Profile Applicability:
• Level 1
Description:
Encrypt traffic to HTTPS load balancers using TLS certificates.
Rationale:
Encrypting traffic between users and your Kubernetes workload is essential to protecting data transmitted over the web. TLS certificates ensure the confidentiality and integrity of data, preventing unauthorized access and man-in-the-middle attacks.
Impact:
Enabling TLS encryption on the HTTPS listener ensures that data transmitted between clients and the load balancer is protected from eavesdropping and man-in-the-middle attacks, because the load balancer presents a certificate that clients can validate. Note that this control covers only the client-to-load-balancer hop: if the listener forwards to instances over HTTP (InstanceProtocol=HTTP), traffic from the load balancer to the nodes is plaintext inside the VPC.
Default Value:
By default, a Kubernetes Service of type LoadBalancer on AWS is provisioned with plain TCP (or HTTP) listeners and no certificate; TLS termination at the load balancer is only configured when it is explicitly requested at service creation, for example through the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation, or when the listener is added manually afterwards.
Pre-requisites:
A valid TLS certificate must be available, and the load balancer must be configured to terminate HTTPS traffic. A Classic Load Balancer can only reference a certificate stored in AWS Certificate Manager (ACM) or uploaded to IAM. A self-signed certificate is technically accepted, but clients will not trust it and will raise warnings or refuse the connection, so in practice use a certificate issued by a trusted Certificate Authority (CA), for example one issued or imported through ACM.
Remediation:
Test Plan:
Using AWS Console:
Navigate to Amazon EC2 > Load Balancers in the AWS Console.
Verify that your load balancer is configured with a TLS certificate for HTTPS traffic on port 443.
Check that the SSL/TLS certificate is correctly attached and verify its expiration date and validity.
Using AWS CLI:
To describe the load balancer and list its HTTPS listeners together with the attached certificate (note that Classic Load Balancer listeners expose the port as LoadBalancerPort, a number, so it must be compared against a JMESPath number literal rather than a quoted string):
aws elb describe-load-balancers --load-balancer-names <load-balancer-name> --query "LoadBalancerDescriptions[].{DNSName:DNSName,HTTPSListeners:ListenerDescriptions[?Listener.Protocol=='HTTPS' && Listener.LoadBalancerPort==`443`].Listener.{Port:LoadBalancerPort,Certificate:SSLCertificateId}}"
An empty HTTPSListeners list, or an HTTPS listener without an SSLCertificateId, is a failure. To check the expiry of an ACM certificate returned above:
aws acm describe-certificate --certificate-arn <certificate-arn> --query "Certificate.{Status:Status,NotAfter:NotAfter}"
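The query above checks one named load balancer at a time. The following script is an added example, not part of the benchmark text, that applies the same check across every Classic Load Balancer in the JSON that aws elb describe-load-balancers returns, and across the Services in a kubectl get svc -A -o json dump, so that LoadBalancer Services created without the aws-load-balancer-ssl-cert annotation can be spotted on the Kubernetes side as well. The sample JSON embedded below is constructed for illustration; the load balancer names, DNS names and certificate ARN are placeholders.

```python
"""Audit Classic ELB listeners (and Kubernetes LoadBalancer Services) for TLS termination.

Added example for this benchmark item; it is not AWS, CIS or Kubernetes project code.
Run without arguments to audit the sample data; with --live it shells out to the
AWS CLI and kubectl, which must be installed and authenticated.
"""
import json
import subprocess
import sys

SSL_CERT_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"

# Constructed sample in the shape of `aws elb describe-load-balancers --output json`.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"LoadBalancerDescriptions": [
    {"LoadBalancerName": "web-prod",
     "DNSName": "web-prod-123456.us-east-1.elb.amazonaws.com",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP",
                       "InstancePort": 80,
                       "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/example"}},
         {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP",
                       "InstancePort": 80}}]},
    # What a Service of type LoadBalancer produces with no ssl-cert annotation:
    # TCP listeners only, so the load balancer never terminates TLS.
    {"LoadBalancerName": "a1b2c3d4e5f6-k8s",
     "DNSName": "a1b2c3d4e5f6-k8s-123456.us-east-1.elb.amazonaws.com",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 443, "InstanceProtocol": "TCP",
                       "InstancePort": 31234}},
         {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 80, "InstanceProtocol": "TCP",
                       "InstancePort": 31235}}]},
    {"LoadBalancerName": "legacy-http",
     "DNSName": "legacy-http-123456.us-east-1.elb.amazonaws.com",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP",
                       "InstancePort": 80}}]}]})

# Constructed sample in the shape of `kubectl get svc -A -o json`.
SAMPLE_KUBECTL_OUTPUT = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "storefront",
                  "annotations": {SSL_CERT_ANNOTATION:
                                  "arn:aws:acm:us-east-1:111122223333:certificate/example"}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"namespace": "shop", "name": "api", "annotations": {}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"namespace": "shop", "name": "redis"}, "spec": {"type": "ClusterIP"}}]})


def audit_elbs(describe_output: str) -> dict:
    """Map each load balancer name to a list of findings; an empty list means compliant."""
    findings = {}
    for lb in json.loads(describe_output)["LoadBalancerDescriptions"]:
        problems = []
        listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
        # HTTPS (and the lower-level SSL protocol) are the only listener types that
        # terminate TLS at a Classic Load Balancer.
        tls = [l for l in listeners if l["Protocol"] in ("HTTPS", "SSL")]
        if not tls:
            problems.append("no HTTPS listener: TLS is not terminated at the load balancer")
        for l in tls:
            if not l.get("SSLCertificateId"):
                problems.append(f"TLS listener on port {l['LoadBalancerPort']} has no certificate attached")
        for l in listeners:
            if l["LoadBalancerPort"] == 443 and l["Protocol"] == "TCP":
                problems.append("port 443 is a TCP passthrough listener, not an HTTPS listener")
        findings[lb["LoadBalancerName"]] = problems
    return findings


def noncompliant_elbs(describe_output: str) -> list:
    """Sorted names of load balancers with at least one finding."""
    return sorted(name for name, probs in audit_elbs(describe_output).items() if probs)


def services_without_ssl_cert(kubectl_output: str) -> list:
    """LoadBalancer Services (namespace/name) that never asked the cloud provider for a cert."""
    missing = []
    for svc in json.loads(kubectl_output)["items"]:
        if svc["spec"].get("type") != "LoadBalancer":
            continue
        annotations = svc["metadata"].get("annotations") or {}
        if not annotations.get(SSL_CERT_ANNOTATION):
            missing.append(f"{svc['metadata']['namespace']}/{svc['metadata']['name']}")
    return sorted(missing)


def main(argv):
    if "--live" in argv:
        elb_json = subprocess.check_output(["aws", "elb", "describe-load-balancers", "--output", "json"])
        svc_json = subprocess.check_output(["kubectl", "get", "svc", "-A", "-o", "json"])
    else:
        elb_json, svc_json = SAMPLE_DESCRIBE_OUTPUT, SAMPLE_KUBECTL_OUTPUT
    for name, problems in audit_elbs(elb_json).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    for svc in services_without_ssl_cert(svc_json):
        print(f"Service {svc} is type LoadBalancer without {SSL_CERT_ANNOTATION}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

The ELB audit treats a TCP listener on 443 as a finding even though the pods behind it may terminate TLS themselves, because this control specifically requires the certificate to be attached at the load balancer where it can be verified and inventoried. The kubectl check closes the gap that Kubernetes-created Classic Load Balancers carry opaque generated names, which makes it hard to map a failing load balancer back to the Service that owns it.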
Implementation Plan:
Using AWS Console:
Navigate to EC2 > Load Balancers in the AWS Console.
For an existing load balancer, add an HTTPS listener by selecting Add Listener and specifying the TLS certificate.
For a new load balancer, ensure the HTTPS listener is configured to use the TLS certificate.
Using AWS CLI:
Use the following command to add an HTTPS listener on port 443 to an existing Classic Load Balancer, forwarding to instances over HTTP on port 80 (the certificate must already exist in ACM or IAM):
aws elb create-load-balancer-listeners --load-balancer-name <load-balancer-name> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<certificate-arn>
For a load balancer managed by a Kubernetes Service, prefer setting the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation on the Service so that the cloud provider creates the HTTPS listener itself; a listener added by hand may be reverted the next time the Service is reconciled.
Backout Plan:
Using AWS Console:
If the TLS configuration needs to be removed, navigate to Load Balancers in the AWS Console.
Delete the HTTPS listener or replace it with an HTTP listener. This returns client traffic to plaintext, so apply the backout only as a temporary measure.
Using AWS CLI:
To remove the HTTPS listener on port 443:
aws elb delete-load-balancer-listeners --load-balancer-name <load-balancer-name> --load-balancer-ports 443
References: