Rule: ELB Application and Network Load Balancers SSL Requirement
This rule emphasizes that ELB application and network load balancers should exclusively utilize SSL or HTTPS listeners.
| Rule | ELB application and network load balancers should only use SSL or HTTPS listeners |
| Framework | CISA-cyber-essentials |
| Severity | ✔ High |
Rule Description:
According to the CISA Cyber Essentials guidelines, Elastic Load Balancers (ELB) should only utilize SSL or HTTPS listeners. This rule ensures that all traffic passing through the load balancer is encrypted, enhancing the security and protection of sensitive data.
Troubleshooting Steps:
- 1.Verify Load Balancer Configuration:
- Check the load balancer configuration to confirm that SSL or HTTPS listeners are enabled.
- Ensure that any non-encrypted listeners (HTTP) are disabled or not present.
- 1.Check Listener Settings:
- Verify that SSL certificates are properly configured for SSL or HTTPS listeners.
- Ensure that the correct certificate is being utilized, and it is associated with the appropriate listener.
- Make sure the SSL/TLS protocols and cipher suites are appropriately configured for secure communication.
- 1.Review Security Group Settings:
- Validate that the security groups associated with the load balancer allow appropriate traffic for SSL or HTTPS listeners.
- Confirm that port 443 (HTTPS) is open for inbound traffic.
- 1.Check Backend Server Configuration:
- Ensure that backend servers are configured to handle SSL or HTTPS traffic.
- Verify that the necessary SSL certificates are installed on the backend servers.
- Check that servers are correctly listening on port 443 (or the specified SSL port) and have appropriate firewall rules allowing inbound traffic.
Necessary Codes:
No specific codes are required for this rule. However, configuration changes may be necessary using AWS CLI or AWS Console.
Step-by-Step Guide for Remediation:
- 1.
Open the AWS Management Console and navigate to the EC2 Dashboard.
- 2.
Click on "Load Balancers" in the navigation pane on the left.
- 3.
Choose the ELB (application or network) for which you want to enforce SSL or HTTPS listeners.
- 4.
In the "Listeners" tab, verify that HTTPS or SSL listeners are present, and HTTP listeners are disabled or removed.
- 5.
Ensure that SSL certificates are correctly configured for each HTTPS or SSL listener. If not, follow the certificate installation guidelines provided by the Certificate Authority.
- 6.
Review and adjust SSL/TLS protocols and cipher suites as per your security requirements. Generally, it is recommended to disable insecure protocols (SSLv3, TLSv1.0) and weak ciphers.
- 7.
Confirm that the security groups associated with the load balancer allow incoming traffic on port 443 (HTTPS).
- 8.
Validate that your backend servers are configured to handle SSL or HTTPS traffic. Install SSL certificates on the servers accordingly.
- 9.
Verify that your backend servers are listening on port 443 (or the specified SSL port) and have appropriate firewall rules allowing inbound traffic.
- 10.
Test the load balancer configuration by accessing your application using the load balancer endpoint with HTTPS. Make sure the connection is secure and functioning correctly.
By following these steps, you can ensure that your ELB adheres to the CISA Cyber Essentials policy by only utilizing SSL or HTTPS listeners.