Ensuring ELB Application Load Balancers Redirect HTTP Requests to HTTPS Rule

This rule focuses on ensuring that ELB application load balancers redirect HTTP requests to HTTPS for enhanced security measures.

Rule: ELB application load balancers should redirect HTTP requests to HTTPS
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule Description:

To comply with FedRAMP Moderate Revision 4 requirements, Elastic Load Balancers (ELBs) with an application load balancer type should enforce HTTP to HTTPS redirection. This means that any HTTP requests received by the load balancer should be automatically redirected to HTTPS.

Enforcing this rule ensures that all communication between clients and the load balancer is encrypted, providing a more secure environment for the application.

Troubleshooting Steps (if applicable):

If HTTP to HTTPS redirection is not configured correctly on the load balancer, follow these troubleshooting steps:

  1. Verify the load balancer's listener configurations:
     • Check if an HTTPS listener is configured on the load balancer.
     • Ensure that the HTTPS listener is associated with a valid SSL/TLS certificate.
  2. Confirm the configured redirection action:
     • Check if the listener's rules have a default action that redirects HTTP to HTTPS.
     • Ensure that the action is correctly defined and specifies a redirect of type "forward" and a target group associated with HTTPS.
  3. Verify the target group settings:
     • Check if the target group contains healthy instances that can handle HTTPS traffic.
     • Make sure the target group's health checks are passing.
  4. Review the security group settings:
     • Ensure that the security group attached to the instances allows inbound traffic on the HTTPS port (443) from the load balancer.
  5. Check the SSL certificate:
     • Verify the SSL/TLS certificate associated with the load balancer.
     • Ensure it is not expired or invalid.

If the issue persists after confirming these settings, consider checking the application's web server configurations and logs for any potential issues.
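As an added example (not part of this page and not Cloud Defense's own check), the following Python script evaluates a load balancer's listeners against the points above: an HTTPS listener on port 443 with a certificate attached, and a default action on the HTTP listener that sends clients to HTTPS. The input is the listener list in the shape returned by `aws elbv2 describe-listeners` (boto3: `elbv2.describe_listeners(LoadBalancerArn=...)["Listeners"]`); on an application load balancer the redirect is expressed as a default action of type `redirect` with `RedirectConfig.Protocol` set to `HTTPS`. The sample listeners are constructed, the ARNs are placeholders, and the helper names are assumptions.

```python
"""Evaluate ALB listeners for the HTTP-to-HTTPS redirect rule.

Added example, not Cloud Defense's scanner. Input: a list of listener dicts
as returned by `aws elbv2 describe-listeners` / boto3 describe_listeners().
SAMPLE_LISTENERS is constructed data; find_listener, redirects_to_https and
check_alb_listeners are hypothetical helper names.
"""
from typing import Dict, List, Optional

Listener = Dict[str, object]

# Constructed samples (ARNs are placeholders, not real resources):
#   compliant-alb  : HTTP:80 default action redirects to HTTPS, HTTPS:443 has a cert
#   forwarding-alb : HTTP:80 merely forwards to a target group (plaintext stays in use)
#   http-only-alb  : no HTTPS listener at all
CERT = {"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}
TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/PLACEHOLDER"
REDIRECT_ACTION = {
    "Type": "redirect",
    "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
                       "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"},
}
FORWARD_ACTION = {"Type": "forward", "TargetGroupArn": TG}

SAMPLE_LISTENERS: Dict[str, List[Listener]] = {
    "compliant-alb": [
        {"Protocol": "HTTPS", "Port": 443, "Certificates": [CERT], "DefaultActions": [FORWARD_ACTION]},
        {"Protocol": "HTTP", "Port": 80, "DefaultActions": [REDIRECT_ACTION]},
    ],
    "forwarding-alb": [
        {"Protocol": "HTTPS", "Port": 443, "Certificates": [CERT], "DefaultActions": [FORWARD_ACTION]},
        {"Protocol": "HTTP", "Port": 80, "DefaultActions": [FORWARD_ACTION]},
    ],
    "http-only-alb": [
        {"Protocol": "HTTP", "Port": 80, "DefaultActions": [FORWARD_ACTION]},
    ],
}


def find_listener(listeners: List[Listener], protocol: str, port: int) -> Optional[Listener]:
    """Return the listener matching protocol/port, or None."""
    for listener in listeners:
        if listener.get("Protocol") == protocol and listener.get("Port") == port:
            return listener
    return None


def redirects_to_https(action: Listener) -> bool:
    """True when the action is a redirect whose target protocol is HTTPS."""
    if action.get("Type") != "redirect":
        return False
    cfg = action.get("RedirectConfig", {})
    return cfg.get("Protocol") == "HTTPS" and cfg.get("StatusCode") in ("HTTP_301", "HTTP_302")


def check_alb_listeners(listeners: List[Listener]) -> List[str]:
    """Return findings for one load balancer; an empty list means compliant."""
    findings: List[str] = []
    https = find_listener(listeners, "HTTPS", 443)
    if https is None:
        findings.append("no HTTPS listener on port 443")
    elif not https.get("Certificates"):
        findings.append("HTTPS listener has no SSL/TLS certificate attached")
    http = find_listener(listeners, "HTTP", 80)
    if http is None:
        # No plaintext listener: nothing to redirect, so the rule is satisfied.
        return findings
    actions = http.get("DefaultActions", [])
    if not any(redirects_to_https(a) for a in actions):
        types = ",".join(str(a.get("Type", "?")) for a in actions) or "none"
        findings.append(f"HTTP:80 default action does not redirect to HTTPS (action types: {types})")
    return findings


if __name__ == "__main__":
    for name, listeners in SAMPLE_LISTENERS.items():
        result = check_alb_listeners(listeners)
        print(name, "COMPLIANT" if not result else "NON-COMPLIANT: " + "; ".join(result))
```

To run it against a real account, replace `SAMPLE_LISTENERS` with the output of `describe_listeners` for each load balancer of type `application`; the check deliberately treats a port-80 `forward` action as a finding, because forwarding plaintext to a target group keeps the client-to-load-balancer leg unencrypted.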

Necessary Codes (if applicable):

In most cases, configuring the load balancer using the AWS Management Console or AWS Command Line Interface (CLI) does not require writing any specific code. However, you may need to use the AWS CLI to modify the listener rules or check configurations.

Step-by-Step Guide for Remediation:

Follow these steps to enforce HTTP to HTTPS redirection on an ELB application load balancer:

  1. Open the AWS Management Console and navigate to the Amazon Elastic Load Balancing service.
  2. Select the appropriate load balancer from the list.
  3. In the "Listeners" tab, ensure that an HTTPS listener is already configured with a valid SSL/TLS certificate. If not, follow the instructions to create a new HTTPS listener and associate a certificate.
  4. Click on the "Rules" tab and review the existing rules.
  5. If a rule redirecting HTTP requests to HTTPS does not exist, click on the "Create Rule" button.
  6. Create a new rule with the following configuration:
     • Condition: If HTTP
     • Action: Forward to
     • Target group: Choose the target group associated with HTTPS (make sure it exists)
  7. Save the rule.
  8. Verify the health of the instances in the target group to ensure they can handle HTTPS traffic successfully.
  9. Check the security group attached to the instances and make sure it allows inbound traffic on the HTTPS port (443) from the load balancer.
  10. Test the redirection by accessing the load balancer's DNS name via HTTP. It should automatically redirect to HTTPS.

By following these steps, you will enforce HTTP to HTTPS redirection on your ELB application load balancer, ensuring compliance with FedRAMP Moderate Revision 4 requirements.
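The final step, testing the redirect against the load balancer's DNS name, is the one that confirms the configuration actually took effect. The added Python script below (not part of this page) does that test from the command line: `fetch_redirect` issues a plain HTTP request with the standard library without following redirects, and `verify_redirect` checks the response the way a reviewer would, requiring a redirect status, an `https://` Location, the same host, and the original path and query preserved. The function names and the sample host `alb.example.com` are assumptions.

```python
"""Check that an ALB's HTTP endpoint redirects to HTTPS.

Added example, not from the page. fetch_redirect needs network access and
is only used from the command line; verify_redirect is pure and is what
the test exercises. The host alb.example.com is a constructed placeholder.
"""
import http.client
import sys
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 307, 308)


def fetch_redirect(host: str, path: str = "/", timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """GET http://host<path> once, without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def verify_redirect(host: str, path: str, status: int, location: Optional[str]) -> List[str]:
    """Return problems with the redirect; an empty list means the test passed."""
    problems: List[str] = []
    if status not in REDIRECT_STATUSES:
        problems.append(f"expected a redirect status, got {status}")
        return problems
    if not location:
        problems.append("redirect response carries no Location header")
        return problems
    target = urlsplit(location)
    requested = urlsplit(path)  # the request path may carry a query string
    if target.scheme.lower() != "https":
        problems.append(f"redirect target is not HTTPS: {location}")
    if target.hostname and target.hostname != host.lower():
        # A redirect that lands on a different host is a misconfiguration worth a look.
        problems.append(f"redirect leaves the original host: {target.hostname}")
    if (target.path or "/") != (requested.path or "/") or target.query != requested.query:
        problems.append("path or query string not preserved across the redirect")
    return problems


if __name__ == "__main__":
    # usage: python check_redirect.py <alb-dns-name> [path]
    alb_host = sys.argv[1]
    req_path = sys.argv[2] if len(sys.argv) > 2 else "/"
    code, loc = fetch_redirect(alb_host, req_path)
    issues = verify_redirect(alb_host, req_path, code, loc)
    print(f"{code} Location={loc}")
    print("PASS" if not issues else "FAIL: " + "; ".join(issues))
    sys.exit(0 if not issues else 1)
```

The same observation can be made by hand with `curl -sI http://<alb-dns-name>/` and reading the status line and `Location` header; the script just makes the pass/fail criteria explicit so the check can be repeated after every listener change.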
