ELBv1 listener protocol should not be set to http

Description

Communication from an ELB to EC2 instances should be encrypted to help prevent unauthorized access to data. To protect data in transit, ELB listener protocol should not be set to HTTP.

Remediation Steps

AWS Console

  • Navigate to EC2.

  • Follow the steps described here.

AWS CLI

  • List all of your load balancers to determine all of their names:

    • aws elb describe-load-balancers

  • Get a list of all SSL certificate ARNs available via AWS ACM:

    • aws acm list-certificates --region <region>

  • Also get a list of all SSL certificate ARNs available via AWS IAM:

    • aws iam list-server-certificates

  • Create a new HTTPS listener for any load balancer that needs it, using one of the SSL certificate ARNs previously listed:

    • aws elb create-load-balancer-listeners --region <region> --load-balancer-name <load_balancer_name> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<ssl_certificate_arn>

      (The --listeners value must be a single comma-separated token with no spaces after the commas; a space splits it into separate arguments and the CLI rejects the call.)
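The detection half of the CLI procedure above, as an added example that is not part of the original page: it runs over a constructed `describe-load-balancers` response (made-up load balancer names and certificate ARNs, no real account data), flags every listener whose front-end Protocol is HTTP, and builds the `create-load-balancer-listeners` remediation command as an argv list so the `--listeners` token is assembled without the spacing mistake.

```python
import json
import shlex

# Constructed sample: a trimmed `aws elb describe-load-balancers` response.
# Names, ports and certificate ARNs are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "web-elb",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80}},
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTP", "InstancePort": 80,
                              "SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE"}},
            ],
        },
        {
            "LoadBalancerName": "api-elb",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTPS", "InstancePort": 443,
                              "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/EXAMPLE"}},
            ],
        },
    ]
})


def find_http_listeners(describe_output_json):
    """Return [(load_balancer_name, load_balancer_port)] for every listener
    whose front-end Protocol is HTTP (case-insensitive), i.e. every
    listener this check would flag."""
    data = json.loads(describe_output_json)
    findings = []
    for lb in data.get("LoadBalancerDescriptions", []):
        name = lb["LoadBalancerName"]
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            if listener.get("Protocol", "").upper() == "HTTP":
                findings.append((name, listener["LoadBalancerPort"]))
    return findings


def https_listener_command(region, lb_name, cert_arn, lb_port=443,
                           instance_protocol="HTTP", instance_port=80):
    """Build the remediation command from the page as an argv list.
    The --listeners value is joined with bare commas: a space after a
    comma would split it into separate shell arguments."""
    listener = ",".join([
        "Protocol=HTTPS",
        f"LoadBalancerPort={lb_port}",
        f"InstanceProtocol={instance_protocol}",
        f"InstancePort={instance_port}",
        f"SSLCertificateId={cert_arn}",
    ])
    return ["aws", "elb", "create-load-balancer-listeners",
            "--region", region,
            "--load-balancer-name", lb_name,
            "--listeners", listener]


if __name__ == "__main__":
    # Report each flagged listener together with the command that adds an
    # HTTPS listener beside it (certificate ARN left as a placeholder).
    for lb_name, port in find_http_listeners(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{lb_name}: HTTP listener on port {port}")
        cmd = https_listener_command("us-east-1", lb_name, "<ssl_certificate_arn>")
        print("  remediation:", shlex.join(cmd))
```

Note that `create-load-balancer-listeners` only adds the HTTPS listener; the HTTP listener on port 80 stays and will keep tripping this check until it is removed (the classic ELB CLI has `aws elb delete-load-balancer-listeners --load-balancer-name <load_balancer_name> --load-balancer-ports 80` for that), so run the detection again after remediation.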

Terraform

  • Ensure that the aws_elb does not have any listener blocks with the lb_protocol field set to "http".

Example Configuration

resource "aws_elb" "example" {
  name               = "example-elb"
  availability_zones = ["us-east-1a"] # or subnets = [...] for a VPC ELB

  listener {
    instance_port      = 80
    instance_protocol  = "http"   # back-end protocol, as in the CLI step above
    lb_port            = 443
    lb_protocol        = "https"  # front-end protocol must not be "http"
    ssl_certificate_id = "<ssl_certificate_arn>" # ACM or IAM certificate ARN
  }
}