Rule for ELB Application and Network Load Balancers

This rule specifies the use of SSL or HTTPS listeners for ELB application and network load balancers.

Rule: ELB application and network load balancers should only use SSL or HTTPS listeners
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

Under the NIST 800-53 Revision 5 guidelines, Elastic Load Balancing (ELB) application and network load balancers should only use SSL (Secure Sockets Layer) or HTTPS (Hypertext Transfer Protocol Secure) listeners. This rule ensures that data transmitted between the client and the load balancer is encrypted, providing an additional layer of security for sensitive information.

Remediation Steps:

To comply with the NIST 800-53 Revision 5 requirement and enforce SSL/HTTPS listeners on ELB application and network load balancers, follow these steps:

Step 1: Identify ELB Load Balancers:

Identify the ELB application and network load balancers in your environment. Make a note of the load balancer names or ARNs (Amazon Resource Names) for reference in the following steps.

Step 2: Verify Listener Protocol:

Check the existing listener configurations for each load balancer to ensure they are set to use SSL or HTTPS protocols. If any listeners are configured to use HTTP, they need to be modified.

Step 3: Modify Listeners:

For each load balancer, modify the listener configurations to use either SSL or HTTPS protocols. Follow the instructions provided below based on the type of load balancer:

For Classic Load Balancer (v1):

  1. Open the Amazon EC2 Management Console.
  2. Navigate to the "Load Balancers" section.
  3. Select the appropriate Classic Load Balancer.
  4. In the "Description" tab, click on the "Listeners" tab.
  5. Identify the listeners using the HTTP protocol.
  6. Select each HTTP listener and click on the "Edit" button.
  7. Change the protocol to HTTPS and configure the required SSL certificate.
  8. Save the changes.

For Application Load Balancer (v2) and Network Load Balancer:

  1. Open the Amazon EC2 Management Console.
  2. Navigate to the "Load Balancers" section.
  3. Select the appropriate Application Load Balancer or Network Load Balancer.
  4. In the "Listeners" tab, identify the listeners using the HTTP protocol.
  5. Select each HTTP listener and click on the "Delete" button to remove them.
  6. Click on the "Add listener" button.
  7. Choose HTTPS as the protocol and configure the required SSL certificate.
  8. Save the changes.

Step 4: Verify Listener Updates:

After modifying the listener configurations, verify that the changes were applied successfully. Ensure that all the ELB application and network load balancers are using SSL or HTTPS protocols for their listeners.
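
One way to script the checks in Steps 2 and 4, as an added example that is not part of the original page: it audits the parsed JSON returned by `aws elbv2 describe-listeners` (Application/Network) and `aws elb describe-load-balancers` (Classic) and reports every listener that is not encrypted, which goes beyond the console steps by also catching plain TCP or UDP listeners. The function names and sample data are constructed, and treating TLS as compliant is an assumption.

```python
# Listener protocols treated as encrypted. The page names SSL and HTTPS; TLS is
# added as an assumption, since that is the ELBv2 API's name for a Network
# Load Balancer's encrypted listener.
ENCRYPTED = {"HTTPS", "SSL", "TLS"}

def audit_v2(resp):
    """Non-compliant listeners in `aws elbv2 describe-listeners` output (ALB/NLB)."""
    return [(l["LoadBalancerArn"], l["Port"], l.get("Protocol", ""))
            for l in resp.get("Listeners", [])
            if l.get("Protocol", "").upper() not in ENCRYPTED]

def audit_classic(resp):
    """Non-compliant listeners in `aws elb describe-load-balancers` output (Classic)."""
    findings = []
    for lb in resp.get("LoadBalancerDescriptions", []):
        for desc in lb.get("ListenerDescriptions", []):
            lsn = desc["Listener"]
            if lsn["Protocol"].upper() not in ENCRYPTED:
                findings.append((lb["LoadBalancerName"],
                                 lsn["LoadBalancerPort"], lsn["Protocol"]))
    return findings

# Constructed sample responses; names, account ID and ARNs are placeholders.
# SAMPLE_V2 merges what would be one describe-listeners call per load balancer.
ALB = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
       "loadbalancer/app/example-alb/0000000000000000")
NLB = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
       "loadbalancer/net/example-nlb/1111111111111111")
SAMPLE_V2 = {"Listeners": [
    {"LoadBalancerArn": ALB, "Port": 443, "Protocol": "HTTPS"},
    {"LoadBalancerArn": ALB, "Port": 80, "Protocol": "HTTP"},
    {"LoadBalancerArn": NLB, "Port": 443, "Protocol": "TLS"},
    {"LoadBalancerArn": NLB, "Port": 8443, "Protocol": "TCP"},
]}
SAMPLE_CLASSIC = {"LoadBalancerDescriptions": [{
    "LoadBalancerName": "example-clb",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 443,
                      "InstanceProtocol": "TCP", "InstancePort": 8080}},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
    ]}]}

if __name__ == "__main__":
    for lb, port, proto in audit_v2(SAMPLE_V2) + audit_classic(SAMPLE_CLASSIC):
        print(f"NON-COMPLIANT {lb} port {port}: {proto}")
```

An empty result from both functions after remediation corresponds to the Step 4 verification.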

Troubleshooting Steps (If listener updates fail):

In case you encounter any issues while modifying the listener configurations or if the changes do not take effect as expected, consider the following troubleshooting steps:

  1. Confirm that you have appropriate permissions to modify the load balancer listeners. Ensure that you have the necessary IAM (Identity and Access Management) roles.
  2. Double-check the load balancer names or ARNs used in the steps to ensure accuracy.
  3. Check if any existing policies or security groups are preventing the modification of listener settings. Adjust the policies if necessary.
  4. Review the SSL certificate details to ensure they are valid and properly configured.
  5. Verify if the servers behind the load balancers are correctly configured to handle HTTPS traffic.

If the issue persists after following the troubleshooting steps, it is recommended to reach out to the AWS support team for further assistance.

Additional Notes:

  • It is crucial to regularly monitor and audit ELB application and network load balancers to ensure ongoing compliance with the NIST 800-53 Revision 5 guidelines.
  • Implementing SSL or HTTPS listeners not only protects sensitive data but also helps build trust with users, as it ensures secure communication channels between clients and the load balancers.
