Profile Applicability:

  • Level 1

Description:

Elastic Load Balancer v2 (ELBv2) is a fully managed load balancing service that distributes incoming traffic across multiple targets like EC2 instances, containers, and IP addresses. Listeners are essential components of ELBv2, as they define how incoming requests are handled based on their protocol (HTTP, HTTPS, TCP, etc.). This SOP checks if ELBv2 (ALB or NLB) has listeners configured to ensure it is properly handling traffic.

Rationale:

  • Traffic Distribution: Listeners are responsible for routing incoming traffic to the appropriate target group. Without listeners, the load balancer cannot process or distribute traffic.

  • Security: Proper listener configuration (e.g., HTTPS listeners) ensures that traffic is encrypted and secure.

  • Compliance: Ensuring that listeners are configured for ELBv2 is important for meeting compliance requirements (e.g., PCI-DSS), especially when handling sensitive data.

Impact:

Pros:

  • Traffic Management: Proper listener configuration ensures that ALBs and NLBs can distribute traffic to targets effectively.

  • Security: Properly configured SSL/TLS listeners ensure secure data in transit.

  • Scalability: Correct listener setup allows for scaling traffic as needed.

Cons:

  • Configuration Complexity: Setting up listeners for multiple protocols or ensuring SSL/TLS settings may introduce additional complexity.

  • Operational Overhead: Misconfigured listeners may block incoming traffic or cause application downtime.

Default Value:

By default, ELBv2 (ALBs or NLBs) may not have listeners configured. Listeners must be explicitly created during or after the ELBv2 setup.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • elasticloadbalancing:DescribeListeners

  • AWS CLI installed and configured.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing under Services.

  3. In the Load Balancers section, select the Elastic Load Balancer (ALB or NLB) you want to inspect.

  4. Under the Listeners tab, check if listeners are configured.

    • If listeners are present, the tab lists each one's Protocol (HTTP, HTTPS, TCP, etc.) and Port (80, 443, etc.).

    • If no listeners are configured, the tab will show no listeners for that ELBv2.

Using AWS CLI:

  1. List the ALBs and NLBs in the account with their ARNs (note that for ELBv2, describe-load-balancers does not return listeners; unlike classic ELB, there is no ListenerDescriptions field, so listeners are queried separately):

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application` || Type==`network`].[LoadBalancerName,LoadBalancerArn]' --output text

  2. For each load balancer ARN, list its listeners:

    aws elbv2 describe-listeners --load-balancer-arn <load-balancer-arn> --query 'Listeners[*].{Protocol:Protocol,Port:Port}'

  3. An empty Listeners list in the output means the ELBv2 has no listeners associated with it.
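As an added example (not part of the original SOP), the following Python script applies the Test Plan's check to the JSON shape returned by describe-load-balancers and describe-listeners: it flags ALBs/NLBs with no listeners at all and, following the Rationale's security point, listeners that carry plaintext (a plaintext listener whose only job is to redirect to HTTPS is accepted). The sample data, placeholder ARNs and the fetch_live() helper are assumptions of this example.

```python
# Added example, not part of the original SOP: evaluates ELBv2 listener configuration from the
# shape of `aws elbv2 describe-load-balancers` / `describe-listeners` output. Sample data is constructed.
ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS"}  # HTTPS on ALB, TLS on NLB
ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/{}"  # placeholder ARN prefix
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerArn": ARN.format("app/web-alb/ID1"), "LoadBalancerName": "web-alb", "Type": "application"},
    {"LoadBalancerArn": ARN.format("net/api-nlb/ID2"), "LoadBalancerName": "api-nlb", "Type": "network"},
    {"LoadBalancerArn": ARN.format("app/orphan-alb/ID3"), "LoadBalancerName": "orphan-alb", "Type": "application"},
]
SAMPLE_LISTENERS = {  # keyed by LoadBalancerArn, one describe-listeners result each
    ARN.format("app/web-alb/ID1"): [
        {"Protocol": "HTTP", "Port": 80, "DefaultActions": [  # plaintext, but only redirects to HTTPS
            {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443"}}]},
        {"Protocol": "HTTPS", "Port": 443, "DefaultActions": [{"Type": "forward"}]},
    ],
    ARN.format("net/api-nlb/ID2"): [{"Protocol": "TCP", "Port": 5432, "DefaultActions": [{"Type": "forward"}]}],
    ARN.format("app/orphan-alb/ID3"): [],  # no listeners: the load balancer cannot serve traffic
}

def is_acceptable(listener):
    """Encrypted listener, or a plaintext listener whose every default action redirects to HTTPS."""
    if listener["Protocol"] in ENCRYPTED_PROTOCOLS:
        return True
    actions = listener.get("DefaultActions", [])
    return bool(actions) and all(a.get("Type") == "redirect" and
                                 a.get("RedirectConfig", {}).get("Protocol") == "HTTPS" for a in actions)

def evaluate(load_balancers, listeners_by_arn):
    """Map each ALB/NLB name to FAIL (no listeners), WARN (plaintext listener) or PASS."""
    results = {}
    for lb in load_balancers:
        if lb.get("Type") not in ("application", "network"):
            continue  # gateway load balancers are out of scope for this check
        listeners = listeners_by_arn.get(lb["LoadBalancerArn"], [])
        if not listeners:
            results[lb["LoadBalancerName"]] = "FAIL: no listeners configured"
            continue
        plain = [f'{l["Protocol"]}:{l["Port"]}' for l in listeners if not is_acceptable(l)]
        results[lb["LoadBalancerName"]] = f"WARN: unencrypted {', '.join(plain)}" if plain else "PASS"
    return results

def fetch_live():
    """Same inputs from a real account via boto3 (needs the two Describe* permissions listed above)."""
    import boto3  # imported here so evaluate() stays usable offline against saved CLI output
    elbv2 = boto3.client("elbv2")
    lbs = [lb for page in elbv2.get_paginator("describe_load_balancers").paginate()
           for lb in page["LoadBalancers"]]
    return lbs, {lb["LoadBalancerArn"]: elbv2.describe_listeners(
        LoadBalancerArn=lb["LoadBalancerArn"])["Listeners"] for lb in lbs}
```

Run evaluate(SAMPLE_LOAD_BALANCERS, SAMPLE_LISTENERS) for the constructed data, or evaluate(*fetch_live()) against an account with the prerequisite permissions.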

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Elastic Load Balancing.

  2. In the Load Balancers section, select the Elastic Load Balancer to check.

  3. Under the Listeners tab, if no listeners are configured, click on Add Listener.

  4. Select the desired Protocol (HTTP, HTTPS, TCP) and Port (e.g., 80 for HTTP, 443 for HTTPS).

  5. Save the changes to apply the listener configuration.

Using AWS CLI:

  1. To create a listener for the ELBv2, run the following command (the fixed-response action below is only valid on an ALB; for an NLB, use a forward action such as --default-actions Type=forward,TargetGroupArn=<target-group-arn> instead):

    aws elbv2 create-listener \
      --load-balancer-arn <load-balancer-arn> \
      --protocol HTTP \
      --port 80 \
      --default-actions '[{"Type":"fixed-response","FixedResponseConfig":{"StatusCode":"200","ContentType":"text/plain","MessageBody":"Listener Created"}}]'

  2. To verify the listeners, run:

    aws elbv2 describe-listeners --load-balancer-arn <load-balancer-arn> --query 'Listeners[*].{Protocol:Protocol,Port:Port}'

Backout Plan:

Using AWS Console:

  1. If adding or modifying listeners causes issues, sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing, select the Load Balancer, and go to the Listeners tab.

  3. Select the listener and click Delete to remove it.

  4. Save the changes and verify that the listener has been removed.

Using AWS CLI:

  1. To remove a listener, run:

    aws elbv2 delete-listener --listener-arn <LISTENER_ARN>

  2. Verify that the listener has been removed:

    aws elbv2 describe-listeners --load-balancer-arn <LOAD_BALANCER_ARN>

References:

CIS Controls Mapping:

  Version   Control ID   Control Description                                                                                                              IG1   IG2   IG3
  v8        3.4          Encrypt Data on End-User Devices – Ensure data encryption during file system access.
  v8        6.7          Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.
  v8        6.8          Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.
  v8        14.6         Protect Information Through Access Control Lists – Apply strict access control to file systems.