Rule: ELB Application Load Balancers Redirect HTTP to HTTPS

This rule ensures that ELB Application Load Balancers redirect HTTP requests to HTTPS for enhanced security.

Rule: ELB application load balancers should redirect HTTP requests to HTTPS
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

ELB (Elastic Load Balancer) application load balancers should be configured to redirect HTTP requests to HTTPS to ensure secure communication and compliance with NIST 800-53 Revision 5 guidelines.

Troubleshooting Steps:

  1. Verify the ELB configuration: Check the current configuration of your ELB to ensure the listener rules are correctly set up to redirect HTTP to HTTPS.

  2. Check the Health Checks: Verify that the health checks associated with your ELB are passing for both HTTP and HTTPS protocols. If the health check fails for HTTPS, troubleshoot and resolve the issue before proceeding.

  3. Validate SSL Certificate: Ensure that you have a valid SSL certificate associated with your ELB configuration. If the certificate is expired or incorrectly configured, it can cause issues with the HTTPS redirection.

  4. SSL Configuration: Review your SSL configuration settings to verify that they are correctly configured. Check the SSL protocols and cipher suites enabled to ensure compatibility with your applications and security requirements.

  5. Verify Security Groups: Confirm that the security groups associated with your ELB allow incoming HTTPS traffic (port 443) and reject HTTP traffic (port 80). Adjust the security group rules if required.

  6. Check Application Redirects: Review your application's code or server configuration to ensure that it is not performing any conflicting HTTP to HTTPS redirects. In some cases, both the application and the ELB can be performing the same redirection, causing conflicts.

  7. Monitor Access Logs: Enable and monitor the ELB access logs to identify any issues with the redirection process. Analyze the logs to determine if there are any patterns of unsuccessful redirects or error messages.

Necessary Codes:

No specific code is required as this configuration is done at the ELB level.

Remediation Steps:

  1. Log in to the AWS Management Console and navigate to the EC2 service.

  2. Select the appropriate region where your ELB is located.

  3. Click on "Load Balancers" in the left navigation pane.

  4. Select the ELB that requires the HTTP to HTTPS redirect.

  5. In the "Listeners" tab, remove any existing HTTP listeners.

  6. Add a new HTTP listener by clicking on the "Add Listener" button.

  7. Configure the new listener with the following settings:

    • Load Balancer Protocol: HTTP
    • Load Balancer Port: 80
    • Instance Protocol: HTTP
    • Instance Port: 80

  8. In the "Default actions" section of the same listener, click on the "Add action" button.

  9. Select "Redirect to..." from the drop-down menu.

  10. Configure the redirect action with the following settings:

    • Redirect to: HTTPS
    • Protocol: HTTPS
    • Port: 443

  11. Click on the "Save" button to apply the changes.

  12. Test the redirection by accessing the ELB's endpoint via HTTP. You should be automatically redirected to HTTPS.

  13. Repeat the process for any other ELBs that require the HTTP to HTTPS redirect.

Note:

Ensure that any associated security groups, SSL certificates, and application configurations are properly set up and compatible with HTTPS traffic. Regularly monitor the ELB's functionality and access logs to promptly address any issues.
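
The listener check from troubleshooting step 1 can be scripted. The following is an added example, not Cloud Defense's or AWS's own code: it evaluates JSON in the shape returned by `aws elbv2 describe-listeners` and lists the HTTP listeners whose default action does not redirect to HTTPS. The sample response, its placeholder ARNs and the function names are constructed for illustration.

```python
# Constructed sample in the shape of an `aws elbv2 describe-listeners` response.
# The ARNs are placeholders, not real resources.
SAMPLE = {"Listeners": [
    {"ListenerArn": "arn:example:listener/a", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": "arn:example:listener/b", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:example:targetgroup/web"}]},
    {"ListenerArn": "arn:example:listener/c", "Protocol": "HTTP", "Port": 8081,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "#{protocol}", "Port": "443", "StatusCode": "HTTP_302"}}]},
    {"ListenerArn": "arn:example:listener/d", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:example:targetgroup/web"}]},
]}


def redirects_to_https(listener):
    """True if a default action is a redirect whose target protocol is HTTPS."""
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "redirect":
            continue
        cfg = action.get("RedirectConfig", {})
        # "#{protocol}" (the API default) keeps the incoming scheme, so on an
        # HTTP listener the client stays on HTTP and the rule is not met.
        if cfg.get("Protocol", "#{protocol}").upper() == "HTTPS":
            return True
    return False


def noncompliant_http_listeners(response):
    """Return (arn, port, default action types) for each failing HTTP listener."""
    findings = []
    for listener in response.get("Listeners", []):
        if listener.get("Protocol") != "HTTP":
            continue  # HTTPS listeners are outside this rule's scope
        if not redirects_to_https(listener):
            types = [a.get("Type") for a in listener.get("DefaultActions", [])]
            findings.append((listener["ListenerArn"], listener.get("Port"), types))
    return findings


if __name__ == "__main__":
    for arn, port, types in noncompliant_http_listeners(SAMPLE):
        print(f"NON-COMPLIANT {arn} port={port} default_actions={types}")
```

Only default actions are evaluated here; non-default listener rules (returned by `aws elbv2 describe-rules`) can still forward specific paths over HTTP and should be reviewed separately.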
