Amazon_EC2_4

Ensure All ELB have SSL/TLS Certificate attached

Description

When you use HTTPS for your front-end listener, you must deploy an SSL/TLS certificate on your load balancer. The load balancer uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the back-end instances. The TLS protocol uses an X.509 certificate (SSL/TLS server certificate) to authenticate both the client and the back-end application. An X.509 certificate is a digital form of identification issued by a trusted certificate authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer.
You can create a certificate using a third-party certificate authority or AWS Certificate Manager.

  • Note: an SSL certificate configured on the ELB is not mandatory if you are
    terminating SSL connections directly on the EC2 instances, and using a
    TCP listener on the ELB (TCP pass-through)

Remediation

Using the Amazon unified command line interface:

  • Adding an HTTPS listener configured with an SSL/TLS certificate (the listener forwards traffic to the backend instances on port 80, but this can be modified by editing InstancePort=80):
    aws elb create-load-balancer-listeners --load-balancer-name <web_tier_elb> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<ssl_certificate_arn>
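An added audit script for this rule (example code written here, not part of the original page or of any AWS tool): it parses the JSON printed by the describe-load-balancers call in reference 2 and reports classic ELB listeners that lack a certificate. It assumes the standard JSON shape of that command's output; treating a plaintext HTTP front-end listener as a finding is this example's reading of the rule, and TCP listeners are accepted as pass-through per the note above.

```python
"""Audit classic ELB listeners for the Amazon_EC2_4 rule.

Reads the JSON printed by `aws elb describe-load-balancers` (reference 2),
e.g.: aws elb describe-load-balancers | python audit_elb_listeners.py
"""
import json
import sys

# Front-end protocols that terminate TLS on the load balancer and so must
# carry a certificate ARN.
TLS_PROTOCOLS = {"HTTPS", "SSL"}


def audit_listeners(describe_output):
    """Return (elb_name, front-end port, finding) for each listener that fails
    the rule. TCP listeners are not flagged: per the note above, TLS may be
    terminated on the instances (pass-through) without an ELB certificate."""
    findings = []
    for elb in describe_output.get("LoadBalancerDescriptions", []):
        name = elb["LoadBalancerName"]
        for desc in elb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            proto = listener["Protocol"].upper()
            port = listener["LoadBalancerPort"]
            if proto in TLS_PROTOCOLS and not listener.get("SSLCertificateId"):
                findings.append((name, port, f"{proto} listener has no certificate"))
            elif proto == "HTTP":
                findings.append((name, port, "plaintext HTTP front-end listener"))
    return findings


# Constructed sample in the shape of describe-load-balancers output; names and
# the certificate ARN are placeholders, not real resources.
SAMPLE = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "web-tier-elb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80,
                      "SSLCertificateId": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
    {"LoadBalancerName": "tcp-passthrough-elb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 443,
                      "InstanceProtocol": "TCP", "InstancePort": 443}}]}]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, port, finding in audit_listeners(data):
        print(f"{name}:{port} {finding}")
```

Run it with no input to audit the embedded sample, or pipe real describe-load-balancers output into it to audit an account.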


References:

  1. http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-add-or-delete-listeners.html#add-listener-cli
  2. http://docs.aws.amazon.com/cli/latest/reference/elb/describe-load-balancers.html

Service

EC2

Severity

High

Compliance

Mapping
