turbot/steampipe-mod-aws-compliance

Control: 2 Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

Description

This control checks whether the Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager (ACM). The control fails if a Classic Load Balancer configured with an HTTPS/SSL listener does not use a certificate provided by ACM.

To create a certificate, you can use either ACM or a tool that supports the SSL and TLS protocols, such as OpenSSL. Security Hub recommends that you use ACM to create or import certificates for your load balancer.

ACM integrates with Classic Load Balancers so that you can deploy the certificate on your load balancer. You should also renew these certificates automatically.

Remediation

For information about how to associate an ACM SSL/TLS certificate with a Classic Load Balancer, see the AWS Knowledge Center article How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elb_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_2 --share

SQL

This control uses a named query:

with detailed_classic_listeners as (
  -- load balancers with at least one secure listener whose certificate is not an ACM
  -- certificate (for example an IAM server certificate); the pattern covers every
  -- partition (aws, aws-cn, aws-us-gov) and distinct avoids duplicate join rows
  select distinct
    name
  from
    aws_ec2_classic_load_balancer,
    jsonb_array_elements(listener_descriptions) as listener_description
  where
    listener_description -> 'Listener' ->> 'Protocol' in ('HTTPS', 'SSL', 'TLS')
    and listener_description -> 'Listener' ->> 'SSLCertificateId' not like 'arn:%:acm:%'
)
select
  'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name as resource,
  case
    when a.listener_descriptions is null then 'skip'
    when b.name is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when a.listener_descriptions is null then a.title || ' has no listener.'
    when b.name is not null then a.title || ' does not use certificates provided by ACM.'
    else a.title || ' uses certificates provided by ACM.'
  end as reason,
  a.region,
  a.account_id
from
  aws_ec2_classic_load_balancer as a
  left join detailed_classic_listeners as b on a.name = b.name;
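The same classification logic, reproduced in Python over the describe-load-balancers JSON shape so the skip/alarm/ok outcomes can be unit-tested offline before the control is run in Powerpipe. This is an added example, not code from the steampipe-mod-aws-compliance project; the load balancer names, account id and certificate ARNs are constructed placeholders, and the ACM pattern is generalised to match any AWS partition.

```python
import re

# Matches an ACM certificate ARN in any partition (aws, aws-cn, aws-us-gov).
# IAM server certificates look like arn:aws:iam::<account>:server-certificate/<name>
ACM_CERT_ARN = re.compile(r"^arn:[^:]+:acm:")
SECURE_PROTOCOLS = {"HTTPS", "SSL", "TLS"}


def evaluate_classic_lb(lb: dict) -> tuple[str, str]:
    """Return (status, reason) for one Classic Load Balancer, mirroring the control.

    `lb` follows the describe-load-balancers shape: LoadBalancerName and
    ListenerDescriptions[].Listener.{Protocol, SSLCertificateId}.
    """
    name = lb["LoadBalancerName"]
    descriptions = lb.get("ListenerDescriptions")
    if descriptions is None:  # same as listener_descriptions is null in the query
        return "skip", f"{name} has no listener."
    non_acm = [
        d["Listener"] for d in descriptions
        if d["Listener"].get("Protocol") in SECURE_PROTOCOLS
        and not ACM_CERT_ARN.match(d["Listener"].get("SSLCertificateId") or "")
    ]
    if non_acm:  # at least one secure listener backed by a non-ACM certificate
        return "alarm", f"{name} does not use certificates provided by ACM."
    return "ok", f"{name} uses certificates provided by ACM."


def evaluate_all(lbs: list[dict]) -> dict[str, str]:
    """Map each load balancer name to its control status."""
    return {lb["LoadBalancerName"]: evaluate_classic_lb(lb)[0] for lb in lbs}


# Constructed sample fleet (placeholder names, account id and ARNs, not real data).
SAMPLE_LBS = [
    {"LoadBalancerName": "web-acm", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "SSLCertificateId": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE"}}]},
    {"LoadBalancerName": "legacy-iam", "ListenerDescriptions": [
        {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 443,
                      "SSLCertificateId": "arn:aws:iam::111111111111:server-certificate/legacy"}}]},
    {"LoadBalancerName": "no-listeners", "ListenerDescriptions": None},
    {"LoadBalancerName": "cn-acm", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "SSLCertificateId": "arn:aws-cn:acm:cn-north-1:111111111111:certificate/EXAMPLE"}}]},
]

if __name__ == "__main__":
    for lb in SAMPLE_LBS:
        print(*evaluate_classic_lb(lb))
```

A plain HTTP-only listener produces ok, exactly as the query does, because the control only inspects HTTPS, SSL and TLS listeners.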

Tags