
Rule: ELB Application Load Balancers Redirect HTTP to HTTPS

This rule ensures ELB application load balancers properly redirect HTTP requests to HTTPS for enhanced security.

Rule: ELB application load balancers should redirect HTTP requests to HTTPS
Framework: NIST 800-53 Revision 5
Severity: Medium

ELB Application Load Balancers HTTP to HTTPS Redirection for NIST 800-53 Rev 5

Under NIST 800-53 Revision 5 for secure communication protocols, it's recommended to enforce encrypted sessions for all web traffic by redirecting HTTP requests to HTTPS. This increases security by ensuring data in transit is encrypted and protects against eavesdropping and man-in-the-middle attacks. This guide provides details on implementing mandatory HTTP to HTTPS redirection on AWS Elastic Load Balancing (ELB) using Application Load Balancers (ALBs).

Rule Description

AWS ELB Application Load Balancers should be configured to redirect all incoming HTTP (port 80) requests to HTTPS (port 443) to ensure secure communication. This not only aligns with industry standards for security but also complies with NIST 800-53 Rev 5 requirements for maintaining the confidentiality and integrity of information.

Troubleshooting Steps

If your Application Load Balancer is not redirecting HTTP requests to HTTPS as expected, follow these troubleshooting steps:

  1. Check Listener Configuration: Verify that the ALB has an HTTP listener configured to handle port 80 traffic and that it is set up to redirect to HTTPS.
  2. Review Redirection Rules: Ensure the rules for redirection are correctly configured with the right action type and conditions.
  3. Verify Security Groups and Network ACLs: Confirm that the security groups and network ACLs associated with the ALB allow traffic on both ports 80 and 443.
  4. Check SSL Certificate: Ensure that there is a valid SSL certificate attached to the HTTPS listener and that the certificate matches the domain name being used.
  5. Inspect DNS Records: Make sure the DNS setup routes the traffic to the correct ALB.

Necessary Codes and CLI Commands

To implement the redirection via AWS Management Console or AWS CLI, follow these steps:

AWS Management Console Steps:

  1. Create HTTPS Listener:
    • Navigate to the EC2 service.
    • In the left navigation pane, click on 'Load Balancers'.
    • Select your ALB.
    • Under the Listeners tab, check for an HTTPS listener on port 443. If not present, create one and attach an SSL certificate.
  2. Set Up Redirection:
    • Click on 'Add listener' for the HTTP listener (port 80).
    • Click 'View/edit rules' for the default rule under Actions.
    • Click on '+' to add a rule.
    • Choose 'Add condition' and select 'Path pattern'.
    • Choose 'Add action' and select 'Redirect to...'.
    • Make sure to set Protocol to HTTPS, Port to 443, and the status code to HTTP 301.
    • Save the rules.

AWS CLI Commands:

Redirect actions are an Application Load Balancer feature, so they are managed with the elbv2 command set rather than the Classic ELB `aws elb` commands. You can create the HTTP listener with a redirect default action using the AWS CLI with the following command:

aws elbv2 create-listener --load-balancer-arn <Your Load Balancer ARN> --protocol HTTP --port 80 --default-actions Type=redirect,RedirectConfig="{Protocol=HTTPS,Port=443,Host='#{host}',Path='/#{path}',Query='#{query}',StatusCode=HTTP_301}"

Replace

<Your Load Balancer ARN>
with the Amazon Resource Name of your Application Load Balancer. A redirect action does not reference a target group: the ALB itself answers the HTTP 301, preserving the original host, path and query string in the HTTPS location.

Make sure to configure the AWS CLI with the appropriate credentials and default region.

Step by Step Guide for Remediation

To enforce HTTP to HTTPS redirection, there are specific steps you should take:

  1. Log in to the AWS Management Console.
  2. Go to the EC2 service and select “Load Balancers” from the navigation pane.
  3. Choose your Application Load Balancer from the list.
  4. Under the “Listeners” tab, verify if there is an HTTPS listener. If not, create one by clicking 'Add listener', selecting HTTPS (port 443) and attaching a valid SSL certificate.
  5. For the HTTP listener (port 80), set up a redirection rule:
    • Click on ‘View/edit rules’ next to the listener.
    • Add a new rule to redirect all requests (path pattern /*) to HTTPS (port 443).
    • Apply the redirection by setting a 301 redirection status code (HTTP 301 Moved Permanently).
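To verify the remediation above across an account, the check below is an added audit helper (not Cloud Defense's or AWS's own code). It evaluates listener descriptions in the shape returned by `aws elbv2 describe-listeners` (the `Listeners` array) and flags any HTTP listener whose default action is not a 301 redirect to HTTPS on port 443; the sample listeners are constructed, and the file path argument is an assumed usage, not an AWS feature.

```python
# Added audit helper: evaluates ALB listeners in the shape returned by
# `aws elbv2 describe-listeners --load-balancer-arn <ARN>` (the "Listeners" array).
import json
import sys

def evaluate_http_listener(listener):
    """Return (compliant, reason) for one listener description."""
    if listener.get("Protocol") != "HTTP":
        return True, "not an HTTP listener; rule does not apply"
    redirects = [a for a in listener.get("DefaultActions", []) if a.get("Type") == "redirect"]
    if not redirects:
        return False, "HTTP listener default action is not a redirect; traffic is served in clear"
    cfg = redirects[0].get("RedirectConfig", {})
    if cfg.get("Protocol") != "HTTPS":
        return False, f"redirect protocol is {cfg.get('Protocol')!r}, expected 'HTTPS'"
    if cfg.get("Port") != "443":  # '#{port}' would keep the client on port 80
        return False, f"redirect port is {cfg.get('Port')!r}, expected '443'"
    if cfg.get("StatusCode") != "HTTP_301":
        return False, f"redirect status is {cfg.get('StatusCode')!r}, expected 'HTTP_301'"
    return True, "HTTP redirects to HTTPS:443 with HTTP_301"

def audit_listeners(listeners):
    """One finding per HTTP listener; HTTPS and other listeners are skipped."""
    findings = []
    for lst in listeners:
        if lst.get("Protocol") != "HTTP":
            continue
        compliant, reason = evaluate_http_listener(lst)
        findings.append({"ListenerArn": lst.get("ListenerArn"), "Compliant": compliant, "Reason": reason})
    return findings

# Constructed sample (not from a real account): a correct redirect listener, an HTTP
# listener that forwards plaintext to a target group, and the HTTPS listener itself.
SAMPLE_LISTENERS = [
    {"ListenerArn": "listener/app/demo/http-ok", "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "Host": "#{host}", "Path": "/#{path}",
         "Query": "#{query}", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": "listener/app/demo/http-bad", "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "targetgroup/demo"}]},
    {"ListenerArn": "listener/app/demo/https", "Port": 443, "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "targetgroup/demo"}]},
]

if __name__ == "__main__":
    # Assumed usage: python audit_alb.py listeners.json (saved describe-listeners output); no arg runs the sample.
    data = json.load(open(sys.argv[1]))["Listeners"] if len(sys.argv) > 1 else SAMPLE_LISTENERS
    for f in audit_listeners(data):
        print("PASS" if f["Compliant"] else "FAIL", f["ListenerArn"], "-", f["Reason"])
```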

By following these guidelines, you’ll ensure that your Application Load Balancer is aligned with NIST 800-53 Revision 5 recommendations and has improved security by redirecting all HTTP traffic to HTTPS. This configuration also benefits SEO by signaling to search engines that your website uses secure connections, and it gives users a better experience by automatically directing them to the secure protocol.
