Enforce HTTPS For Elastic Beanstalk Load Balancers.

More Info:

Ensure that HTTPS is enabled for the load balancer associated with your Amazon Elastic Beanstalk application environment in order to handle encrypted web traffic. By default, the load balancer handles unencrypted traffic requests (HTTP) through port 80. To enable HTTPS traffic over port 443, you must create and configure an HTTPS listener for the associated load balancer.

Risk Level

High

Address

Security

Compliance Standards

SOC2, GDPR, PCIDSS, NIST, HITRUST, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To enforce HTTPS for Elastic Beanstalk Load Balancers in AWS, you can follow the below steps using AWS CLI:Step 1: Open the AWS CLI on your local machine.Step 2: Run the following command to update the Elastic Beanstalk environment to use HTTPS:

aws elasticbeanstalk update-environment --environment-name <your-environment-name> --option-settings Namespace=aws:elb:listener:443,OptionName=ListenerProtocol,Value=HTTPS --option-settings Namespace=aws:elb:listener:443,OptionName=SSLCertificateId,Value=<your-ssl-certificate-id>

Note: Replace <your-environment-name> with the name of your Elastic Beanstalk environment and <your-ssl-certificate-id> with the ID of your SSL certificate.Step 3: Run the following command to verify that HTTPS is now enforced:

aws elasticbeanstalk describe-environment-resources --environment-name <your-environment-name> --query "EnvironmentResources.LoadBalancer.Url"

Note: Replace <your-environment-name> with the name of your Elastic Beanstalk environment.This command will return the URL of the Elastic Beanstalk Load Balancer with HTTPS protocol.By following the above steps, you can enforce HTTPS for Elastic Beanstalk Load Balancers in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Enforce HTTPS for Elastic Beanstalk Load Balancers” in AWS using Python, you can follow the below steps:

Open the AWS Management Console and navigate to the Elastic Beanstalk environment that needs to be remediated.
Click on the “Configuration” tab and then click on the “Load Balancer” section.
Under the “Listeners” section, click on the “Edit” button.
In the “Add listener” dialog box, select “HTTPS” from the “Protocol” dropdown menu.
Select the SSL certificate that you want to use from the “SSL certificate ID” dropdown menu.
Click on the “Add” button to add the HTTPS listener.
Under the “Rules” section, click on the “Edit” button.
In the “Add rule” dialog box, select “HTTPS” from the “Protocol” dropdown menu.
In the “Path” field, enter ”/*”.
In the “Redirect to” field, enter “https://#:#/#?#”.
Click on the “Add” button to add the HTTPS redirect rule.
Click on the “Apply” button to save the changes.

To automate the above steps using Python, you can use the AWS SDK for Python (Boto3). Here’s an example code snippet to enforce HTTPS for an Elastic Beanstalk Load Balancer:

import boto3

# Replace with your AWS access key ID and secret access key
aws_access_key_id = 'YOUR_AWS_ACCESS_KEY_ID'
aws_secret_access_key = 'YOUR_AWS_SECRET_ACCESS_KEY'

# Replace with the name of your Elastic Beanstalk environment
environment_name = 'YOUR_ELASTIC_BEANSTALK_ENVIRONMENT_NAME'

# Create an Elastic Beanstalk client
eb_client = boto3.client('elasticbeanstalk', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key)

# Get the Elastic Beanstalk environment details
environment = eb_client.describe_environments(EnvironmentNames=[environment_name])['Environments'][0]

# Get the Load Balancer ARN
load_balancer_arn = environment['LoadBalancers'][0]['Name']

# Create an Elastic Load Balancing client
elb_client = boto3.client('elbv2', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key)

# Create the HTTPS listener
elb_client.create_listener(
    LoadBalancerArn=load_balancer_arn,
    Protocol='HTTPS',
    Port=443,
    SslPolicy='ELBSecurityPolicy-2016-08',
    Certificates=[
        {
            'CertificateArn': 'YOUR_SSL_CERTIFICATE_ARN'
        }
    ]
)

# Create the HTTPS redirect rule
elb_client.create_rule(
    ListenerArn='YOUR_HTTPS_LISTENER_ARN',
    Conditions=[
        {
            'Field': 'path-pattern',
            'Values': [
                '/*'
            ]
        }
    ],
    Actions=[
        {
            'Type': 'redirect',
            'RedirectConfig': {
                'Protocol': 'HTTPS',
                'Port': '443',
                'StatusCode': 'HTTP_301',
                'Host': '#{host}',
                'Path': '/#{path}',
                'Query': '#{query}'
            }
        }
    ]
)

Note: Replace the placeholders in the code with your own values. Also, make sure that you have installed the Boto3 library before running the code.

Additional Reading:

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Enforce HTTPS For Elastic Beanstalk Load Balancers.

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: