Ensure AWS load balancers use secure listener protocols (HTTPS, SSL/TLS) - AWS Prescriptive Guidance


Created by Chandini Penmetsa (AWS) and Purushotham G K (AWS)

Environment: Production

Technologies: Security, identity, compliance

Workload: All other workloads

AWS services: Amazon SNS; AWS CloudFormation; Amazon CloudWatch; AWS Lambda; Elastic Load Balancing (ELB)

Summary

On the Amazon Web Services (AWS) Cloud, Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, IP addresses, and AWS Lambda functions. Load balancers use listeners to define the ports and protocols on which they accept traffic from users. Application Load Balancers make routing decisions at the application layer and use the HTTP/HTTPS protocols. Network Load Balancers make routing decisions at the transport layer and use the Transmission Control Protocol (TCP), Transport Layer Security (TLS), User Datagram Protocol (UDP), or TCP_UDP protocols. Classic Load Balancers make routing decisions either at the transport layer, using the TCP or Secure Sockets Layer (SSL) protocols, or at the application layer, using HTTP/HTTPS.

Your organization might have a security or compliance requirement that load balancers accept traffic from users only on secure protocols, such as HTTPS or SSL/TLS.

This pattern provides a security control that uses an Amazon EventBridge rule to monitor the CreateListener and ModifyListener API calls for Application Load Balancers and Network Load Balancers, and the CreateLoadBalancerListeners and CreateLoadBalancer API calls for Classic Load Balancers. If HTTP, TCP/UDP, or TCP_UDP is used for the load balancer's listener protocol, the control invokes a Lambda function. The Lambda function publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic to send a notification that contains the load balancer details.
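The following is an added example of the evaluation logic described above, written for this page and not the Lambda code shipped in the pattern's attachment. It assumes the EventBridge event carries the CloudTrail record in `detail`, with the ELB API request mirrored under `requestParameters` in camelCase (`protocol`, `loadBalancerArn`, `listenerArn`, `listeners`, `loadBalancerName`), and that the topic ARN is supplied through a hypothetical `SNS_TOPIC_ARN` environment variable.

```python
import json
import os

# Listener protocols the control treats as violations (HTTPS, TLS and SSL pass).
INSECURE_PROTOCOLS = {"HTTP", "TCP", "UDP", "TCP_UDP"}


def insecure_listeners(detail):
    """Return [(load balancer identifier, protocol)] for every insecure listener
    in one CloudTrail record. Key names are an assumption based on CloudTrail's
    camelCase mirror of the ELB request parameters."""
    params = detail.get("requestParameters") or {}
    name = detail.get("eventName")
    found = []
    if name in ("CreateListener", "ModifyListener"):  # Application/Network Load Balancer
        proto = (params.get("protocol") or "").upper()  # ModifyListener may omit it
        if proto in INSECURE_PROTOCOLS:
            found.append((params.get("loadBalancerArn") or params.get("listenerArn"), proto))
    elif name in ("CreateLoadBalancer", "CreateLoadBalancerListeners"):  # Classic
        for listener in params.get("listeners") or []:  # ELBv2 CreateLoadBalancer has none
            proto = (listener.get("protocol") or "").upper()
            if proto in INSECURE_PROTOCOLS:
                found.append((params.get("loadBalancerName"), proto))
    return found


def build_message(detail, violations):
    """Notification body carrying the load balancer details for the SNS message."""
    return json.dumps({
        "eventName": detail.get("eventName"),
        "awsRegion": detail.get("awsRegion"),
        "account": (detail.get("userIdentity") or {}).get("accountId"),
        "violations": [{"loadBalancer": lb, "protocol": p} for lb, p in violations],
    }, indent=2)


def lambda_handler(event, context, publish=None):
    """Evaluate one EventBridge event and publish to SNS only when a violation exists.
    'publish' is injectable so the logic can be exercised offline without boto3."""
    detail = event.get("detail") or {}
    violations = insecure_listeners(detail)
    if not violations:
        return {"violations": 0}
    if publish is None:
        import boto3  # only imported inside the Lambda runtime
        sns = boto3.client("sns")

        def publish(msg):  # hypothetical env var; set it on the function
            sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                        Subject="Insecure load balancer listener", Message=msg)
    publish(build_message(detail, violations))
    return {"violations": len(violations)}


# Constructed sample event: CreateListener for an ALB with a plain HTTP listener.
SAMPLE_EVENT = {"detail": {"eventName": "CreateListener", "awsRegion": "us-east-1",
    "userIdentity": {"accountId": "111122223333"},
    "requestParameters": {"loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/demo/abc",
                          "protocol": "HTTP", "port": 80}}}
```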

Prerequisites and limitations

Prerequisites 

  • An active AWS account

  • An email address where you want to receive the violation notification

  • An Amazon Simple Storage Service (Amazon S3) bucket to store the Lambda code .zip file

Limitations 

  • This security control does not check for existing load balancers unless an update is made to the load balancer listeners.

  • This security control is regional and must be deployed in the AWS Regions that you intend to monitor.

Architecture

Target technology stack  

  • Lambda function

  • Amazon SNS topic

  • EventBridge rule

Target architecture 

An EventBridge rule that monitors load balancer API calls and initiates an Amazon SNS notification.

Automation and scale

  • If you are using AWS Organizations, you can use AWS CloudFormation StackSets to deploy this template to all the accounts that you want to monitor.

Tools

  • AWS CloudFormation – AWS CloudFormation is a service that helps you model and set up AWS resources by using infrastructure as code.

  • Amazon EventBridge – Amazon EventBridge delivers a stream of real-time data from your own applications, software as a service (SaaS) applications, and AWS services, routing that data to targets such as Lambda functions.

  • AWS Lambda – Lambda supports running code without provisioning or managing servers.

  • Amazon S3 – Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that can be used for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.

  • Amazon SNS – Amazon Simple Notification Service (Amazon SNS) coordinates and manages the delivery or sending of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.

Best practices

Ensure that the SNS topic used isn’t publicly accessible. For more information, see the AWS documentation.

Epics

Task: Define the S3 bucket.
Description: On the Amazon S3 console, choose or create an S3 bucket with a unique name that does not contain leading slashes. An S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. Your S3 bucket needs to be in the same Region as the load balancer that is being evaluated.
Skills required: Cloud architect

Task: Upload the Lambda code to the S3 bucket.
Description: Upload the Lambda code .zip file that's provided in the "Attachments" section to the defined S3 bucket.
Skills required: Cloud architect

Task: Deploy the AWS CloudFormation template.
Description: On the AWS CloudFormation console, in the same AWS Region as the S3 bucket, deploy the template that is provided in the "Attachments" section. In the next epic, provide the values for the parameters.
Skills required: Cloud architect

Task: Name the S3 bucket.
Description: Enter the name of the S3 bucket that you created in the first epic.
Skills required: Cloud architect

Task: Provide the Amazon S3 prefix.
Description: Provide the location of the Lambda code .zip file in your S3 bucket, without leading slashes (for example, <directory>/<file-name>.zip).
Skills required: Cloud architect

Task: Provide the SNS topic ARN.
Description: Provide the SNS topic Amazon Resource Name (ARN) if you want to use an existing SNS topic for violation notifications. To create a new SNS topic, keep the value as None (the default value).
Skills required: Cloud architect

Task: Provide an email address.
Description: Provide an active email address to receive Amazon SNS notifications.
Skills required: Cloud architect

Task: Define the logging level.
Description: Define the logging level and frequency for your Lambda function. Info designates detailed informational messages on the application's progress. Error designates error events that could still allow the application to continue running. Warning designates potentially harmful situations.
Skills required: Cloud architect

Task: Download the template.
Description: Download the CloudFormation template that's provided in the "Attachments" section.
Skills required: Cloud architect

Task: Create the stack.
Description: In the same Region as the S3 bucket, navigate to the CloudFormation service console, and deploy the downloaded template. Refer to the previous epic for parameter details.
Skills required: Cloud architect

Task: Verify the resources.
Description: After the stack is created completely, navigate to the Resources tab, and verify the resources. The template will create the following resources:

  • EventBridge rule

  • Lambda function

  • Lambda execution role

  • Lambda invoke permission

Skills required: Cloud architect

Task: Confirm the subscription.
Description: When the template successfully deploys, if a new SNS topic was created, a subscription email message is sent to the email address provided in the parameters. You must confirm this email subscription to receive violation notifications.
Skills required: Cloud architect

Troubleshooting

Issue: Stack creation failed. Error occurred while GetObject. S3 Error Code: PermanentRedirect. S3 Error Message: The bucket is in this region: xx-xxxx-1. Please use this region to retry the request.
Solution: Make sure that the S3 bucket Region and the Region where the stack is being deployed are the same.

Issue: Stack creation failed. The runtime parameter of python3.6 is no longer supported for creating or updating AWS Lambda functions.
Solution: Update the downloaded template at line 186 from Python version 3.6 to 3.9.

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip