Profile Applicability:
Level 1
Description:
Adding an HTTPS listener to an AWS Elastic Load Balancer (the Classic Load Balancer managed with the aws elb commands used below) encrypts traffic between clients and the load balancer, which is essential for protecting data in transit. Sensitive data such as login credentials, financial transactions, and personal information then reaches the load balancer over TLS instead of in cleartext. Note that the listener covers only the client-facing hop: with InstanceProtocol=HTTP, TLS is terminated at the load balancer and traffic to the backend instances remains plaintext unless the instance protocol is also set to HTTPS.
Rationale:
HTTPS encrypts the connection with TLS, preventing data from being intercepted or tampered with in transit. It is essential for protecting user privacy, maintaining data integrity, and complying with security standards. An HTTPS listener by itself does not force clients to use it: as long as an HTTP listener on port 80 remains, clients can still connect in plaintext. Enforce encrypted connections by removing the HTTP listener once HTTPS is verified, or by redirecting HTTP requests to HTTPS at the backend, and attach a security (SSL) policy to the HTTPS listener that only negotiates TLS 1.2 or later.
Impact:
Pros:
Enhanced Security: Encrypts all traffic between clients and your load balancer, ensuring confidentiality and integrity.
Compliance: Meets security standards and regulations such as PCI DSS, HIPAA, and GDPR, which require the use of encrypted connections.
Trust: Helps build trust with your users by ensuring that their data is transmitted securely.
Cons:
Configuration Complexity: Setting up SSL/TLS certificates requires proper management of certificates and keys.
Performance Overhead: Enabling HTTPS introduces a small performance overhead due to the encryption and decryption process.
Default Value:
A Classic Load Balancer has only the listeners defined when it was created, commonly a single HTTP listener on port 80. HTTPS is not enabled until you add an HTTPS listener and associate an SSL/TLS certificate with it.
Pre-requisites:
SSL/TLS Certificate to configure HTTPS.
IAM permissions to manage load balancer configurations and SSL certificates.
Access to AWS Certificate Manager (ACM) or a third-party certificate provider to issue the SSL certificate.
Remediation:
Test Plan:
Using the AWS Console:
Log in to the AWS Management Console.
Navigate to EC2 and select Load Balancers under Load Balancing.
Choose the load balancer that you want to configure.
Under the Listeners tab, check for an existing HTTPS listener. If there is no HTTPS listener, click Add listener.
Select HTTPS as the protocol and choose the SSL certificate from AWS Certificate Manager (ACM) or upload your own certificate.
Configure the security settings, such as SSL policy, and specify the default action (e.g., forwarding to a target group).
Save the configuration and verify that the load balancer now handles HTTPS traffic.
Test the configuration by accessing your load balancer's DNS name over HTTPS (e.g., https://<load-balancer-dns-name>) and confirming that the expected certificate is served. Also check whether an HTTP listener on port 80 is still present; if it is, clients are not yet required to use HTTPS.
Using AWS CLI:
List the existing load balancers:
aws elb describe-load-balancers
If an HTTPS listener is not configured, add one by running the following (this example terminates TLS at the load balancer and forwards to the instances over HTTP on port 80; use InstanceProtocol=HTTPS and the instances' TLS port to encrypt the backend hop as well; SSLCertificateId accepts an ACM certificate ARN or an IAM server-certificate ARN):
aws elb create-load-balancer-listeners --load-balancer-name <load-balancer-name> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<certificate-arn>
Verify the listeners associated with the load balancer:
aws elb describe-load-balancers --load-balancer-names <load-balancer-name> --query 'LoadBalancerDescriptions[].ListenerDescriptions[].Listener'
Check that the output lists a listener with Protocol HTTPS on LoadBalancerPort 443 and the expected certificate ARN, and that the load balancer now accepts HTTPS traffic.
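The following script, added here as a worked example and not part of the original benchmark or of AWS's tooling, automates the CLI test plan above across every Classic Load Balancer in the account. It flags load balancers with no HTTPS/SSL listener, warns where an HTTPS listener exists but a plaintext HTTP listener is still exposed, and notes HTTPS listeners that forward to the instances over plain HTTP. The --query expression, the tab-separated report format and the sample load balancer names are this example's own assumptions; run it with --live against a real account, or without arguments to exercise the logic on the constructed sample.

```shell
#!/bin/sh
# Classic ELB listener audit. Added example for this page, not AWS or benchmark
# code. Live mode assumes AWS CLI v2 with credentials for the target account;
# offline mode uses a constructed sample report so the logic runs without AWS.
#
# Report line format (one load balancer per line, tab separated):
#   <lb-name><TAB><Protocol>:<LoadBalancerPort>:<InstanceProtocol>,...

TAB=$(printf '\t')

# Produce the report from the real API (assumption: this --query shape).
live_listener_report() {
    aws elb describe-load-balancers --output text --query \
      "LoadBalancerDescriptions[].[LoadBalancerName, join(',', ListenerDescriptions[].join(':', [Listener.Protocol, to_string(Listener.LoadBalancerPort), Listener.InstanceProtocol]))]"
}

# Constructed sample standing in for the API output: one compliant LB, one
# with a leftover HTTP listener, one with no TLS listener at all.
sample_listener_report() {
    printf '%s\t%s\n' \
        'api-lb'    'HTTPS:443:HTTPS' \
        'web-lb'    'HTTP:80:HTTP,HTTPS:443:HTTP' \
        'legacy-lb' 'HTTP:80:HTTP'
}

# Count HTTPS/SSL listeners that forward to the instances in plaintext
# (TLS is terminated at the ELB, so the last hop is unencrypted).
count_plaintext_backends() {
    n=0
    old_ifs=$IFS; IFS=','
    for l in $1; do
        front=${l%%:*}
        back=${l##*:}
        case "$front:$back" in
            HTTPS:HTTP|HTTPS:TCP|SSL:TCP|SSL:HTTP) n=$((n + 1)) ;;
        esac
    done
    IFS=$old_ifs
    echo "$n"
}

# Classify one load balancer by its listener summary.
#   0: TLS listener present and no plaintext HTTP listener (pass)
#   1: no HTTPS/SSL listener at all (fails this check)
#   2: HTTPS/SSL present but a plaintext HTTP listener is still exposed
check_listeners() {
    name=$1; listeners=$2
    has_tls=0; has_http=0
    old_ifs=$IFS; IFS=','
    for l in $listeners; do
        case "${l%%:*}" in
            HTTPS|SSL) has_tls=1 ;;
            HTTP)      has_http=1 ;;
        esac
    done
    IFS=$old_ifs
    if [ "$has_tls" -eq 0 ]; then
        echo "FAIL  $name: no HTTPS/SSL listener ($listeners)"
        return 1
    fi
    if [ "$has_http" -eq 1 ]; then
        echo "WARN  $name: HTTPS present but an HTTP listener still accepts plaintext ($listeners)"
        return 2
    fi
    echo "PASS  $name: $listeners"
    return 0
}

# Run the check over a report on stdin; exit 0 only if every LB passes.
audit_report() {
    failures=0
    while IFS="$TAB" read -r name listeners; do
        rc=0
        check_listeners "$name" "$listeners" || rc=$?
        [ "$rc" -eq 0 ] || failures=$((failures + 1))
        pb=$(count_plaintext_backends "$listeners")
        [ "$pb" -eq 0 ] || echo "NOTE  $name: $pb TLS listener(s) forward to instances in plaintext"
    done
    [ "$failures" -eq 0 ]
}

rc=0
if [ "${1:-}" = "--live" ]; then
    live_listener_report | audit_report || rc=$?
else
    sample_listener_report | audit_report || rc=$?
fi
echo "audit exit status: $rc"
```

The exit status makes the script usable as a CI or scheduled compliance gate: any load balancer reported as FAIL or WARN makes it return non-zero, while the NOTE lines point at backends that still need InstanceProtocol=HTTPS.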
Implementation Plan:
Using the AWS Console:
Log in to the AWS Management Console.
Navigate to EC2 > Load Balancers and select the load balancer to configure.
Under the Listeners tab, click Add listener.
Select HTTPS as the protocol and associate the appropriate SSL certificate from ACM or upload a new certificate.
Set the SSL policy to a predefined security policy that only negotiates TLS 1.2 or later (for a Classic Load Balancer, for example ELBSecurityPolicy-TLS-1-2-2017-01) rather than the default negotiation policy, which also accepts older protocol versions.
Save the listener settings and confirm that HTTPS traffic is handled by the load balancer.
Test by navigating to your load balancer’s DNS name and checking that HTTPS is working.
Using AWS CLI:
To add an HTTPS listener to an existing load balancer, run the following (TLS is terminated at the load balancer and forwarded to the instances over HTTP on port 80; set InstanceProtocol=HTTPS and the instances' TLS port to encrypt the backend hop as well):
aws elb create-load-balancer-listeners --load-balancer-name <load-balancer-name> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<certificate-arn>
Verify that the listener has been added by running:
aws elb describe-load-balancers --load-balancer-names <load-balancer-name> --query 'LoadBalancerDescriptions[].ListenerDescriptions[].Listener'
Test the load balancer’s DNS name by accessing it over HTTPS (e.g., https://<load-balancer-dns-name>).
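The script below, added here as a worked example and not the benchmark's or AWS's own code, wraps the CLI remediation above and adds the two steps a practitioner needs beyond creating the listener: attaching a TLS-1.2-only negotiation policy to port 443, and optionally removing the HTTP listener so clients can no longer connect in plaintext. It refuses certificate identifiers that are not an ACM or IAM server-certificate ARN before making any API call. The policy name tls12-only, the DRY_RUN convention and the placeholder load balancer name and certificate ARN are this example's assumptions; the aws elb subcommands and the predefined policy ELBSecurityPolicy-TLS-1-2-2017-01 are real.

```shell
#!/bin/sh
# Add and harden an HTTPS listener on a Classic Load Balancer. Added example for
# this page, not AWS or benchmark code. Assumes AWS CLI v2 with credentials for
# the target account; the policy name and DRY_RUN convention are this script's own.
# Usage: sh harden-elb.sh <lb-name> <certificate-arn> [--drop-http]
#        DRY_RUN=1 sh harden-elb.sh ...   (print the commands, run nothing)

POLICY_NAME=tls12-only
# Predefined Classic ELB security policy that only negotiates TLS 1.2.
REFERENCE_POLICY=ELBSecurityPolicy-TLS-1-2-2017-01

# Accept only ACM certificate ARNs or IAM server-certificate ARNs, the two
# forms SSLCertificateId takes (any partition: aws, aws-cn, aws-us-gov).
validate_cert_arn() {
    case "$1" in
        arn:aws*:acm:*:*:certificate/*)       return 0 ;;
        arn:aws*:iam::*:server-certificate/*) return 0 ;;
        *)                                    return 1 ;;
    esac
}

# Print the command, then run it unless DRY_RUN is set.
run() {
    printf '+ %s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

add_https_listener() {  # <lb-name> <cert-arn>
    run aws elb create-load-balancer-listeners \
        --load-balancer-name "$1" \
        --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=$2"
}

# Create an SSL negotiation policy pinned to the reference policy and attach
# it to the 443 listener, replacing the default negotiation settings.
set_tls_policy() {  # <lb-name>
    run aws elb create-load-balancer-policy \
        --load-balancer-name "$1" --policy-name "$POLICY_NAME" \
        --policy-type-name SSLNegotiationPolicyType \
        --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=$REFERENCE_POLICY"
    run aws elb set-load-balancer-policies-of-listener \
        --load-balancer-name "$1" --load-balancer-port 443 --policy-names "$POLICY_NAME"
}

# Enforce HTTPS: while port 80 is open, clients can still use plaintext.
remove_http_listener() {  # <lb-name>
    run aws elb delete-load-balancer-listeners \
        --load-balancer-name "$1" --load-balancer-ports 80
}

harden_elb() {  # <lb-name> <cert-arn> [--drop-http]
    validate_cert_arn "$2" || {
        echo "refusing: '$2' is not an ACM or IAM server-certificate ARN" >&2
        return 1
    }
    add_https_listener "$1" "$2" || return 1
    set_tls_policy "$1" || return 1
    if [ "${3:-}" = "--drop-http" ]; then
        remove_http_listener "$1" || return 1
    fi
    return 0
}

if [ "$#" -ge 2 ]; then
    harden_elb "$@"
else
    # No arguments: dry-run against constructed placeholder values only.
    DRY_RUN=1
    harden_elb demo-lb arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
fi
```

Run it with DRY_RUN=1 first to review the exact commands, verify HTTPS as in the test plan, and only then re-run with --drop-http to close port 80; the order matters because removing the HTTP listener before HTTPS is confirmed working is an outage, not a hardening.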
Backout Plan:
Using the AWS Console:
If the HTTPS configuration causes issues, navigate to Load Balancers in the EC2 Console.
Select the load balancer, go to the Listeners tab, and delete the HTTPS listener by clicking Remove.
Ensure that only the HTTP listener is left, and verify that HTTP traffic is functioning correctly.
Using AWS CLI:
To remove the HTTPS listener, run:
aws elb delete-load-balancer-listeners --load-balancer-name <load-balancer-name> --load-balancer-ports 443
Verify that the listener is removed and the load balancer is only accepting HTTP traffic:
aws elb describe-load-balancers --load-balancer-names <load-balancer-name> --query 'LoadBalancerDescriptions[].ListenerDescriptions[].Listener'