Ensure ALB protocol is HTTPS

ID

alb_uses_https

Severity

high

Vendor

AWS

Resource

ALB

Tags

reachable

Description

Elastic Application Load Balancer (ALB) automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.

It monitors the health of its registered targets, and routes traffic only to the healthy targets. Elastic Load Balancing scales your load balancer as your incoming traffic changes over time. It can also automatically scale to the vast majority of workloads.

AWS ALB listeners should use HTTPS so that traffic between web clients and the load balancer is encrypted, preventing man-in-the-middle attacks on that hop.

Examples

CloudFormation

{
  "Resources": {
    "ListenerHTTPS": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "Certificates": [
          {
            "CertificateArn": {
              "Ref": "Certificate"
            }
          }
        ],
        "LoadBalancerArn": {
          "Ref": "LoadBalancer"
        },
        "Port": 80,
        "Protocol": "HTTP", (1)
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": {
              "Ref": "DefaultTargetGroup"
            }
          }
        ]
      }
    }
  }
}
1 Protocol set to HTTP means HTTPS is not used.

Resources:
  ListenerHTTPS:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
        - CertificateArn: !Ref Certificate
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP (1)
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref DefaultTargetGroup
1 Protocol set to HTTP means HTTPS is not used.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "ListenerHTTPS": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "Certificates": [
          {
            "CertificateArn": {
              "Ref": "Certificate"
            }
          }
        ],
        "LoadBalancerArn": {
          "Ref": "LoadBalancer"
        },
        "Port": 443,
        "Protocol": "HTTPS", (1)
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": {
              "Ref": "DefaultTargetGroup"
            }
          }
        ]
      }
    }
  }
}
1 Protocol set to HTTPS means HTTPS is used.

Resources:
  ListenerHTTPS:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
        - CertificateArn: !Ref Certificate
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS (1)
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref DefaultTargetGroup
1 Protocol set to HTTPS means HTTPS is used.
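The check described on this page, written out as a small build-time policy that can be run against a CloudFormation template before deployment. This is an added example, not the policy engine's own implementation: it parses the JSON form of a template with the standard library only (YAML templates would need an extra parser), flags every `AWS::ElasticLoadBalancingV2::Listener` whose `Protocol` is not `HTTPS`, and, going one step beyond the page, optionally accepts a port-80 listener whose only default action is a redirect to HTTPS, since that is the usual companion to an HTTPS listener. A `Protocol` that is an unresolved intrinsic (for example a `Ref`) is treated as a failure rather than guessed at. The sample template and its logical IDs are constructed for this example.

```python
import json

# Constructed sample template (JSON form): one plain HTTP listener, one HTTPS
# listener, and one HTTP listener that only redirects clients to HTTPS.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties": {"Type": "application"},
        },
        "ListenerHTTP": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "LoadBalancerArn": {"Ref": "LoadBalancer"},
                "Port": 80,
                "Protocol": "HTTP",
                "DefaultActions": [
                    {"Type": "forward", "TargetGroupArn": {"Ref": "DefaultTargetGroup"}}
                ],
            },
        },
        "ListenerHTTPS": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "Certificates": [{"CertificateArn": {"Ref": "Certificate"}}],
                "LoadBalancerArn": {"Ref": "LoadBalancer"},
                "Port": 443,
                "Protocol": "HTTPS",
                "DefaultActions": [
                    {"Type": "forward", "TargetGroupArn": {"Ref": "DefaultTargetGroup"}}
                ],
            },
        },
        "ListenerRedirect": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "LoadBalancerArn": {"Ref": "LoadBalancer"},
                "Port": 80,
                "Protocol": "HTTP",
                "DefaultActions": [
                    {
                        "Type": "redirect",
                        "RedirectConfig": {
                            "Protocol": "HTTPS",
                            "Port": "443",
                            "StatusCode": "HTTP_301",
                        },
                    }
                ],
            },
        },
    }
})

LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener"


def is_https_only_redirect(actions):
    """True when every default action is a redirect whose target protocol is HTTPS."""
    if not actions:
        return False
    for action in actions:
        if action.get("Type") != "redirect":
            return False
        if action.get("RedirectConfig", {}).get("Protocol") != "HTTPS":
            return False
    return True


def check_alb_listeners(template_text, allow_https_redirect=True):
    """Evaluate every ALB listener in a JSON CloudFormation template.

    Returns a dict mapping the listener's logical ID to "PASSED" or "FAILED".
    A listener passes when its Protocol is HTTPS, or (if allowed) when it is an
    HTTP listener whose only default action redirects to HTTPS.  Anything else,
    including a Protocol given as an unresolved intrinsic, fails.
    """
    template = json.loads(template_text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != LISTENER_TYPE:
            continue
        props = resource.get("Properties", {})
        protocol = props.get("Protocol", "")
        # A dict here means an intrinsic such as {"Ref": ...}; it cannot be
        # resolved at build time, so it never counts as HTTPS.
        protocol = protocol.upper() if isinstance(protocol, str) else ""
        if protocol == "HTTPS":
            results[logical_id] = "PASSED"
        elif allow_https_redirect and is_https_only_redirect(props.get("DefaultActions", [])):
            results[logical_id] = "PASSED"
        else:
            results[logical_id] = "FAILED"
    return results


if __name__ == "__main__":
    for listener, verdict in check_alb_listeners(SAMPLE_TEMPLATE).items():
        print(f"{listener}: {verdict}")
```

Run with the strict setting (`allow_https_redirect=False`) to reproduce the page's rule exactly, where any non-HTTPS listener fails; the default setting reports the plain HTTP forwarder as a failure while letting the redirect-only port-80 listener through.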