1.14 Ensure App Tier ELB is using HTTPS listener

Information

A load balancer takes requests from clients and distributes them across the EC2 instances that are registered with the load balancer (also known as back-end instances).

A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections.

* Note: an HTTPS listener configured on the ELB is not mandatory if you are terminating SSL connections directly on the App Tier EC2 instances, and using a TCP listener on the ELB (TCP pass-through)
Using an HTTPS Elastic Load Balancer listener will make sure the application traffic between the client and the App Tier ELB is encrypted over the SSL\TLS channel.

Solution

Using the Amazon unified command line interface:

* If the ListenerDescription field is missing, add a new HTTPS listener configured with a SSL\TLS certificate (the listener forwards traffic to the backend instances on port 80, but this can be modified by editing InstancePort=80):

aws elb create-load-balancer-listeners --load-balancer-name <app_tier_elb> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80, SSLCertificateId=<ssl_certificate_arn>

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3(1)

Plugin: amazon_aws

Control ID: c0fc387f0cf0720b2cf4b8d53101c0c92e0395b627065bf117b14d46059216cc