
ALB protocol is not HTTPS

Description

An internet-facing AWS ELB/ALB is a public entry point into your network: it has a publicly resolvable DNS name and accepts HTTP(S) requests from any client on the Internet. Anyone who discovers that name can use the load balancer as a path to the EC2 instances registered behind it.

When an AWS ALB has no HTTPS listener, the front-end connection between the client and the load balancer is plaintext HTTP. Anyone on the network path can read or modify that traffic (passive interception or an active man-in-the-middle), including any session cookies or credentials it carries. Note that TLS between the ALB and its targets is a separate concern; this check is about the client-facing listener.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. Under LOAD BALANCING, select Load Balancers.
  4. Select the load balancer, then open the Listeners tab.
  5. To add a listener, select Add Listener.
  6. For Protocol : port, select HTTPS and keep the default port (443) or type a different port.
  7. For Default actions, do one of the following:
    • Choose Add action, Forward to and choose a target group.
    • Choose Add action, Redirect to and provide the URL for the redirect.
    • Choose Add action, Return fixed response and provide a response code and an optional response body.
    To save the action, select the checkmark icon.
  8. For Security policy, keep the default security policy unless you have a specific reason to change it; the default disables the weak TLS versions and cipher suites.
  9. For Default SSL certificate, do one of the following:
    • If you created or imported a certificate using AWS Certificate Manager, select From ACM and select the certificate.
    • If you uploaded a certificate using IAM, select From IAM and select the certificate.
  10. Click Save.

If you keep an HTTP listener on port 80, change its default action to Redirect to HTTPS on port 443; a plaintext listener that forwards directly to a target group still fails this check.

Fix - Buildtime

CloudFormation

  • Resource: AWS::ElasticLoadBalancingV2::Listener
  • Arguments: Properties.Protocol / Properties.DefaultActions
Resources:
  ListenerHTTPS:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      ...
      # Option 1: terminate TLS on the listener (also requires a Certificates entry)
+     Protocol: HTTPS # HTTPS is the only encrypted protocol an ALB supports; TLS / TCP / UDP / TCP_UDP apply to Network Load Balancers
      # Option 2: keep a plaintext listener whose only job is to send clients to HTTPS
+     DefaultActions:
+       - Type: redirect
+         RedirectConfig:
+           Protocol: HTTPS
            ...
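The rule behind this page, as a worked example rather than the project's own implementation: the script below evaluates every AWS::ElasticLoadBalancingV2::Listener resource in a CloudFormation template (loaded here as a Python dict) and reports listeners that either serve plaintext HTTP (Option 1 missing) or redirect without switching the scheme to HTTPS (Option 2 done wrong). The template, its logical IDs and the Ref targets (ALB, TargetGroup, CertificateArn) are constructed for the demo and do not come from the page.

```python
"""Added example: evaluate the "ALB protocol is not HTTPS" rule over
CloudFormation listener resources. Illustrative code, not Checkov's own
check; the template at the bottom is constructed for the demo."""


def listener_is_secure(properties: dict) -> bool:
    """True when the listener does not expose plaintext HTTP to clients.

    Option 1: Protocol is anything other than HTTP (HTTPS on an ALB).
    Option 2: the listener is plaintext, but every default action is a
    redirect whose target scheme is HTTPS, so no application traffic is
    ever served over HTTP.
    """
    protocol = str(properties.get("Protocol", "")).upper()
    if protocol and protocol != "HTTP":
        return True

    actions = properties.get("DefaultActions") or []
    if not actions:
        return False  # nothing to redirect with: fail closed
    for action in actions:
        if str(action.get("Type", "")).lower() != "redirect":
            return False  # forward / fixed-response serves plaintext
        redirect = action.get("RedirectConfig") or {}
        # "#{protocol}" keeps the client's scheme, so HTTP stays HTTP.
        if str(redirect.get("Protocol", "")).upper() != "HTTPS":
            return False
    return True


def find_insecure_listeners(template: dict) -> list:
    """Logical IDs of listener resources that fail the rule, in template order."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ElasticLoadBalancingV2::Listener":
            continue
        if not listener_is_secure(resource.get("Properties") or {}):
            failing.append(logical_id)
    return failing


def _listener(port, protocol, actions, **extra):
    """Build a listener resource dict; the Ref targets are hypothetical."""
    props = {"LoadBalancerArn": {"Ref": "ALB"}, "Port": port,
             "Protocol": protocol, "DefaultActions": actions, **extra}
    return {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": props}


FORWARD = [{"Type": "forward", "TargetGroupArn": {"Ref": "TargetGroup"}}]

# Constructed template with one resource per case discussed on the page.
SAMPLE_TEMPLATE = {"Resources": {
    # Fails: plaintext listener forwarding straight to the target group.
    "ListenerHTTPPlain": _listener(80, "HTTP", FORWARD),
    # Passes (Option 1): TLS terminated on the listener with an ACM certificate.
    "ListenerHTTPS": _listener(
        443, "HTTPS", FORWARD,
        Certificates=[{"CertificateArn": {"Ref": "CertificateArn"}}]),
    # Passes (Option 2): port 80 stays open only to send clients to HTTPS.
    "ListenerHTTPRedirect": _listener(80, "HTTP", [{
        "Type": "redirect",
        "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                           "StatusCode": "HTTP_301"}}]),
    # Fails: "#{protocol}" preserves the client's scheme, so HTTP stays HTTP.
    "ListenerRedirectSameScheme": _listener(80, "HTTP", [{
        "Type": "redirect",
        "RedirectConfig": {"Protocol": "#{protocol}", "Path": "/new/#{path}",
                           "StatusCode": "HTTP_302"}}]),
}}


if __name__ == "__main__":
    for logical_id in find_insecure_listeners(SAMPLE_TEMPLATE):
        print(f"FAILED: {logical_id} serves or preserves plaintext HTTP")
```

The redirect case is the one worth remembering: Checkov-style rules look at the redirect's Protocol field, not merely at the presence of a redirect action, because a redirect that keeps the client's scheme leaves an HTTP-only path open.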