AWS Elastic Load Balancing (ELB)

ELB Without SSL Termination

Risk Level: Medium

Description:

This plugin ensures that SSL certificates are set on load balancers for SSL termination. SSL termination, also known as SSL offloading, decrypts and validates data on the load balancer rather than on the application server, allowing the server to focus on other activities such as loading web pages. This helps increase the speed of the server.

PingSafe strongly recommends attaching an SSL certificate to the listener of each AWS Elastic Load Balancer.

About the Service:

An Amazon ECS service can be configured to use Elastic Load Balancing to distribute traffic evenly across the tasks in your service. A Classic Load Balancer makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). Classic Load Balancers currently require a fixed relationship between the load balancer port and the container instance port.

Impact:

Without SSL termination on the load balancer, the server has to perform the additional work itself, which in turn decreases the speed of the server.

Steps to reproduce:

  1. Login to your AWS Management Console.
  2. Navigate to the EC2 console.
    https://ap-south-1.console.aws.amazon.com/ec2/ 
  3. Click on Load Balancers under Load Balancing.
  4. Select the load balancer that you want to examine.
  5. In the Listeners tab, check whether an SSL certificate is attached to any listener.
  6. If no SSL certificate is present, the ELB does not have SSL termination configured.
  7. Repeat steps for other EC2 load balancers as well. 
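The console check above can be applied to every Classic Load Balancer in one pass. The following is an added example, not PingSafe's plugin code: it assumes the input is the JSON returned by `aws elb describe-load-balancers`, and the load balancer names and certificate ARN in the sample are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws elb describe-load-balancers` output
# (Classic Load Balancer API); names and the certificate ARN are placeholders.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [
  {"LoadBalancerName": "web-plain",
   "ListenerDescriptions": [
     {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                   "InstanceProtocol": "HTTP", "InstancePort": 8080}}]},
  {"LoadBalancerName": "web-tls",
   "ListenerDescriptions": [
     {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                   "InstanceProtocol": "HTTP", "InstancePort": 8080}},
     {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                   "InstanceProtocol": "HTTP", "InstancePort": 8080,
                   "SSLCertificateId": "arn:aws:iam::111122223333:server-certificate/EXAMPLE"}}]},
  {"LoadBalancerName": "no-listeners", "ListenerDescriptions": []}
]}
""")

TLS_PROTOCOLS = {"HTTPS", "SSL"}  # front-end protocols that terminate TLS on the ELB


def audit(response):
    """Return one finding per load balancer: name, status, and plaintext ports."""
    findings = []
    for lb in response.get("LoadBalancerDescriptions", []):
        listeners = [d.get("Listener", {}) for d in lb.get("ListenerDescriptions", [])]
        # A listener terminates TLS only if it uses HTTPS/SSL and carries a certificate.
        terminated = [l for l in listeners
                      if l.get("Protocol", "").upper() in TLS_PROTOCOLS
                      and l.get("SSLCertificateId")]
        plaintext = sorted(l["LoadBalancerPort"] for l in listeners
                           if l not in terminated and "LoadBalancerPort" in l)
        findings.append({
            "name": lb.get("LoadBalancerName", "<unnamed>"),
            "status": "PASS" if terminated else "FAIL",  # FAIL = no SSL termination
            "plaintext_ports": plaintext,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['status']}  {f['name']}  plaintext ports: {f['plaintext_ports']}")
```

A load balancer that passes can still expose plaintext listeners; the `plaintext_ports` field lists them so they can be reviewed separately.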

Steps for remediation:

  1. Login to your AWS Management Console.
  2. Navigate to the EC2 console.
    https://ap-south-1.console.aws.amazon.com/ec2/ 
  3. Click on Load Balancers under Load Balancing.
  4. Select the load balancer that you want to examine.
  5. In the Listeners tab, check whether an SSL certificate is attached to any listener.
  6. If no SSL certificate is present, the ELB does not have SSL termination configured.
  7. Create a new listener by clicking the Add Listener button.
  8. Fill in the necessary listener information, including the SSL certificate ID, and click Add.
  9. Repeat steps for other EC2 load balancers as well. 
