Profile Applicability:

  • Level 2

Description:

Elastic Load Balancing (ELB) is a service that automatically distributes incoming application or network traffic across multiple targets such as EC2 instances, containers, and IP addresses. For secure communication, SSL/TLS (Secure Sockets Layer/Transport Layer Security) listeners should be configured on the load balancers to encrypt the traffic between clients and the load balancer. This SOP ensures that SSL listeners are enabled on Application Load Balancers (ALBs) or Network Load Balancers (NLBs) to protect sensitive data in transit.

Rationale:

  • Security: Enabling SSL listeners ensures that traffic between clients and the load balancer is encrypted, preventing data interception and ensuring confidentiality.

  • Compliance: Many compliance standards (e.g., PCI-DSS, SOC 2) require encryption for sensitive data in transit, including SSL/TLS encryption for web traffic.

  • Data Protection: SSL listeners help prevent man-in-the-middle attacks, ensuring the integrity and privacy of data as it travels between the client and the server.

Impact:

Pros:

  • Improved Security: SSL encryption ensures that sensitive data is protected during transit between clients and the load balancer.

  • Compliance: Helps meet regulatory requirements regarding data encryption in transit.

  • Trust: Clients and users will trust applications more if secure communication protocols like SSL/TLS are implemented.

Cons:

  • Performance Impact: SSL encryption and decryption can add a slight overhead on the load balancer and backend instances.

  • Management Overhead: Managing and rotating SSL/TLS certificates requires ongoing maintenance.

Default Value:

By default, Elastic Load Balancers may not have SSL listeners enabled unless explicitly configured. HTTP listeners are typically the default for load balancing services.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • elasticloadbalancing:DescribeListeners

    • elasticloadbalancing:CreateListener

  • AWS CLI installed and configured.

  • SSL/TLS certificate available in AWS ACM (AWS Certificate Manager) or a custom certificate to associate with the listener.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing under Services.

  3. In the Load Balancers section, select the Elastic Load Balancer.

  4. Under the Listeners tab, check the Protocol for each listener:

    • Ensure that at least one listener is configured with the HTTPS protocol, which indicates an SSL listener is enabled.

    • If there are no HTTPS listeners, the load balancer is not configured with SSL.

Using AWS CLI:

  1. To describe the Elastic Load Balancer and check the listeners, run:

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application` || Type==`network`].{Name:LoadBalancerName,Listeners:ListenerDescriptions[*].Protocol}'

  2. Review the output to verify that at least one listener uses the HTTPS protocol, which indicates that SSL is enabled.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Elastic Load Balancing.

  2. In the Load Balancers section, select the Elastic Load Balancer to configure.

  3. Under the Listeners tab, if HTTPS is not already listed:

    • Click Add listener.

    • Choose HTTPS for the Protocol.

    • Select the appropriate SSL certificate from ACM (AWS Certificate Manager) or upload your own custom certificate.

  4. Click Save to enable SSL listeners.

Using AWS CLI:

  1. To create an SSL listener for an ALB or NLB, run:

    aws elbv2 create-listener \
  --load-balancer-arn <load-balancer-arn> \
  --protocol HTTPS \
  --port 443 \
  --default-actions Type=fixed-response,ResponseCode=200,MessageBody="SSL Listener" \
  --certificates CertificateArn=<certificate-arn>

  1. To verify the listener, run:

    aws elbv2 describe-listeners --load-balancer-arn <load-balancer-arn> --query 'Listeners[*].{Protocol:Protocol,Port:Port}'

Backout Plan:

Using AWS Console:

  1. If configuring SSL listeners causes issues, sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing, select the Load Balancer, and go to the Listeners tab.

  3. Select the SSL listener and click Delete to remove it.
    Save the changes and verify that the listener has been removed.

Using AWS CLI:

  1. To remove the SSL listener, run:

    aws elbv2 delete-listener --listener-arn <LISTENER_ARN>

  2. Verify that the SSL listener has been removed:

    aws elbv2 describe-listeners --load-balancer-arn <LOAD_BALANCER_ARN>


References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.