ELBv1 listener protocol should not be set to http

Description

Communication from an ELB to EC2 instances should be encrypted to help prevent unauthorized access to data. To protect data in transit, ELB listener protocol should not be set to HTTP.

Console Remediation Steps

  • Navigate to EC2.

  • Follow the steps described here.

CLI Remediation Steps

  • List all of your load balancers to determine all of their names:

    • aws elb describe-load-balancers

  • Get a list of all SSL certificate ARNs available via AWS ACM:

    • aws acm list-certificates --region <region>

  • Also get a list of all SSL certificate ARNs available via AWS IAM:

    • aws iam list-server-certificates

  • Create a new HTTPS listener for any load balancer that needs it, using one of the SSL certificate ARNs previously listed:

    • aws elb create-load-balancer-listeners --region <region> --load-balancer-name <load_balancer_name> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<ssl_certificate_arn>
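The check and the remediation above, as an added example (not part of the original page): it runs the "listener protocol is HTTP" test over a constructed `describe-load-balancers` response and builds the CLI commands with correctly formed shorthand syntax. The load balancer names and certificate ARN are placeholders, `end_to_end` is an added option that assumes the instances themselves serve TLS, and the delete command goes one step beyond the page, since adding an HTTPS listener alone leaves the HTTP listener in place.

```python
import json
import shlex

# Constructed sample of `aws elb describe-load-balancers` output (placeholder names/ARN,
# not real account data): one HTTP listener, one HTTPS listener, one TCP listener.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"LoadBalancerDescriptions": [
    {"LoadBalancerName": "web-lb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80,
                      "SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE"}}]},
    {"LoadBalancerName": "tcp-lb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 22,
                      "InstanceProtocol": "TCP", "InstancePort": 22}}]}]})

def find_http_listeners(describe_output):
    """Return every Classic ELB listener whose front-end protocol is HTTP,
    tagged with its load balancer name (the page's check, run over JSON)."""
    findings = []
    for lb in json.loads(describe_output).get("LoadBalancerDescriptions", []):
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            if listener.get("Protocol", "").upper() == "HTTP":
                findings.append({"LoadBalancerName": lb["LoadBalancerName"], **listener})
    return findings

def https_listener_command(finding, region, cert_arn, end_to_end=False):
    """Build the create-load-balancer-listeners call for one finding.
    Shorthand syntax is one comma-separated argument with NO spaces after the
    commas (spaces would make the shell pass extra arguments). The default keeps
    the page's shape (TLS ends at the ELB, backend stays HTTP); end_to_end=True
    assumes the instance serves TLS on InstancePort and uses InstanceProtocol=HTTPS."""
    listener = ",".join(["Protocol=HTTPS", "LoadBalancerPort=443",
                         "InstanceProtocol=" + ("HTTPS" if end_to_end else "HTTP"),
                         "InstancePort=%d" % finding["InstancePort"],
                         "SSLCertificateId=" + cert_arn])
    return " ".join(["aws elb create-load-balancer-listeners",
                     "--region", shlex.quote(region),
                     "--load-balancer-name", shlex.quote(finding["LoadBalancerName"]),
                     "--listeners", shlex.quote(listener)])

def delete_http_listener_command(finding, region):
    """Remove the flagged HTTP listener so the check passes; creating the HTTPS
    listener alone leaves the HTTP port serving plaintext."""
    return " ".join(["aws elb delete-load-balancer-listeners",
                     "--region", shlex.quote(region),
                     "--load-balancer-name", shlex.quote(finding["LoadBalancerName"]),
                     "--load-balancer-ports", str(finding["LoadBalancerPort"])])
```

Run the create command before the delete command, and expect clients that still use plain HTTP to fail once the HTTP listener is gone.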