ELB Application Load Balancers Redirect HTTP to HTTPS Rule
This rule ensures that ELB application load balancers redirect HTTP requests to HTTPS for secure communication.
| Rule | ELB application load balancers should redirect HTTP requests to HTTPS |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description
This rule ensures that Elastic Load Balancer (ELB) application load balancers redirect all incoming HTTP requests to HTTPS. This is done to comply with the security requirement specified in NIST 800-53 Revision 5.
HTTPS provides secure communication over the internet by encrypting data between the client and the server. By forcing HTTP requests to redirect to HTTPS, the rule helps ensure that all data transmitted through the load balancer is encrypted, reducing the risk of unauthorized access or data breaches.
Troubleshooting Steps (if required)
If the ELB application load balancer is not redirecting HTTP traffic to HTTPS, you can follow these troubleshooting steps:
- 1.
Verify the listener configuration: Check that the listener associated with the load balancer has both HTTP and HTTPS protocols enabled. Ensure that the listener rules are correctly set up to redirect HTTP traffic to HTTPS.
- 2.
Confirm the redirect behavior: Double-check the redirect behavior settings for the load balancer. The load balancer should be configured to perform a 301 or 302 redirect from HTTP to HTTPS. Verify that the redirect action is properly configured in the load balancer's rules.
- 3.
Validate security group settings: Ensure that the security group associated with the load balancer allows inbound traffic on both port 80 (HTTP) and port 443 (HTTPS) from appropriate sources.
- 4.
Review target group health checks: Check the health check configuration for the target group associated with the load balancer. Confirm that the health checks are passing for instances registered with the target group. If the health checks fail, the load balancer may not redirect traffic correctly.
- 5.
Examine SSL certificate configuration: Verify that the SSL certificate is correctly configured and associated with the listener. Ensure that the certificate is valid and covers the domain names to which the load balancer is redirecting.
Necessary Code (if applicable)
No specific code is required for this rule. The configuration of the load balancer and listener rules can be done through the AWS Management Console or using AWS CLI commands.
Remediation Steps
Follow these steps to enforce the HTTP to HTTPS redirection for ELB application load balancers:
- 1.
Open the AWS Management Console and navigate to the EC2 service.
- 2.
Click on "Load Balancers" in the left navigation pane.
- 3.
Select the ELB application load balancer that needs to enforce HTTP to HTTPS redirection.
- 4.
Click on the "Listeners" tab.
- 5.
Locate the listener that is configured with port 80 (HTTP).
- 6.
Click on the "Edit" button next to the HTTP listener.
- 7.
In the "Redirect Action" section, select "Redirect to" and choose HTTPS from the dropdown menu.
- 8.
Choose the appropriate options for the "Status code" and "Redirect method" fields. (Typically, a 301 redirect with the GET method is recommended for permanent redirection.)
- 9.
Click on the "Add action" button to add the redirect action.
- 10.
Ensure that the HTTPS listener is properly configured with the appropriate SSL certificate and target group.
- 11.
Click on the "Save" button to apply the changes.
Once the changes are saved, the ELB application load balancer will redirect all HTTP requests to HTTPS automatically. Make sure to test the redirection to ensure it is working as expected.
Note
Always consider testing the rule after making any changes to the configuration to validate that the redirection is functioning correctly.