN starts with:

      arn:aws:acm:<region>:<account-id>:certificate/

  • Pass: If the certificate is managed by ACM.

  • Fail: If the certificate is uploaded manually and its ARN starts with:

      arn:aws:iam::<account-id>:server-certificate/
Using AWS CLI:

List Classic Load Balancers:

  aws elb describe-load-balancers --region <region> --query 'LoadBalancerDescriptions[*].[LoadBalancerName]' --output table

Check SSL Listeners and Certificate Source:

  aws elb describe-load-balancers --region <region> --query 'LoadBalancerDescriptions[*].{Name:LoadBalancerName,Listeners:ListenerDescriptions[*].Listener}' --output json

Identify Listeners Using HTTPS/SSL:

  • In the command output, locate listeners whose Protocol is HTTPS or SSL (typically on port 443).

Check Certificate Source:

  aws elb describe-load-balancers --load-balancer-names <clb-name> --region <region> --query 'LoadBalancerDescriptions[0].ListenerDescriptions[*].Listener.{Protocol:Protocol,SSLCertificateId:SSLCertificateId}'

  Note: the Classic ELB API has no separate describe-listeners call; listener details, including SSLCertificateId, are returned by describe-load-balancers.

Expected Output (Pass):

  {
      "Protocol": "HTTPS",
      "SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
  }

Fail Output (Manual Certificate):

  {
      "Protocol": "HTTPS",
      "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-ssl-cert"
  }
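The CLI check above can be automated over the JSON that describe-load-balancers returns. The following script is an added example, not part of this benchmark: it classifies every HTTPS/SSL listener by its certificate ARN prefix and flags IAM server certificates. The embedded sample output is constructed, and the load balancer names, account id and certificate ids in it are placeholders.

```python
import json
import sys

# ARN prefixes the benchmark distinguishes between
ACM_PREFIX = "arn:aws:acm:"
IAM_PREFIX = "arn:aws:iam::"
TLS_PROTOCOLS = {"HTTPS", "SSL"}


def classify_certificate(arn):
    """PASS for an ACM certificate, FAIL for an IAM server certificate, UNKNOWN otherwise."""
    if arn.startswith(ACM_PREFIX) and ":certificate/" in arn:
        return "PASS"
    if arn.startswith(IAM_PREFIX) and ":server-certificate/" in arn:
        return "FAIL"
    return "UNKNOWN"


def audit_load_balancers(describe_output):
    """Return one finding per HTTPS/SSL listener found in describe-load-balancers JSON."""
    findings = []
    for lb in describe_output.get("LoadBalancerDescriptions", []):
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            if listener.get("Protocol", "").upper() not in TLS_PROTOCOLS:
                continue  # HTTP/TCP listeners carry no certificate
            arn = listener.get("SSLCertificateId") or ""
            findings.append({
                "LoadBalancerName": lb["LoadBalancerName"],
                "Port": listener["LoadBalancerPort"],
                "Protocol": listener["Protocol"],
                "SSLCertificateId": arn,
                "Result": classify_certificate(arn),
            })
    return findings


# Constructed sample in the shape of `aws elb describe-load-balancers --output json`;
# names, account id and certificate ids are placeholders, not real resources.
SAMPLE = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "web-prod", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80,
                      "SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"}}]},
    {"LoadBalancerName": "legacy-api", "ListenerDescriptions": [
        {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443, "InstancePort": 8443,
                      "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-ssl-cert"}}]}]}

if __name__ == "__main__":
    # Real data: aws elb describe-load-balancers --output json | python3 audit_clb_certs.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    results = audit_load_balancers(data)
    for f in results:
        print(f"{f['Result']:7} {f['LoadBalancerName']}:{f['Port']} {f['Protocol']} {f['SSLCertificateId']}")
    sys.exit(1 if any(f["Result"] != "PASS" for f in results) else 0)
```

Run without input to see the sample verdicts, or pipe the describe-load-balancers output for a region into it; a non-zero exit status means at least one listener is not using an ACM certificate.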


Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Navigate to EC2 Dashboard → Load Balancers.

  3. Select the Classic Load Balancer you want to modify.

  4. Go to the Listeners tab.

  5. For each HTTPS/SSL listener:

    • Click Edit on the listener.

    • Choose Change SSL Certificate.

    • Select an ACM-managed certificate from the dropdown or Request a New ACM Certificate.

    • Apply changes.

  6. Test the updated listener to ensure proper SSL/TLS functionality.

Using AWS CLI:

Request or Import ACM Certificate (if needed):

  aws acm request-certificate --domain-name example.com --validation-method DNS --region <region>

  Complete the DNS validation so the certificate reaches the Issued state before attaching it; a certificate that is still pending validation cannot be associated with a listener.

Update Classic Load Balancer Listener with ACM Certificate:

  aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name <clb-name> --load-balancer-port 443 --ssl-certificate-id arn:aws:acm:<region>:<account-id>:certificate/<certificate-id> --region <region>

Verify Listener Update:

  aws elb describe-load-balancers --load-balancer-names <clb-name> --region <region> --query 'LoadBalancerDescriptions[0].ListenerDescriptions[*].Listener.{Protocol:Protocol,SSLCertificateId:SSLCertificateId}'

Backout Plan:

If switching to an ACM certificate causes issues:

Using AWS Console:

  • Navigate to EC2 Dashboard → Load Balancers.

  • Select the Classic Load Balancer.

  • In the Listeners tab, click Edit on the HTTPS/SSL listener.

  • Revert to the previously used IAM certificate.

  • Save changes.

Using AWS CLI:

  aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name <clb-name> --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::<account-id>:server-certificate/old-cert --region <region>

References:

  1. AWS ACM Documentation

  2. AWS ELB SSL Certificate Guide

  3. AWS CLI - ELB Commands

CIS Controls:

  Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 10.4       | Use Strong Encryption Algorithms – Ensure strong encryption algorithms for data in transit and at rest.   |     |     |
  v8      | 4.8        | Manage Encryption Keys – Implement key management practices for secure encryption.                       |     |     |
  v7      | 13.1       | Protect Data in Transit – Encrypt sensitive data when transmitted over networks.                          |     |     |