1.12 Ensure App Tier ELB have SSL\TLS Certificate attached

Information

When you use HTTPS for your front-end listener, you must deploy an SSL/TLS certificate on your load balancer. The load balancer uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the back-end instances.

The SSL\TLS protocol uses an X.509 certificate (SSL\TLS server certificate) to authenticate both the client and the back-end application. An X.509 certificate is a digital form of identification issued by a trusted certificate authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer.

You can create a certificate using a Third Party Certificate Authority, AWS Certificate Manager or a self signed certificate like OpenSSL.

* Note: an SSL certificate configured on the ELB is not mandatory if you are terminating SSL connections directly on the App Tier EC2 instances, and using a TCP listener on the ELB (TCP pass-through)
All the application traffic between the Web Tier instances and the App Tier ELB nodes should be encrypted using an SSL\TLS certificate.

Solution

Using the Amazon unified command line interface:

* Adding a HTTPS listener configured with a SSL\TLS certificate (the listener forwards traffic to the backend instances on port 80, but this can be modified by editing InstancePort=80):

aws elb create-load-balancer-listeners --load-balancer-name <app_tier_elb> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80, SSLCertificateId=<ssl_certificate_arn>

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: amazon_aws

Control ID: a6c8ddc6013a5ba67a67be1ec8edb4e3a5b68a2e2d894c7b436d9de331b50cde