Control: 1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
Description
This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured.
Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.
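The pass/fail rule described above, written out as an added example; it is not the mod's named query or any code from this page. It runs over constructed listener records in the shape of `aws elbv2 describe-listeners` output, and it assumes that only each listener's default actions are inspected and that the shortened load balancer and target group identifiers are placeholders.

```python
# Constructed listeners in the shape of `aws elbv2 describe-listeners` output.
# Identifiers are shortened placeholders, not real resources.
SAMPLE_LISTENERS = [
    {"LoadBalancerArn": "alb/web", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig":
                         {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"LoadBalancerArn": "alb/web", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg/web"}]},
    # Plain forward on an HTTP listener: traffic is served unencrypted.
    {"LoadBalancerArn": "alb/api", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg/api"}]},
    # A redirect that keeps the original protocol stays on HTTP.
    {"LoadBalancerArn": "alb/legacy", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig":
                         {"Protocol": "#{protocol}", "Port": "80", "StatusCode": "HTTP_302"}}]},
    {"LoadBalancerArn": "alb/tls-only", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg/tls"}]},
]


def redirects_to_https(listener):
    """True if any default action of the listener is a redirect to HTTPS."""
    for action in listener.get("DefaultActions", []):
        cfg = action.get("RedirectConfig") or {}
        if action.get("Type") == "redirect" and cfg.get("Protocol", "").upper() == "HTTPS":
            return True
    return False


def evaluate(listeners):
    """Return {load_balancer: (status, reason)}.

    A load balancer fails if any of its HTTP listeners lacks an HTTP-to-HTTPS redirect.
    """
    offending = {}
    for listener in listeners:
        ports = offending.setdefault(listener["LoadBalancerArn"], [])
        if listener["Protocol"] == "HTTP" and not redirects_to_https(listener):
            ports.append(listener["Port"])
    return {lb: ("fail", f"HTTP listener port(s) {ports} do not redirect to HTTPS")
            if ports else ("pass", "every HTTP listener redirects to HTTPS")
            for lb, ports in offending.items()}


if __name__ == "__main__":
    for lb, (status, reason) in sorted(evaluate(SAMPLE_LISTENERS).items()):
        print(f"{status:4} {lb}: {reason}")
```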
Remediation
To remediate this issue, redirect HTTP requests to HTTPS.
To redirect HTTP requests to HTTPS on an Application Load Balancer
- Open the Amazon EC2 console.
- On the navigation pane, under LOAD BALANCING, choose Load Balancers.
- Choose an Application Load Balancer.
- Choose Listeners.
- Select the check box for an HTTP listener (port 80 TCP) and then choose Edit.
- If there is an existing rule, you must delete it. Otherwise, choose Add action and then choose Redirect to....
- Choose HTTPS and then enter 443.
- Choose the check mark in a circle symbol and then choose Update.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_elb_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_1 --share
SQL
This control uses a named query:
elb_application_lb_redirect_http_request_to_https