This rule ensures ELB application load balancers redirect HTTP requests to HTTPS for enhanced security.
| Rule | ELB application load balancers should redirect HTTP requests to HTTPS |
|---|---|
| Framework | FedRAMP Moderate Revision 4 |
| Severity | Medium |
Rule Description:
Application Load Balancers (ALBs) in AWS Elastic Load Balancing should redirect every request that arrives on an HTTP listener to HTTPS, so that traffic between clients and the load balancer is encrypted in transit, as the FedRAMP Moderate Revision 4 baseline requires. Two caveats apply. The redirect covers only the client-to-ALB hop; the hop from the ALB to its targets is governed by the target group's protocol, not by this rule. And the client's first request still travels in plaintext (including any cookies it carries) before the 301 arrives, so the redirect should be paired with an HSTS header from the application so that returning browsers go straight to HTTPS.
Troubleshooting Steps:
If HTTP requests are not being redirected to HTTPS, work through the following checks:
Verify the ALB listeners: The ALB needs a listener on port 80 (HTTP), which is where the redirect is configured, and a listener on port 443 (HTTPS), which is where it sends clients. If the port 80 listener is missing there is nothing to redirect and plain http:// requests simply fail to connect; that technically satisfies the control but breaks users and links that still use http://.
Check the redirect action: On the HTTP:80 listener, the default action should be a redirect to protocol HTTPS, port 443, with status code HTTP_301 (a 302 is accepted, but 301 lets clients cache the upgrade). Also inspect every other rule on that listener: a higher-priority rule that forwards to a target group, or a redirect whose protocol is the placeholder #{protocol} rather than the literal HTTPS, leaves some requests in plaintext. A redirect configured as a path-pattern rule (for example on /*) works, but making it the default action is safer: if the rule is ever deleted, a default action of "forward" silently falls back to plaintext.
Verify the health checks: Health checks belong to target groups, not to the redirect. The ALB issues the 301 itself, so unhealthy targets do not stop the redirect; they do mean that the follow-up HTTPS request is answered with a 503 by the HTTPS listener. If clients are redirected and then see errors, check the health of the target group the HTTPS listener forwards to.
Verify security group settings: The security group attached to the ALB must allow inbound TCP 80 and 443 from the intended sources (the internet or your VPC). If port 80 is blocked, the redirect can never be served and clients see a timeout rather than an upgrade to HTTPS.
Check SSL/TLS certificates: The HTTPS listener must have a valid certificate from AWS Certificate Manager (or one imported into ACM or IAM) whose names cover the host names clients use. The console will not create an HTTPS listener without one, but an expired or mismatched certificate means the redirect lands on a browser warning instead of a working page. A quick end-to-end check is a request to the http:// URL: the response should be a 301 whose Location header uses the https scheme with the same host and path.
Necessary Codes:
The following AWS CLI command adds a rule to the HTTP:80 listener that redirects every path to HTTPS:

```bash
aws elbv2 create-rule \
  --listener-arn <listener-arn> \
  --priority 1 \
  --conditions Field=path-pattern,Values='/*' \
  --actions Type=redirect,RedirectConfig="{Protocol=HTTPS,Port=443,StatusCode=HTTP_301}"
```

Replace <listener-arn> with the ARN of the HTTP:80 listener (not the HTTPS listener), and adjust the path pattern or the priority if priority 1 is already taken on that listener. Note that this command leaves the listener's default action unchanged; the redirect can instead be made the default action with the modify-listener subcommand, which is the configuration the console steps below produce and the one that does not depend on a rule staying in place.
Step-by-Step Guide for Remediation:
Follow the steps below to configure the ALB to redirect HTTP requests to HTTPS for systems compliant with FedRAMP Moderate Revision 4:
Log in to the AWS Management Console.
Go to the EC2 service.
In the navigation pane, click on "Load Balancers".
Select the application load balancer (ALB) that needs to be configured for redirection.
On the "Listeners" tab, confirm that the ALB has both an HTTP:80 listener and an HTTPS:443 listener with a certificate attached. Add whichever is missing with "Add listener".
Select the HTTP:80 listener (not the HTTPS listener) and open it for editing.
Set its default action to the redirect action ("Redirect to" or "Redirect to URL", depending on the console version).
Configure the redirect with protocol HTTPS, port 443 and status code HTTP_301 (permanent).
Review any other rules on the HTTP:80 listener and remove or convert rules that still forward to a target group; otherwise those requests keep being served over plaintext.
Save the changes and test by requesting the application over http://. The response should be a 301 whose Location header points at the https:// version of the same URL, and the browser should land on the HTTPS page.
Confirm that the HTTPS:443 listener forwards to a target group whose targets are healthy. The redirect itself does not depend on health checks, but an unhealthy target group turns every redirected request into a 503.
If there are any issues, refer to the troubleshooting steps mentioned earlier to identify and resolve the problem.
By following these steps, you can configure the ALB to redirect all HTTP requests to HTTPS for systems compliant with FedRAMP Moderate Revision 4.
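As an added example that is not code from the original page or from AWS, the following Python implements the checks from the troubleshooting section and the remediation from the step-by-step guide against the JSON shapes the elbv2 API returns (describe-listeners, describe-rules, modify-listener). It flags any HTTP listener whose default action or rules are not an HTTPS redirect, including a redirect that keeps the client's scheme through the #{protocol} placeholder, then sets the redirect as the default action and reports what still forwards. FakeElbv2, every ARN and the sample rules are constructed for the offline demo; with boto3 installed, the same functions accept boto3.client("elbv2") in place of the fake.

```python
"""Audit and remediate HTTP-to-HTTPS redirection on an ALB's HTTP listeners."""
from typing import Any, Dict, List

# Desired default action for each HTTP listener. Host, Path and Query keep their
# API defaults (#{host}, /#{path}, #{query}), so only the scheme and port change.
HTTPS_REDIRECT_ACTION: Dict[str, Any] = {
    "Type": "redirect",
    "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"},
}

def is_https_redirect(action: Dict[str, Any]) -> bool:
    """True only for a redirect whose Protocol is the literal HTTPS ("#{protocol}" keeps the client's scheme)."""
    return (action.get("Type") == "redirect"
            and action.get("RedirectConfig", {}).get("Protocol") == "HTTPS")

def listener_findings(listener: Dict[str, Any], rules: List[Dict[str, Any]]) -> List[str]:
    """Reasons an HTTP listener fails the control (empty list = compliant). The
    default action and every non-default rule must be an HTTPS redirect."""
    if listener.get("Protocol") != "HTTP":
        return []  # only HTTP listeners are in scope
    findings = [f"default action is '{a.get('Type')}', not an HTTPS redirect"
                for a in listener.get("DefaultActions", []) if not is_https_redirect(a)]
    for rule in rules:
        if rule.get("IsDefault"):
            continue  # the default rule mirrors DefaultActions, checked above
        findings += [f"rule priority {rule.get('Priority')} action is '{a.get('Type')}',"
                     " not an HTTPS redirect"
                     for a in rule.get("Actions", []) if not is_https_redirect(a)]
    return findings

def audit_load_balancer(elbv2, lb_arn: str) -> Dict[str, List[str]]:
    """Map each HTTP listener ARN of one ALB to its findings (boto3-style client)."""
    report = {}
    for lsn in elbv2.describe_listeners(LoadBalancerArn=lb_arn)["Listeners"]:
        if lsn["Protocol"] == "HTTP":
            rules = elbv2.describe_rules(ListenerArn=lsn["ListenerArn"])["Rules"]
            report[lsn["ListenerArn"]] = listener_findings(lsn, rules)
    return report

def remediate_listener(elbv2, listener_arn: str) -> List[str]:
    """Make the HTTPS redirect the listener's default action, then re-check.
    Non-default rules are reported rather than deleted: a forward for /api/*
    may be intentional, and removing it unreviewed is an availability risk."""
    resp = elbv2.modify_listener(ListenerArn=listener_arn,
                                 DefaultActions=[HTTPS_REDIRECT_ACTION])
    rules = elbv2.describe_rules(ListenerArn=listener_arn)["Rules"]
    return listener_findings(resp["Listeners"][0], rules)

class FakeElbv2:
    """Constructed stand-in for boto3.client("elbv2") so the demo runs offline."""
    def __init__(self, listeners, rules_by_listener):
        self.listeners, self.rules = listeners, rules_by_listener

    def describe_listeners(self, LoadBalancerArn):
        return {"Listeners": [l for l in self.listeners if l["LoadBalancerArn"] == LoadBalancerArn]}

    def describe_rules(self, ListenerArn):
        return {"Rules": self.rules.get(ListenerArn, [])}

    def modify_listener(self, ListenerArn, DefaultActions):
        lsn = next(l for l in self.listeners if l["ListenerArn"] == ListenerArn)
        lsn["DefaultActions"] = DefaultActions
        for rule in self.rules.get(ListenerArn, []):
            if rule.get("IsDefault"):  # the real API keeps the default rule in sync
                rule["Actions"] = DefaultActions
        return {"Listeners": [lsn]}

# Constructed identifiers for the demo; none refers to a real resource.
LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/demo/0123456789abcdef"
HTTP_LISTENER_ARN = LB_ARN.replace("loadbalancer/app", "listener/app") + "/http80"
FORWARD = {"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/demo-tg/abcdef0123456789"}

def demo() -> Dict[str, Dict[str, List[str]]]:
    """Audit a non-compliant ALB, apply the remediation, audit again."""
    listeners = [
        {"ListenerArn": HTTP_LISTENER_ARN, "LoadBalancerArn": LB_ARN,
         "Protocol": "HTTP", "Port": 80, "DefaultActions": [FORWARD]},
        {"ListenerArn": HTTP_LISTENER_ARN.replace("http80", "https443"), "LoadBalancerArn": LB_ARN,
         "Protocol": "HTTPS", "Port": 443, "DefaultActions": [FORWARD]},
    ]
    rules = {HTTP_LISTENER_ARN: [
        {"RuleArn": HTTP_LISTENER_ARN + "/r-default", "Priority": "default",
         "IsDefault": True, "Actions": [FORWARD]},
        {"RuleArn": HTTP_LISTENER_ARN + "/r-1", "Priority": "1", "IsDefault": False,
         "Conditions": [{"Field": "path-pattern", "Values": ["/api/*"]}],
         "Actions": [FORWARD]},  # one path prefix still forwarded in plaintext
        {"RuleArn": HTTP_LISTENER_ARN + "/r-2", "Priority": "2", "IsDefault": False,
         "Conditions": [{"Field": "path-pattern", "Values": ["/old/*"]}],
         "Actions": [{"Type": "redirect", "RedirectConfig": {  # keeps the scheme
             "Protocol": "#{protocol}", "Port": "#{port}", "StatusCode": "HTTP_301"}}]},
    ]}
    client = FakeElbv2(listeners, rules)
    before = audit_load_balancer(client, LB_ARN)
    remaining = remediate_listener(client, HTTP_LISTENER_ARN)
    return {"before": before, "after": audit_load_balancer(client, LB_ARN),
            "remaining": {HTTP_LISTENER_ARN: remaining}}
```

Calling demo() returns three findings for the HTTP listener before remediation (the forward default action, the /api/* forward rule and the scheme-preserving redirect) and two afterwards, because setting the default action fixes only the first. Against a real account, pass boto3.client("elbv2") and a load balancer ARN to audit_load_balancer and run remediate_listener only on HTTP listener ARNs; the leftover rules it returns are left for the operator to review rather than deleted, since a forward rule on a path prefix may be carrying traffic the application still needs.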