Profile Applicability:

  • Level 2

Description:

Network Load Balancer (NLB) is a highly scalable and low-latency load balancing service in AWS that operates at the network layer (Layer 4) of the OSI model. TLS termination refers to decrypting incoming TLS/SSL traffic at the load balancer, which offloads the decryption work from backend instances. This SOP ensures that NLB is configured with TLS termination, which helps in securing data in transit and offloading the encryption/decryption process from the backend servers.

Rationale:

  • Security: TLS termination at the NLB ensures that traffic between clients and the load balancer is encrypted, providing confidentiality and integrity of data during transit.

  • Performance: Offloading the decryption process to the NLB reduces the load on backend servers, improving their performance by freeing up resources for application logic.

  • Compliance: Many compliance frameworks such as PCI-DSS, SOC 2, and HIPAA require secure communication for sensitive data. Enabling TLS termination helps meet their encryption-in-transit requirements.

Impact:

Pros:

  • Secure Communication: Encrypts traffic from the client to the load balancer, ensuring data security.

  • Offloading Decryption: Reduces the decryption workload on backend servers, improving application performance.

  • Compliance: Meets industry compliance requirements for data security in transit.

Cons:

  • Configuration Complexity: Configuring TLS termination requires a valid SSL/TLS certificate, which requires management and periodic renewal.

  • Single Point of Decryption: The NLB becomes a single point of failure for encryption/decryption, so proper redundancy and backup of certificates are necessary.

Default Value:

By default, Network Load Balancers (NLB) do not have TLS termination enabled unless explicitly configured.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • elasticloadbalancing:DescribeListeners

    • elasticloadbalancing:CreateListener

  • AWS CLI installed and configured.

  • A valid SSL/TLS certificate available in AWS Certificate Manager (ACM) or a custom certificate to associate with the listener.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing under Services.

  3. In the Load Balancers section, select the Network Load Balancer (NLB) you want to check.

  4. Under the Listeners tab, verify if a TLS listener is configured:

    • If a TLS listener is configured, TLS termination is enabled, and the certificate used for the TLS handshake will be listed.

    • If no TLS listener is present, then TLS termination is not enabled.

Using AWS CLI:

  1. To list the Network Load Balancers and their listeners, first obtain the NLB ARNs, then describe the listeners of each NLB (listeners are not returned by describe-load-balancers):

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`network`].{Name:LoadBalancerName,Arn:LoadBalancerArn}'

    aws elbv2 describe-listeners --load-balancer-arn <load-balancer-arn> --query 'Listeners[*].{Protocol:Protocol,Port:Port}'

  2. If the Protocol field for any listener shows TLS, then TLS termination is enabled.
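The same check, as an added example that is not part of this SOP, applied to the JSON that the two CLI commands above return. The load balancer and listener responses below are constructed samples with the same field names as the real API output; in practice the same function can be fed boto3's describe_load_balancers() and describe_listeners() responses.

```python
from typing import Dict, List

# Constructed sample data shaped like the JSON from `aws elbv2 describe-load-balancers`
# and `aws elbv2 describe-listeners --load-balancer-arn <arn>` (only fields this check reads).
ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/"
SAMPLE_LOAD_BALANCERS = {"LoadBalancers": [
    {"LoadBalancerName": "nlb-payments", "Type": "network", "LoadBalancerArn": ARN_PREFIX + "net/nlb-payments/0a1b"},
    {"LoadBalancerName": "nlb-legacy", "Type": "network", "LoadBalancerArn": ARN_PREFIX + "net/nlb-legacy/2c3d"},
    {"LoadBalancerName": "alb-web", "Type": "application", "LoadBalancerArn": ARN_PREFIX + "app/alb-web/4e5f"},
]}
SAMPLE_LISTENERS = {  # describe-listeners output, keyed by the load balancer ARN it was called with
    ARN_PREFIX + "net/nlb-payments/0a1b": {"Listeners": [
        {"Protocol": "TLS", "Port": 443,
         "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"}]},
        {"Protocol": "TCP", "Port": 8080},
    ]},
    ARN_PREFIX + "net/nlb-legacy/2c3d": {"Listeners": [{"Protocol": "TCP", "Port": 443}]},
}


def audit_nlb_tls(load_balancers: dict, listeners_by_arn: Dict[str, dict]) -> List[dict]:
    """One finding per Network Load Balancer, applying the Test Plan's rule:
    PASS when at least one listener has Protocol TLS (termination enabled),
    FAIL when none does. Application/Gateway load balancers are skipped
    because this SOP applies only to NLBs."""
    findings = []
    for lb in load_balancers.get("LoadBalancers", []):
        if lb.get("Type") != "network":
            continue
        listeners = listeners_by_arn.get(lb["LoadBalancerArn"], {}).get("Listeners", [])
        tls = [ls for ls in listeners if ls.get("Protocol") == "TLS"]
        findings.append({
            "name": lb["LoadBalancerName"],
            "status": "PASS" if tls else "FAIL",
            "tls_ports": sorted(ls["Port"] for ls in tls),
            # Listeners on which the NLB does not terminate TLS (plain TCP/UDP, or TLS passed through).
            "non_tls_ports": sorted(ls["Port"] for ls in listeners if ls.get("Protocol") != "TLS"),
            "certificates": sorted(c["CertificateArn"] for ls in tls for c in ls.get("Certificates", [])),
        })
    return findings


if __name__ == "__main__":
    for f in audit_nlb_tls(SAMPLE_LOAD_BALANCERS, SAMPLE_LISTENERS):
        print(f"{f['status']:4} {f['name']}: TLS on {f['tls_ports']}, non-TLS on {f['non_tls_ports']}")
```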

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Elastic Load Balancing.

  2. In the Load Balancers section, select the Network Load Balancer (NLB) to configure.

  3. Under the Listeners tab, click Add Listener.

  4. Choose TLS as the Protocol.

  5. Select the SSL/TLS certificate from AWS ACM or upload your own custom certificate.

  6. Save the listener configuration to enable TLS termination.

Using AWS CLI:

  1. To create a TLS listener for the NLB, run (NLB listeners only support the forward action, so the default action must point at a target group):

    aws elbv2 create-listener \
      --load-balancer-arn <load-balancer-arn> \
      --protocol TLS \
      --port 443 \
      --certificates CertificateArn=<certificate-arn> \
      --default-actions Type=forward,TargetGroupArn=<target-group-arn>

  2. To verify if TLS termination is enabled, run:

    aws elbv2 describe-listeners --load-balancer-arn <load-balancer-arn> --query 'Listeners[*].{Protocol:Protocol,Port:Port}'

Backout Plan:

Using AWS Console:

  1. If configuring TLS termination causes issues, sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing, select the Load Balancer, and go to the Listeners tab. Select the TLS listener and click Delete to remove it.

  3. Save the changes and verify that TLS termination is no longer enabled.

Using AWS CLI:

  1. To remove the TLS listener, run:

    aws elbv2 delete-listener --listener-arn <listener-arn>

  2. Verify that the TLS listener has been removed:

    aws elbv2 describe-listeners --load-balancer-arn <load-balancer-arn>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                     | IG1 | IG2 | IG3
  --------|------------|-------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                    |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                         |     |     |