This rule ensures ELB application and network load balancers use SSL or HTTPS listeners.
| Rule | ELB application and network load balancers should only use SSL or HTTPS listeners |
| Framework | RBI Cyber Security Framework |
| Severity | High |
Rule Description:
According to the RBI Cyber Security Framework, Elastic Load Balancers (ELBs), including Application Load Balancers (ALBs) and Network Load Balancers (NLBs), should use only SSL or HTTPS listeners so that communication with the respective backend servers is secured.
Reasoning:
Implementing SSL or HTTPS listeners ensures the confidentiality and integrity of the data transmitted between the load balancer and the backend servers, and guards against eavesdropping, data theft, and unauthorized access while the data is in transit.
Troubleshooting Steps (if applicable):
If SSL or HTTPS listeners are not configured properly, the following issues may result:
- Insecure communication: the data transmitted between the load balancer and the backend servers can be intercepted or compromised, leading to a security breach.
- Failed connections: without a working SSL or HTTPS configuration, connections may fail because the load balancer rejects non-secure requests.
Remediation Steps:
To comply with the RBI Cyber Security Framework and ensure secure communication, follow these steps to configure SSL or HTTPS listeners on ELBs:
1. Generate or obtain an SSL/TLS certificate: obtain a valid SSL/TLS certificate from a trusted certificate authority (CA) or generate a self-signed certificate.
2. Upload the SSL/TLS certificate to AWS Certificate Manager (ACM) or to the Identity and Access Management (IAM) service.
3. Open the Amazon EC2 Management Console and navigate to the EC2 Dashboard.
4. In the EC2 Dashboard, select "Load Balancers" from the left-hand menu.
5. Select the target ELB (ALB or NLB) that needs to be configured with SSL or HTTPS listeners.
6. Click the "Listeners" tab and remove any existing listeners that are not SSL or HTTPS.
7. Click the "Add Listener" button to create a new listener.
8. Select "HTTPS/SSL" as the protocol for the new listener.
9. Specify the port number for the listener (e.g., 443).
10. Select the SSL/TLS certificate that you uploaded to ACM or IAM in step 2.
11. Configure the security policy according to your requirements (e.g., permitted SSL/TLS protocol versions and cipher suites).
12. Click the "Add" button to save the new listener configuration.
13. Test the SSL or HTTPS listener by accessing the load balancer's DNS name or IP address through a browser or an appropriate test tool.
14. Ensure that the backend servers are configured to handle HTTPS requests and have the necessary SSL/TLS configuration in place.
15. Monitor the ELB access logs and application logs to identify any issues or errors related to SSL or HTTPS communication.
By following these steps, you can enforce SSL or HTTPS listeners on your ELBs, aligning with the RBI Cyber Security Framework and safeguarding your applications' communication channels.
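The following Python script is an added example, not part of this rule page or of any scanner's own code. It applies the rule described above to an ALB/NLB inventory (flagging every listener whose protocol is not HTTPS or TLS) and drafts the secure listener that the remediation steps call for. It works on the response shapes of boto3's ElasticLoadBalancingV2 `describe_load_balancers()` and `describe_listeners()`; the load balancers, ARNs and listeners in it are constructed sample data, and the default SSL policy name and the certificate ARN are assumptions to replace with your own values. One detail the console wording "HTTPS/SSL" hides: an NLB's secure listener protocol is `TLS`, the counterpart of an ALB's `HTTPS`, so the check accepts both.

```python
"""Audit ALB/NLB listeners for plaintext protocols and draft the secure
replacement listener. Added example; all resources below are constructed
sample data shaped like boto3 elbv2 describe_load_balancers()/describe_listeners()
responses, not real AWS resources."""

# Listener protocols that terminate TLS: ALBs use HTTPS listeners, NLBs use TLS.
SECURE_PROTOCOLS = {"HTTPS", "TLS"}

# Secure protocol that replaces a plaintext listener, keyed by load balancer type.
SECURE_PROTOCOL_FOR_TYPE = {"application": "HTTPS", "network": "TLS"}

# Assumed default: an AWS predefined policy that permits only TLS 1.2 and 1.3.
DEFAULT_SSL_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"

ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:123456789012"

# Constructed sample inventory: two non-compliant load balancers, one compliant.
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerArn": f"{ARN_PREFIX}:loadbalancer/app/web-alb/EXAMPLE1",
     "LoadBalancerName": "web-alb", "Type": "application"},
    {"LoadBalancerArn": f"{ARN_PREFIX}:loadbalancer/net/api-nlb/EXAMPLE2",
     "LoadBalancerName": "api-nlb", "Type": "network"},
    {"LoadBalancerArn": f"{ARN_PREFIX}:loadbalancer/app/intranet-alb/EXAMPLE3",
     "LoadBalancerName": "intranet-alb", "Type": "application"},
]

SAMPLE_LISTENERS = {
    SAMPLE_LOAD_BALANCERS[0]["LoadBalancerArn"]: [
        {"ListenerArn": f"{ARN_PREFIX}:listener/app/web-alb/EXAMPLE1/L1",
         "Protocol": "HTTP", "Port": 80,
         "DefaultActions": [{"Type": "forward",
                             "TargetGroupArn": f"{ARN_PREFIX}:targetgroup/web-tg/EXAMPLE4"}]},
    ],
    SAMPLE_LOAD_BALANCERS[1]["LoadBalancerArn"]: [
        {"ListenerArn": f"{ARN_PREFIX}:listener/net/api-nlb/EXAMPLE2/L1",
         "Protocol": "TCP", "Port": 8080,
         "DefaultActions": [{"Type": "forward",
                             "TargetGroupArn": f"{ARN_PREFIX}:targetgroup/api-tg/EXAMPLE5"}]},
        {"ListenerArn": f"{ARN_PREFIX}:listener/net/api-nlb/EXAMPLE2/L2",
         "Protocol": "TLS", "Port": 443,
         "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE6"}],
         "DefaultActions": [{"Type": "forward",
                             "TargetGroupArn": f"{ARN_PREFIX}:targetgroup/api-tg/EXAMPLE5"}]},
    ],
    SAMPLE_LOAD_BALANCERS[2]["LoadBalancerArn"]: [
        {"ListenerArn": f"{ARN_PREFIX}:listener/app/intranet-alb/EXAMPLE3/L1",
         "Protocol": "HTTPS", "Port": 443,
         "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE7"}],
         "DefaultActions": [{"Type": "forward",
                             "TargetGroupArn": f"{ARN_PREFIX}:targetgroup/intranet-tg/EXAMPLE8"}]},
    ],
}


def insecure_listeners(load_balancers, listeners_by_lb):
    """Return (load_balancer, listener) pairs for every listener that is not HTTPS/TLS."""
    findings = []
    for lb in load_balancers:
        for listener in listeners_by_lb.get(lb["LoadBalancerArn"], []):
            if listener.get("Protocol", "").upper() not in SECURE_PROTOCOLS:
                findings.append((lb, listener))
    return findings


def evaluate(load_balancers, listeners_by_lb):
    """Map each load balancer name to PASS or FAIL. One plaintext listener fails the
    whole load balancer; one with no listeners accepts no traffic and passes."""
    failing = {lb["LoadBalancerName"]
               for lb, _ in insecure_listeners(load_balancers, listeners_by_lb)}
    return {lb["LoadBalancerName"]: "FAIL" if lb["LoadBalancerName"] in failing else "PASS"
            for lb in load_balancers}


def replacement_listener_request(lb, listener, certificate_arn, ssl_policy=DEFAULT_SSL_POLICY):
    """Build the create_listener() keyword arguments for the secure listener that
    replaces `listener`, reusing its default actions so routing is unchanged.
    A listener on port 80 moves to 443; any other port is kept as-is."""
    if lb["Type"] not in SECURE_PROTOCOL_FOR_TYPE:
        raise ValueError(f"unsupported load balancer type: {lb['Type']}")
    return {
        "LoadBalancerArn": lb["LoadBalancerArn"],
        "Protocol": SECURE_PROTOCOL_FOR_TYPE[lb["Type"]],
        "Port": 443 if listener["Port"] == 80 else listener["Port"],
        "SslPolicy": ssl_policy,
        "Certificates": [{"CertificateArn": certificate_arn}],
        "DefaultActions": listener["DefaultActions"],
    }


def main():
    # Hypothetical ACM certificate ARN to attach to the replacement listeners.
    cert_arn = "arn:aws:acm:us-east-1:123456789012:certificate/REPLACE-ME"
    for name, verdict in evaluate(SAMPLE_LOAD_BALANCERS, SAMPLE_LISTENERS).items():
        print(f"{verdict}  {name}")
    for lb, listener in insecure_listeners(SAMPLE_LOAD_BALANCERS, SAMPLE_LISTENERS):
        print(f"  {lb['LoadBalancerName']}: {listener['Protocol']}:{listener['Port']} "
              f"-> create_listener({replacement_listener_request(lb, listener, cert_arn)})")


if __name__ == "__main__":
    main()
```

To run this against a live account, replace the two sample structures with `client.describe_load_balancers()["LoadBalancers"]` and, per load balancer, `client.describe_listeners(LoadBalancerArn=arn)["Listeners"]` from `boto3.client("elbv2")`, then pass each returned request to `client.create_listener(**request)` once the plaintext listener has been removed as the remediation steps describe. The request keeps the old listener's default actions deliberately: changing the protocol should not silently change where traffic is forwarded.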
Note: It is recommended to regularly review and update SSL/TLS certificates to maintain the highest level of security.