Enforce HTTPS For Elastic Beanstalk Load Balancers.
More Info:
Ensure that HTTPS is enabled for the load balancer associated with your Amazon Elastic Beanstalk application environment in order to handle encrypted web traffic. By default, the load balancer handles unencrypted traffic requests (HTTP) through port 80. To enable HTTPS traffic over port 443, you must create and configure an HTTPS listener for the associated load balancer.
Risk Level
High
Address
Security
Compliance Standards
SOC2, GDPR, PCIDSS, NIST, HITRUST, NISTCSF
Triage and Remediation
Remediation
To remediate the misconfiguration “Enforce HTTPS for Elastic Beanstalk Load Balancers” using the AWS console, follow these steps:
- Log in to your AWS Management Console.
- Navigate to the Elastic Beanstalk service.
- Select the environment that you want to remediate.
- Click on the “Configuration” tab in the left-hand menu.
- Scroll down to the “Load Balancer” section and click on “Edit”.
- In the “Listeners” section, click on the “Add listener” button.
- Select “HTTPS” as the protocol and enter the appropriate port number (usually 443).
- Choose the SSL certificate that you want to use from the drop-down list.
- In the “Rules” section, click on the “Add rule” button.
- Choose “Redirect HTTP to HTTPS” from the drop-down list.
- Click on the “Apply” button to save the changes.
- Wait for the environment to update and the changes to take effect.
Once these steps are completed, your Elastic Beanstalk Load Balancer will enforce HTTPS and redirect all HTTP traffic to HTTPS.
To enforce HTTPS for Elastic Beanstalk Load Balancers in AWS, you can follow the below steps using AWS CLI:
Step 1: Open the AWS CLI on your local machine.
Step 2: Run the following command to update the Elastic Beanstalk environment to use HTTPS. Both settings are passed to a single `--option-settings` argument; if the flag is repeated, only the last occurrence is applied:
```
aws elasticbeanstalk update-environment \
  --environment-name <your-environment-name> \
  --option-settings \
    Namespace=aws:elb:listener:443,OptionName=ListenerProtocol,Value=HTTPS \
    Namespace=aws:elb:listener:443,OptionName=SSLCertificateId,Value=<your-ssl-certificate-id>
```
Note: Replace `<your-environment-name>` with the name of your Elastic Beanstalk environment and `<your-ssl-certificate-id>` with the ID of your SSL certificate.
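Step 3: Run the following command to verify that the HTTPS listener is now configured:
```
aws elasticbeanstalk describe-configuration-settings \
  --application-name <your-application-name> \
  --environment-name <your-environment-name> \
  --query "ConfigurationSettings[0].OptionSettings[?Namespace=='aws:elb:listener:443']"
```
Note: Replace `<your-application-name>` and `<your-environment-name>` with the names of your Elastic Beanstalk application and environment.
This command returns the option settings of the port 443 listener; `ListenerProtocol` should be `HTTPS` and `SSLCertificateId` should hold your certificate. (The `describe-environment-resources` response has no `LoadBalancer.Url` field, so it cannot be used for this check.)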
By following the above steps, you can enforce HTTPS for Elastic Beanstalk Load Balancers in AWS using AWS CLI.
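The listener settings from Step 2 can also be audited in code. The following is an added example, not part of the original page: it checks an `OptionSettings` list of the shape returned by `describe-configuration-settings` and reports whether an HTTPS listener with a certificate exists and whether a port 80 listener is still enabled. It goes beyond the page's Classic Load Balancer namespace by also covering the `aws:elbv2` listener namespaces; the function names and sample settings are constructed for illustration.

```python
# Added example (not from the original page): audit Elastic Beanstalk
# option settings for HTTPS enforcement. Input is an OptionSettings list
# shaped like the output of describe-configuration-settings.

# Port 443 listener namespace -> (protocol option, certificate option).
HTTPS_NS = {
    "aws:elb:listener:443": ("ListenerProtocol", "SSLCertificateId"),  # Classic
    "aws:elbv2:listener:443": ("Protocol", "SSLCertificateArns"),      # ALB
}
# Namespaces that configure the plain-HTTP listener on port 80.
HTTP_NS = ("aws:elb:listener", "aws:elb:listener:80",
           "aws:elbv2:listener:default", "aws:elbv2:listener:80")


def audit_https(option_settings):
    """Return a list of findings; an empty list means only HTTPS is served."""
    opts = {}
    for s in option_settings:
        opts.setdefault(s["Namespace"], {})[s["OptionName"]] = s.get("Value") or ""

    def enabled(ns):
        # Assumption: a listener counts as enabled unless ListenerEnabled is "false".
        return opts[ns].get("ListenerEnabled", "true").lower() != "false"

    findings = []
    https_ok = any(
        ns in opts and enabled(ns)
        and opts[ns].get(proto, "").upper() == "HTTPS" and opts[ns].get(cert)
        for ns, (proto, cert) in HTTPS_NS.items()
    )
    if not https_ok:
        findings.append("no enabled HTTPS listener with a certificate on port 443")
    for ns in HTTP_NS:
        if ns in opts and enabled(ns):
            findings.append(f"{ns}: HTTP listener on port 80 is still enabled")
    return findings


def opt(ns, name, value):  # builds one constructed sample setting
    return {"Namespace": ns, "OptionName": name, "Value": value}

# Constructed sample: only the 443 listener was added (as in Step 2).
AFTER_CLI_STEP = [
    opt("aws:elb:listener:443", "ListenerProtocol", "HTTPS"),
    opt("aws:elb:listener:443", "SSLCertificateId",
        "arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE"),  # placeholder ARN
    opt("aws:elb:listener:80", "ListenerEnabled", "true"),
]
# Constructed sample: same environment with the port 80 listener disabled.
HARDENED = AFTER_CLI_STEP[:2] + [opt("aws:elb:listener:80", "ListenerEnabled", "false")]
```

A port 80 finding needs review rather than automatic remediation: a redirect rule created directly on an Application Load Balancer is not visible in the option settings.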
To remediate the misconfiguration “Enforce HTTPS for Elastic Beanstalk Load Balancers” in AWS using Python, you can follow the steps below:
- Open the AWS Management Console and navigate to the Elastic Beanstalk environment that needs to be remediated.
- Click on the “Configuration” tab and then click on the “Load Balancer” section.
- Under the “Listeners” section, click on the “Edit” button.
- In the “Add listener” dialog box, select “HTTPS” from the “Protocol” dropdown menu.
- Select the SSL certificate that you want to use from the “SSL certificate ID” dropdown menu.
- Click on the “Add” button to add the HTTPS listener.
- Under the “Rules” section, click on the “Edit” button.
- In the “Add rule” dialog box, select “HTTPS” from the “Protocol” dropdown menu.
- In the “Path” field, enter “/*”.
- In the “Redirect to” field, enter “https://#{host}:#{port}/#{path}?#{query}”.
- Click on the “Add” button to add the HTTPS redirect rule.
- Click on the “Apply” button to save the changes.
To automate the above steps using Python, you can use the AWS SDK for Python (Boto3). Here’s an example code snippet to enforce HTTPS for an Elastic Beanstalk Load Balancer:
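```python
import boto3

# Credentials are taken from boto3's default credential chain (environment
# variables, shared config/credentials files, or an attached IAM role).
# Do not hard-code access keys in the script.

# Replace with the name of your Elastic Beanstalk environment
environment_name = 'YOUR_ELASTIC_BEANSTALK_ENVIRONMENT_NAME'
# Replace with the ARN of your SSL certificate
certificate_arn = 'YOUR_SSL_CERTIFICATE_ARN'

# Create an Elastic Beanstalk client
eb_client = boto3.client('elasticbeanstalk')

# Get the Elastic Beanstalk environment resources
resources = eb_client.describe_environment_resources(
    EnvironmentName=environment_name
)['EnvironmentResources']

# Get the Load Balancer ARN (for an Application Load Balancer the
# "Name" field holds the ARN)
load_balancer_arn = resources['LoadBalancers'][0]['Name']

# Create an Elastic Load Balancing client
elb_client = boto3.client('elbv2')

# create_listener requires a default action, so look up the target group
# that the load balancer already forwards to
target_group_arn = elb_client.describe_target_groups(
    LoadBalancerArn=load_balancer_arn
)['TargetGroups'][0]['TargetGroupArn']

# Create the HTTPS listener
elb_client.create_listener(
    LoadBalancerArn=load_balancer_arn,
    Protocol='HTTPS',
    Port=443,
    # Policy that allows TLS 1.2 and 1.3 only; ELBSecurityPolicy-2016-08
    # still accepts TLS 1.0 and 1.1
    SslPolicy='ELBSecurityPolicy-TLS13-1-2-2021-06',
    Certificates=[{'CertificateArn': certificate_arn}],
    DefaultActions=[{'Type': 'forward', 'TargetGroupArn': target_group_arn}],
)

# The redirect belongs on the existing HTTP listener (port 80), not on the
# HTTPS listener
listeners = elb_client.describe_listeners(
    LoadBalancerArn=load_balancer_arn
)['Listeners']
http_listener_arn = next(l['ListenerArn'] for l in listeners if l['Port'] == 80)

# Create the HTTPS redirect rule
elb_client.create_rule(
    ListenerArn=http_listener_arn,
    Priority=1,  # required; choose a priority not already used on this listener
    Conditions=[
        {
            'Field': 'path-pattern',
            'Values': ['/*']
        }
    ],
    Actions=[
        {
            'Type': 'redirect',
            'RedirectConfig': {
                'Protocol': 'HTTPS',
                'Port': '443',
                'StatusCode': 'HTTP_301',
                'Host': '#{host}',
                'Path': '/#{path}',
                'Query': '#{query}'
            }
        }
    ]
)
```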
Note: Replace the placeholders in the code with your own values. Also, make sure that you have installed the Boto3 library before running the code.