AWS Network Load Balancers (NLBs): Not Configured to Terminate TLS Traffic

Description:

Amazon Network Load Balancers (NLBs) provide the capability to distribute incoming traffic across multiple targets in a Virtual Private Cloud (VPC). When TLS termination is enabled on NLBs, it means the NLB is responsible for handling the TLS handshake and decrypting incoming traffic before sending it to the registered targets. This offloads the TLS termination workload from the backend instances/services and centralizes certificate management. If TLS termination is not configured on NLBs, backend services have to handle the decryption of the traffic, which can result in uneven loads and potential performance issues.


Remediation:

1. Configure TLS Termination on NLB:

To offload the decryption of TLS traffic from backend services, enable TLS termination on the NLB.

AWS Management Console:
  • Navigate to the Elastic Load Balancing dashboard.
  • Select your Network Load Balancer from the list.
  • Go to the Listeners tab.
  • Choose or add a listener for the desired port (commonly 443 for HTTPS).
  • Under Default actions, select "Forward to..." and choose the appropriate target group.
  • In the SSL Certificate section, select the ACM (AWS Certificate Manager) certificate you want to use.
AWS CLI:
aws elbv2 create-listener \
    --load-balancer-arn <Your-NLB-ARN> \
    --protocol TLS \
    --port 443 \
    --default-actions Type=forward,TargetGroupArn=<Your-Target-Group-ARN> \
    --certificates CertificateArn=<Your-ACM-Certificate-ARN>
Terraform:
resource "aws_lb_listener" "example" {
  load_balancer_arn = aws_lb.example.arn
  port              = 443
  protocol          = "TLS"

  certificate {
    certificate_arn = aws_acm_certificate.example.arn
  }

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn
  }
}

2. Regularly Rotate and Manage Certificates:

  • Use AWS Certificate Manager (ACM) to manage the SSL/TLS certificates. ACM can handle certificate renewals automatically.
  • Regularly audit certificates to ensure they're valid and haven't been compromised.

3. Policy and Training:

  • Ensure your team understands the benefits and procedures for TLS termination on NLBs. This helps in consistent configuration across all load balancers and backend services.
  • Create guidelines for setting up new NLBs, ensuring they are always configured with TLS termination.

Enabling TLS termination on Network Load Balancers optimizes the performance of backend services by offloading the decryption workload. It also simplifies the management of SSL/TLS certificates and provides centralized control over TLS configurations. Ensure to adopt this best practice for enhanced security and performance.