AWS Elastic Load Balancing (ELB)
  1. CNS Policies
  2. AWS Knowledge Base
  3. AWS Elastic Load Balancing (ELB)

ELB Non HTTPS Listeners

Risk Level: Low

Description: 

This plugin guarantees that ELBs are set to allow only HTTPS connections. ELBs can be set to only allow HTTPS connections for optimal security. HTTP connections that aren't secure will be prohibited. This should only be done if the client application is set up to query HTTPS directly rather than relying on an HTTP redirect.

PingSafe strongly recommends removing non-HTTPS listeners from the load balancer.

About the Service :

The Amazon ECS service may be configured to employ Elastic Load Balancing to uniformly distribute traffic among your service's jobs. The transport layer (TCP/SSL) or the application layer (HTTP/HTTPS) are where a Classic Load Balancer makes routing choices. A fixed relationship between the load balancer port and the container instance port is presently required by traditional load balancers.

Impact : 

The front-end connection between the clients and the load balancer is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks when a web-tier AWS ELB has no HTTPS/SSL listeners. When the programme is interacting with sensitive data like health and personal information, credentials, and credit card details, the danger becomes even more.

Steps to reproduce :

  1. Login to PinSafe console and navigate to web-tier ELB Listener Security. Copy the tag set defined for AWS resources available in your web tier.
  2. Login to your AWS Management Console.
  3. Navigate to the EC2 console.
    https://ap-south-1.console.aws.amazon.com/ec2/ 
  4. Click on Load Balancers under Load Balancing.
  5. In the search by keyword box, paste the tag set copied in step 1.
  6. Select the web-tier ELB that you want to examine and then move to the Listeners tab. Check the protocol for each listener available under the Load Balancer Protocol column. If HTTPS/SSL is not present this suggests that it is not secure.
  7. Repeat steps for other web-tier ELBs.

Steps for remediation :

  1. Login to your AWS Management Console.
  2. Navigate to the EC2 console.
    https://ap-south-1.console.aws.amazon.com/ec2/ 
  3. Click on Load Balancers under Load Balancing.
  4. Select the web-tier ELB that you want to reconfigure and click on the edit button in the Listeners tab.
  5. Add a new entry in the Edit listeners dialogue box. Select  HTTPS/SSL in the Load Balancer.
  6. Click Change and select the most appropriate options in the SSL Certificate column and then click Save.
  7. In the Edit listeners dialogue box, review and click Save.
  8. Repeat steps for other web-tier ELBs.

References: