ELBv1 listener protocol is set to http Affecting ELB service in AWS

Severity Framework Snyk CCSS

Rule category Data / Encryption in Transit

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-Controls CSA-CCM GDPR HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00150
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Communication with an Elastic Load Balancing (ELB) should be encrypted to help prevent unauthorized access to data. To protect data in transit, ELB listener protocol should not be set to HTTP.

How to fix?

Set the listener.lb_protocol attribute to https.

Example Configuration

resource "aws_elb" "web" {
  name            = "tf-test-elb"
  subnets         = ["${aws_subnet.tf_test_subnet.id}"]
  security_groups = ["${aws_security_group.elb.id}"]

  listener {
    instance_port      = 8000
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:80/"
    interval            = 30
  }


  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400
}

Terraform

Resource: aws_elb

References

Configure an HTTPS listener for your Classic Load Balancer