ELBv1 listener protocol is set to http Affecting ELB service in AWS


Severity

0.0
critical
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Data / Encryption in Transit

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    AWS-Well-Architected CIS-Controls CSA-CCM GDPR HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00150
  • credit Snyk Research Team

Description

Communication with an Elastic Load Balancing (ELB) should be encrypted to help prevent unauthorized access to data. To protect data in transit, ELB listener protocol should not be set to HTTP.

How to fix?

Set the listener.lb_protocol attribute to https.

Example Configuration

resource "aws_elb" "web" {
  name            = "tf-test-elb"
  subnets         = ["${aws_subnet.tf_test_subnet.id}"]
  security_groups = ["${aws_security_group.elb.id}"]

  listener {
    instance_port      = 8000
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:80/"
    interval            = 30
  }


  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400
}

Terraform