AWS Elastic Load Balancer: Traffic to Load Balancers is not encrypted

Description:

AWS Elastic Load Balancing (ELB) distributes incoming application or network traffic across multiple targets, such as EC2 instances, containers, and IP addresses. A load balancer with a plaintext listener (HTTP on an Application Load Balancer, TCP or UDP on a Network Load Balancer) accepts client traffic that anyone on the network path can read or modify in transit, exposing session tokens, credentials and other sensitive data to eavesdropping, tampering and unauthorized access. This finding concerns the client-facing listener; traffic from the load balancer to its targets is encrypted separately by using an HTTPS or TLS target group.


Remediation:

1. Enable SSL/TLS encryption on your ELB:

AWS Management Console:
  • Navigate to the Elastic Load Balancing service.
  • Select your Load Balancer from the list.
  • In the Listeners tab, select the listener you want to modify.
  • Change the listener protocol to "HTTPS" (Application Load Balancer) or "TLS" (Network Load Balancer), or add a new HTTPS/TLS listener on port 443 alongside the existing plaintext listener.
  • Specify an SSL certificate. You can use an ACM-managed certificate or upload your own to ACM or IAM.
  • Choose a security policy that defines the protocols and ciphers the load balancer will negotiate; pick one that only allows TLS 1.2 or later.
AWS CLI:
aws elbv2 modify-listener \
    --listener-arn "arn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/load-balancer-id/listener-id" \
    --protocol HTTPS \
    --port 443 \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --certificates CertificateArn="arn:aws:acm:region:account-id:certificate/certificate-id"

Replace the placeholder ARNs with your own. ELBSecurityPolicy-TLS13-1-2-2021-06 is a predefined policy that negotiates only TLS 1.2 and 1.3; older predefined policies such as ELBSecurityPolicy-2016-08 still accept TLS 1.0 and 1.1. If the load balancer's only listener is HTTP, create a separate HTTPS listener on port 443 with "aws elbv2 create-listener" instead of converting it, so the HTTP listener can be kept and turned into a redirect in step 2. This encrypts the client-to-load-balancer hop only; set the target group protocol to HTTPS or TLS to encrypt traffic to the targets as well.

2. Redirect HTTP traffic to HTTPS:

Once an HTTPS listener exists, reconfigure the HTTP listener on an Application Load Balancer so that every plaintext request is answered with a redirect to HTTPS rather than forwarded to a target. The first request still travels in plaintext, so have the application also send a Strict-Transport-Security header so returning browsers never use HTTP again. Network Load Balancer listeners cannot redirect; remove or restrict the plaintext TCP/UDP listener instead.

AWS Management Console:
  • Navigate to the Elastic Load Balancing service.
  • Select your Load Balancer from the list.
  • In the Listeners tab, select the HTTP listener.
  • Choose "View/edit rules for selected listener".
  • Edit the default action (or add a rule) to redirect to HTTPS on port 443 with status code 301, keeping the original host, path and query.
AWS CLI:
aws elbv2 modify-listener \
    --listener-arn "arn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/load-balancer-id/http-listener-id" \
    --default-actions Type=redirect,RedirectConfig="{Protocol=HTTPS,Port=443,StatusCode=HTTP_301}"

This replaces the HTTP listener's default action, so it applies to every request regardless of path; a redirect action cannot be combined with a TargetGroupArn. Verify with a plaintext request, which should return "301 Moved Permanently" and a Location header starting with https://:

curl -sI http://your-load-balancer-dns-name/ | head -n 3

3. Monitoring and Auditing:

  • Enable ELB access logs (delivered to S3) and use them to confirm that client requests arrive over https rather than http; CloudTrail records the control-plane calls, so alert on CreateListener, ModifyListener and DeleteListener events that introduce or restore a plaintext listener.
  • Use an AWS Config managed rule such as alb-http-to-https-redirection-check, or your own scheduled audit of describe-listeners output, to detect listeners that drift back to HTTP, TCP or UDP or to a security policy that still allows TLS 1.0 or 1.1.
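The following audit script is an added example, not code from the original page or from AWS. It serves steps 1 to 3 above: it takes the "Listeners" list in the shape returned by "aws elbv2 describe-listeners" (the same structure boto3 returns), flags listeners that accept plaintext or use a legacy SSL policy, and builds the redirect default action used in step 2. The ARNs, the sample listeners and the list of legacy policy names are constructed for illustration; check the current AWS security-policy table for your account.

```python
"""Audit ELBv2 listeners for unencrypted traffic (added example, not AWS code).

Usage: aws elbv2 describe-listeners --load-balancer-arn <arn> | python audit_elb.py
With no stdin it runs against the constructed SAMPLE_LISTENERS below.
"""
import json
import sys

ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS"}

# Predefined policies that still negotiate TLS 1.0/1.1.  Illustrative, not
# exhaustive: the authoritative list is the AWS security-policy table.
LEGACY_SSL_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-2015-05",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}


def https_redirect_action(port="443", status_code="HTTP_301"):
    """Default action that sends an HTTP listener's traffic to HTTPS while
    keeping host, path and query (the #{...} placeholders are ALB syntax).
    Pass the result as DefaultActions to modify-listener / modify_listener."""
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS", "Port": port, "Host": "#{host}",
            "Path": "/#{path}", "Query": "#{query}", "StatusCode": status_code,
        },
    }


def is_https_redirect(action):
    """True if an action is a 301/302 redirect whose target scheme is HTTPS."""
    cfg = action.get("RedirectConfig", {})
    return (action.get("Type") == "redirect"
            and cfg.get("Protocol") == "HTTPS"
            and cfg.get("StatusCode") in ("HTTP_301", "HTTP_302"))


def audit_listeners(listeners):
    """Return one finding per listener that carries or permits plaintext.

    HTTPS/TLS listeners pass unless they use a legacy SSL policy.  An HTTP
    listener passes only if every default action is an HTTPS redirect (the
    sanctioned pattern from step 2).  Anything else (HTTP forwarding, TCP,
    UDP, TCP_UDP) means the load balancer accepts unencrypted traffic.
    """
    findings = []
    for lst in listeners:
        proto = lst.get("Protocol")
        base = {"ListenerArn": lst.get("ListenerArn"),
                "Port": lst.get("Port"), "Protocol": proto}
        if proto in ENCRYPTED_PROTOCOLS:
            if lst.get("SslPolicy") in LEGACY_SSL_POLICIES:
                findings.append({**base, "Issue":
                                 f"legacy SSL policy {lst['SslPolicy']} allows TLS < 1.2"})
            continue
        actions = lst.get("DefaultActions", [])
        if proto == "HTTP" and actions and all(is_https_redirect(a) for a in actions):
            continue  # plaintext listener exists only to redirect: acceptable
        findings.append({**base, "Issue": f"{proto} listener accepts unencrypted traffic"})
    return findings


# Constructed sample (fake account 111122223333): a compliant web ALB with
# HTTPS plus a redirecting HTTP listener, an api ALB still forwarding plain
# HTTP, and an old ALB whose HTTPS listener uses a legacy policy.
_ELB = "arn:aws:elasticloadbalancing:us-east-1:111122223333"
SAMPLE_LISTENERS = [
    {"ListenerArn": f"{_ELB}:listener/app/web/abc123/https1", "Port": 443,
     "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": f"{_ELB}:targetgroup/web/tg1"}]},
    {"ListenerArn": f"{_ELB}:listener/app/web/abc123/http1", "Port": 80,
     "Protocol": "HTTP", "DefaultActions": [https_redirect_action()]},
    {"ListenerArn": f"{_ELB}:listener/app/api/def456/http1", "Port": 80,
     "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": f"{_ELB}:targetgroup/api/tg2"}]},
    {"ListenerArn": f"{_ELB}:listener/app/old/ghi789/https1", "Port": 443,
     "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/old"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": f"{_ELB}:targetgroup/old/tg3"}]},
]

if __name__ == "__main__":
    data = {"Listeners": SAMPLE_LISTENERS} if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_listeners(data["Listeners"]):
        print(f"{f['Protocol']}:{f['Port']}  {f['Issue']}  ({f['ListenerArn']})")
```

Run against the sample, the script reports only the api ALB's forwarding HTTP listener and the old ALB's legacy policy; the web ALB's HTTP listener is accepted because its sole default action is an HTTPS redirect. Piping real describe-listeners output through it on a schedule gives the drift check described in step 3.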

4. Policy and Training:

  • Ensure that all team members understand the importance of encrypting traffic to and from the Elastic Load Balancer. Regularly review and update policies, and conduct training sessions to reinforce these best practices.

Encrypting traffic to and from your Elastic Load Balancer is vital for safeguarding data integrity and confidentiality. By enabling SSL/TLS encryption, you help prevent potential data breaches and ensure that your application's data is protected from threats.