Load balancer endpoint does not enforce HTTPS Affecting ELB service in AWS


Severity

0.0
critical
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Keys and Secrets / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls CSA-CCM GDPR HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00311
  • credit Snyk Research Team

Description

The content could be intercepted and manipulated in transit.

How to fix?

Set the load balancer listener protocol attribute to HTTPS or TLS.

Example Configuration

resource "aws_lb_listener" "https" {
  load_balancer_arn = "arn:aws:iam::123456789012:lb"
  port              = "443"
  protocol          = "HTTPS"

  default_action {
    type = "forward"
  }
}