
Rule: ELB Application Load Balancers Redirect HTTP to HTTPS

This rule ensures ELB application load balancers redirect HTTP requests to HTTPS for improved security.

Rule: ELB application load balancers should redirect HTTP requests to HTTPS
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium

Rule Description

The rule states that all HTTP requests to ELB (Elastic Load Balancer) application load balancers should be redirected to HTTPS in order to comply with the NIST Cybersecurity Framework (CSF) v1. This ensures that traffic between clients and the application is encrypted in transit rather than sent in the clear.

Troubleshooting Steps

If there are issues with redirecting HTTP requests to HTTPS, you can follow these troubleshooting steps:

  1. Verify SSL/TLS Certificate: Ensure that a valid SSL/TLS certificate is installed on the ELB. This certificate is required to establish a secure connection over HTTPS.

  2. Check Listener Configuration: Confirm that the HTTPS listener is properly configured on the ELB. Ensure that it is listening on the correct port (usually 443) and forwarding requests to the appropriate target group.

  3. Verify HTTP to HTTPS Redirect: Validate that the HTTP to HTTPS redirect action is correctly configured on the ELB listeners. The redirect should be set up to forward any incoming HTTP request to the corresponding HTTPS URL.

  4. Check Security Group Settings: Ensure that the security group associated with the ELB allows inbound traffic on port 80 (HTTP) and port 443 (HTTPS). If the security group rules are misconfigured, it may prevent the redirect from functioning correctly.

  5. Verify Backend Application Configuration: Confirm that the backend application running on the target instances is correctly configured to handle HTTPS requests. Ensure that it is listening on the appropriate port and has the necessary SSL/TLS configurations.

Necessary Code

If you are using the AWS CLI (Command Line Interface), the following command configures the redirect from HTTP to HTTPS. The default actions are passed as a single-quoted JSON list so the shell does not brace-expand or split the value:

aws elbv2 modify-listener \
    --listener-arn <listener-arn> \
    --default-actions '[{"Type":"redirect","RedirectConfig":{"Protocol":"HTTPS","Port":"443","StatusCode":"HTTP_301"}}]'

This command modifies the listener associated with the specified ARN (Amazon Resource Name) and configures its default action to redirect HTTP requests to HTTPS on port 443 with a 301 (permanent) redirect status code.

Note: Replace <listener-arn> with the actual ARN of the listener you want to modify.
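An added compliance check, not code from this page or from Cloud Defense: it evaluates the JSON shape returned by aws elbv2 describe-listeners (here a constructed sample with placeholder ARNs) and reports every HTTP listener whose default action is not a redirect to HTTPS, including the common mistake of leaving the redirect port at its default "#{port}" placeholder.

```python
from __future__ import annotations
from typing import Any

# Constructed sample in the shape of `aws elbv2 describe-listeners` output
# (placeholder account id and names, not real resources).
ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/a1/"
SAMPLE_RESPONSE: dict[str, Any] = {"Listeners": [
    {"ListenerArn": ARN + "l-http-ok", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": ARN + "l-http-forward", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:placeholder:targetgroup/web"}]},
    {"ListenerArn": ARN + "l-http-badport", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "#{port}", "StatusCode": "HTTP_302"}}]},
    {"ListenerArn": ARN + "l-https", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:placeholder:targetgroup/web"}]},
]}


def redirect_problem(action: dict[str, Any]) -> str | None:
    """Return None if the action redirects to HTTPS on a fixed port, else the reason it does not."""
    if action.get("Type") != "redirect":
        return f"default action is {action.get('Type')!r}, not 'redirect'"
    cfg = action.get("RedirectConfig", {})
    # Only a literal HTTPS counts: the "#{protocol}" placeholder keeps the request's scheme.
    if cfg.get("Protocol") != "HTTPS":
        return f"redirect protocol is {cfg.get('Protocol')!r}, not 'HTTPS'"
    # AWS defaults Port to "#{port}", which reuses the HTTP listener's port and
    # yields an unusable https://host:80 URL; require an explicit numeric port.
    port = str(cfg.get("Port", "#{port}"))
    if not port.isdigit():
        return f"redirect port is {port!r}, not a fixed port"
    return None


def find_noncompliant_listeners(response: dict[str, Any]) -> dict[str, str]:
    """Map each HTTP listener ARN to the reason it fails the redirect-to-HTTPS rule."""
    findings: dict[str, str] = {}
    for listener in response.get("Listeners", []):
        if listener.get("Protocol") != "HTTP":
            continue  # HTTPS listeners are out of scope for this rule
        problems = [redirect_problem(a) for a in listener.get("DefaultActions", [])]
        if not problems:
            findings[listener["ListenerArn"]] = "listener has no default action"
        elif all(problems):  # no default action is a compliant redirect
            findings[listener["ListenerArn"]] = problems[0]
    return findings
```

Feed it the real describe-listeners output for each load balancer (for example via boto3 or json.load on the CLI output) to list the listeners that still need the remediation below.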

Step-by-Step Guide for Remediation

Follow these steps to remediate the issue and redirect HTTP requests to HTTPS for ELB application load balancers:

  1. Identify the ELB: Determine the specific ELB that requires the HTTP to HTTPS redirect.

  2. Validate SSL/TLS Certificate: Ensure that a valid SSL/TLS certificate is available. If not, obtain and install an appropriate certificate from a trusted certificate authority.

  3. Open the AWS Management Console: Go to the AWS Management Console and log in with appropriate credentials.

  4. Navigate to the EC2 Dashboard: Select 'Services' from the navigation bar at the top of the page and choose 'EC2' under 'Compute'.

  5. Select Load Balancers: From the EC2 Dashboard, click on 'Load Balancers' in the left sidebar to view the list of available load balancers.

  6. Choose the Target ELB: Locate and select the relevant ELB that requires the redirect configuration.

  7. Modify the Listener: In the 'Listeners' tab, select the HTTPS listener that is associated with port 443.

  8. Configure the Redirect Rule: Click on the 'Actions' dropdown and choose 'Edit'.

  9. Set the Redirect Action: Configure the listener to redirect HTTP to HTTPS by setting the protocol to HTTPS, port to 443, and selecting a redirect status code (e.g., HTTP_301 for a permanent redirect).

  10. Confirm Changes: Review the redirect rule configuration and click on 'Save' to apply the changes.

  11. Test the Configuration: After saving the changes, test whether HTTP requests are correctly redirected to HTTPS by accessing the application using its HTTP URL. Verify that it automatically redirects to the corresponding HTTPS URL.

  12. Update Security Group Rules: Ensure that the security group associated with the ELB allows inbound traffic on port 80 (HTTP) and port 443 (HTTPS). If necessary, update the security group rules to allow these incoming connections.

By following these steps, you can successfully redirect HTTP requests to HTTPS for ELB application load balancers, thereby complying with the NIST Cybersecurity Framework (CSF) v1.
