This rule focuses on using SSL or HTTPS listeners for ELB application and network load balancers.
Rule | ELB application and network load balancers should only use SSL or HTTPS listeners
Framework | CISA-cyber-essentials
Severity | High
ELB Load Balancer SSL/HTTPS Listener Rule for CISA Cyber Essentials
Description
As part of the CISA Cyber Essentials guidelines, it is recommended to ensure that every listener on an Elastic Load Balancer (ELB) of the application or network type uses an encrypted protocol: HTTPS for application load balancers and TLS for network load balancers (the TLS listener is what the rule title calls "SSL"). Plain HTTP, TCP and UDP listeners accept client traffic unencrypted, so the rule protects data in transit on the client-to-load-balancer hop against eavesdropping and tampering. The rule covers only the listener; encryption between the load balancer and its targets is governed separately by the target group protocol.
Troubleshooting Steps (if applicable)
If you encounter issues while configuring or enforcing HTTPS/TLS listeners on ELB load balancers, work through these troubleshooting steps:
Verify the SSL/TLS certificate: an HTTPS or TLS listener needs a default certificate, normally from AWS Certificate Manager (ACM) in the same region as the load balancer. Confirm the certificate is issued (not pending validation or expired) and is associated with the listener; if several certificates are attached, make sure the default one matches the hostname clients connect to.
Check listener configurations: confirm the protocol is HTTPS (application load balancer) or TLS (network load balancer) and that the port is the one clients use, typically 443. The security policy selected on the listener fixes the TLS versions and cipher suites offered; choose a current predefined policy rather than one that still permits TLS 1.0 or 1.1.
Verify backend server configurations: this only matters when the target group protocol is also HTTPS or TLS (end-to-end encryption). In that case the targets must present a certificate and serve TLS on the target group port. If the target group uses HTTP or TCP, the load balancer terminates TLS itself and the backend needs no certificate.
Check security groups and network ACLs: the load balancer's security group and the subnet network ACLs must allow inbound traffic on the listener port from clients, and the targets must allow inbound traffic on the target group port from the load balancer. Keep in mind that the target group port is often not 443.
Review ELB logs and metrics: access logs record the negotiated TLS protocol and cipher for each request, and the CloudWatch metric ClientTLSNegotiationErrorCount counts handshakes that failed. A rising error count usually means clients cannot agree on a protocol or cipher with the chosen security policy, or do not trust the certificate.
Consider load balancer health checks: health checks use the target group's health check protocol and port, not the listener, so changing a listener from HTTP to HTTPS does not by itself affect them. If targets turn unhealthy after you also switched the target group to HTTPS or TLS, the usual cause is a backend that does not speak TLS on the checked port.
Necessary Codes (if applicable)
If you need to convert an existing plain listener in place, use the following AWS CLI command as a template. A certificate is mandatory when the new protocol is HTTPS or TLS, so --certificates must be supplied; for a network load balancer use --protocol TLS instead of HTTPS:
aws elbv2 modify-listener --listener-arn <listener-arn> --port 443 --protocol HTTPS --ssl-policy <ssl-policy-name> --certificates CertificateArn=<certificate-arn>
Replace <listener-arn> with the ARN (Amazon Resource Name) of the listener you wish to modify, <ssl-policy-name> with the desired security policy (for example the predefined ELBSecurityPolicy-TLS13-1-2-2021-06), and <certificate-arn> with the ARN of the ACM certificate for the listener's hostname. Afterwards, run aws elbv2 describe-listeners --load-balancer-arn <load-balancer-arn> and confirm that no listener still reports HTTP, TCP, UDP or TCP_UDP as its protocol.
Step-by-step Guide for Remediation
Follow these step-by-step instructions to enforce SSL/HTTPS listeners on ELB application or network load balancers:
Log in to the AWS Management Console (or use the AWS CLI).
Navigate to the EC2 service.
In the navigation pane, select "Load Balancers" under the "LOAD BALANCING" section.
Choose the application or network load balancer for which you want to enforce SSL/HTTPS listeners.
Select the "Listeners" tab.
Identify the existing listener(s) and note any whose protocol is HTTP (application load balancer) or TCP, UDP or TCP_UDP (network load balancer).
For each such listener, select it and click "Edit" (alternatively, add a new HTTPS/TLS listener and delete the plain one once clients have moved over).
In the "Protocol" dropdown menu, choose "HTTPS" for an application load balancer or "TLS" for a network load balancer.
Define the appropriate port for the encrypted listener (typically port 443).
Select a current security policy from the "Security policy" (SSL policy) dropdown menu; it determines the TLS versions and cipher suites offered to clients.
Attach the default certificate from ACM; this is required, not optional, for an HTTPS or TLS listener. Then configure any other settings you need, such as additional certificates for other hostnames or authentication rules.
Once the necessary changes are made, click "Save" to apply the listener configuration.
Confirm that no plain listener remains on the load balancer. An HTTP listener kept only to redirect clients to HTTPS is still a non-HTTPS listener as the rule is worded, so remove it if the rule must pass. Then monitor target health and client TLS errors and make any additional adjustments as needed.
By following these steps, you can enforce SSL/HTTPS listeners on your ELB load balancer, adhering to the CISA Cyber Essentials guidelines for enhanced security.
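To check the rule and generate the remediation command from the CLI's own output rather than by hand, here is an added example in Python; it is not code from the original page or from AWS. It reads the JSON shape that aws elbv2 describe-listeners returns (plus the "Type" value of describe-load-balancers), lists every listener whose protocol is not HTTPS (application) or TLS (network), and builds the modify-listener command shown in the Necessary Codes section, including the mandatory certificate. The ARNs, certificate and sample listeners are constructed placeholders, and fetch_live_listeners() is a hypothetical helper that shells out to the AWS CLI and needs credentials; the sample run below works offline.

```python
"""Evaluate ELBv2 listeners against the HTTPS/TLS-listeners-only rule.

Added example, not code from the original page or from AWS. It consumes the
JSON returned by `aws elbv2 describe-listeners` (and the "Type" field of
`describe-load-balancers`), so it runs on the constructed sample below or,
through fetch_live_listeners(), against a real account via the AWS CLI.
"""
import json
import shlex
import subprocess

# Encrypted listener protocol per ELBv2 load balancer type. ALB listeners are
# HTTP or HTTPS; NLB listeners are TCP, TLS, UDP or TCP_UDP.
SECURE_PROTOCOL = {"application": "HTTPS", "network": "TLS"}
DEFAULT_SECURE_PORT = 443

# Constructed sample data (placeholder ARNs): an ALB with one plain HTTP and
# one HTTPS listener, and an NLB with a single plain TCP listener.
SAMPLE_LISTENERS = {
    "application": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                        "listener/app/web/50dc6c495c0c9188/f2f7dc8efc522ab2",
         "Port": 80, "Protocol": "HTTP"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                        "listener/app/web/50dc6c495c0c9188/0b5b9c1a2d3e4f56",
         "Port": 443, "Protocol": "HTTPS",
         "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
         "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:"
                                             "certificate/11111111-2222-3333-4444-555555555555"}]},
    ],
    "network": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                        "listener/net/api/a1b2c3d4e5f6a7b8/c9d0e1f2a3b4c5d6",
         "Port": 8443, "Protocol": "TCP"},
    ],
}


def noncompliant_listeners(lb_type, listeners):
    """Listeners whose protocol is not the encrypted one for this LB type."""
    if lb_type not in SECURE_PROTOCOL:
        raise ValueError(f"rule applies to application/network LBs, not {lb_type!r}")
    return [lsn for lsn in listeners if lsn.get("Protocol") != SECURE_PROTOCOL[lb_type]]


def evaluate(lb_type, listeners):
    """Rule verdict for one load balancer: compliant flag plus one finding per plain listener."""
    bad = noncompliant_listeners(lb_type, listeners)
    findings = [f"{lb_type} load balancer listener {lsn['ListenerArn']} uses "
                f"{lsn['Protocol']} on port {lsn['Port']}; expected {SECURE_PROTOCOL[lb_type]}"
                for lsn in bad]
    return {"compliant": not bad, "findings": findings}


def remediation_command(lb_type, listener, certificate_arn, ssl_policy,
                        port=DEFAULT_SECURE_PORT):
    """Build the `aws elbv2 modify-listener` call that converts a plain listener in place.

    HTTPS and TLS listeners must carry a default certificate, so --certificates
    is always included; without it the API rejects the protocol change.
    """
    args = ["aws", "elbv2", "modify-listener",
            "--listener-arn", listener["ListenerArn"],
            "--protocol", SECURE_PROTOCOL[lb_type],
            "--port", str(port),
            "--ssl-policy", ssl_policy,
            "--certificates", f"CertificateArn={certificate_arn}"]
    return " ".join(shlex.quote(a) for a in args)


def fetch_live_listeners(load_balancer_arn):
    """Hypothetical helper: pull real listeners through the AWS CLI (needs credentials)."""
    proc = subprocess.run(
        ["aws", "elbv2", "describe-listeners", "--load-balancer-arn",
         load_balancer_arn, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["Listeners"]


if __name__ == "__main__":
    cert = "arn:aws:acm:us-east-1:123456789012:certificate/placeholder"  # constructed
    policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
    for lb_type, listeners in SAMPLE_LISTENERS.items():
        report = evaluate(lb_type, listeners)
        print(f"{lb_type}: {'PASS' if report['compliant'] else 'FAIL'}")
        for finding in report["findings"]:
            print("  " + finding)
        for lsn in noncompliant_listeners(lb_type, listeners):
            print("  fix: " + remediation_command(lb_type, lsn, cert, policy))
```

Running it prints FAIL for both sample load balancers, one finding each, and the exact modify-listener command to run; feed the output of fetch_live_listeners() into evaluate() to audit a real load balancer. The port defaults to 443 as in the page's template, so an NLB listener on 8443 is moved to 443; pass port=listener["Port"] to keep the existing port instead.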