Risk Level: Medium
Description:
This plugin guarantees that secured listeners are set up on AWS Network Load Balancers. TLS protocol listener on AWS Network Load Balancer should be set to terminate TLS traffic.
SentinelOne CNS strongly recommends attaching a TLS listener to AWS Network Load Balancer.
About the Service :
The Amazon ECS service may be configured to employ Elastic Load Balancing to uniformly distribute traffic among your service's jobs. The transport layer (TCP/SSL) or the application layer (HTTP/HTTPS) are where a Classic Load Balancer makes routing choices. A fixed relationship between the load balancer port and the container instance port is presently required by traditional load balancers.
Impact :
AWS Network Load Balancer should have a TLS protocol listener configured to terminate TLS traffic.
Steps to reproduce :
- Login to your AWS Management Console.
- Navigate to the EC2 console.
https://ap-south-1.console.aws.amazon.com/ec2/ - Click on Load Balancers under Load Balancing.
- Select the load balancer that you want to examine.
- In the Listeners tab, check if ALPN policy, Security Policy or SSL certificate is available or not.
- Since they are not present this suggests that the listener is insecure.
- Repeat steps for other EC2 load balancers as well.
Steps for remediation :
- Login to your AWS Management Console.
- Navigate to the EC2 console.
https://ap-south-1.console.aws.amazon.com/ec2/ - Click on Load Balancers under Load Balancing.
- Select the load balancer that you want to examine.
- In the Listeners tab, check if ALPN policy, Security Policy or SSL certificate is available or not.
- Since they are not present this suggests that the listener is insecure.
- We will create a new listener by clicking on the Add Listener button.
- We will then fill in the necessary information of the listener and click Add.
- Repeat steps for other EC2 load balancers as well.
References: