ELB Should Accept HTTPS Connections Only

More Info:

ELB should be configured to block HTTP connection and allow only HTTPS connections.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, GDPR, NIST, SOC2, PCIDSS, AWSWAF, HITRUST, NISTCSF, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the ELB accepting only HTTPS connections in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Run the following command to describe the current configuration of the ELB:

aws elb describe-load-balancers --load-balancer-name <ELB_NAME>

Replace <ELB_NAME> with the name of your ELB.

Check if the ELB is currently accepting both HTTP and HTTPS connections. If it is, you need to modify the listener to accept HTTPS connections only.
Run the following command to modify the listener to accept HTTPS connections only:

aws elb modify-load-balancer-attributes --load-balancer-name <ELB_NAME> --load-balancer-attributes "{\"LoadBalancerAttributes\":{\"ConnectionSettings\":{\"IdleTimeout\":3600},\"AccessLog\":{\"Enabled\":false},\"ConnectionDraining\":{\"Enabled\":false},\"CrossZoneLoadBalancing\":{\"Enabled\":false},\"SecurityGroups\":[\"<SECURITY_GROUP_ID>\"],\"AdditionalAttributes\":[{\"Key\":\"listener.sslPolicy\",\"Value\":\"ELBSecurityPolicy-2016-08\"}],\"Listeners\":[{\"Protocol\":\"HTTPS\",\"LoadBalancerPort\":443,\"InstanceProtocol\":\"HTTP\",\"InstancePort\":80}]}}"

Replace <ELB_NAME> with the name of your ELB and <SECURITY_GROUP_ID> with the ID of the security group that the ELB should use.

Verify that the ELB is now accepting HTTPS connections only by running the following command:

aws elb describe-load-balancers --load-balancer-name <ELB_NAME>

The output should show that the listener is now configured to accept HTTPS connections only.Note: Make sure to replace <ELB_NAME> and <SECURITY_GROUP_ID> with the appropriate values for your ELB.

Using Python

To remediate the misconfiguration “ELB Should Accept HTTPS Connections Only” for AWS using python, you can follow the below steps:

Import the necessary libraries:

import boto3

Create an AWS ELB client:

elb_client = boto3.client('elbv2')

Get the list of all the load balancers:

lb_list = elb_client.describe_load_balancers()

Iterate through the list of load balancers and update the listener protocol to HTTPS:

for lb in lb_list['LoadBalancers']:
    lb_arn = lb['LoadBalancerArn']
    listener_list = elb_client.describe_listeners(LoadBalancerArn=lb_arn)
    for listener in listener_list['Listeners']:
        if listener['Protocol'] != 'HTTPS':
            elb_client.modify_listener(
                ListenerArn=listener['ListenerArn'],
                Protocol='HTTPS'
            )

Verify that the listener protocol has been updated to HTTPS:

listener_list = elb_client.describe_listeners(LoadBalancerArn=lb_arn)
for listener in listener_list['Listeners']:
    if listener['Protocol'] != 'HTTPS':
        print('Listener protocol not updated to HTTPS')
    else:
        print('Listener protocol updated to HTTPS')

By following the above steps, the misconfiguration “ELB Should Accept HTTPS Connections Only” can be remediated for AWS using python.

Additional Reading:

https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-options.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

ELB Should Accept HTTPS Connections Only

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: