🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 18 Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit

Description

This control checks whether the listener for an Application Load Balancer or Network Load Balancer is configured to use a secure protocol for encryption of data in transit. The control fails if an Application Load Balancer listener isn't configured to use the HTTPS protocol, or a Network Load Balancer listener isn't configured to use the TLS protocol.

To encrypt data that's transmitted between a client and a load balancer, Elastic Load Balancer listeners should be configured to use industry-standard security protocols: HTTPS for Application Load Balancers, or TLS for Network Load Balancers. Otherwise, data that's transmitted between a client and a load balancer is vulnerable to interception, tampering, and unauthorized access. Use of HTTPS or TLS by a listener aligns with security best practices and helps ensure the confidentiality and integrity of data during transmission. This is particularly important for applications that handle sensitive information, or must comply with security standards that require encryption of data in transit.

Remediation

For information about configuring security protocols for listeners, see the following sections of the Elastic Load Balancing User Guides: Create an HTTPS listener for your Application Load Balancer and Create a listener for your Network Load Balancer.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elb_18

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_18 --share

SQL

This control uses a named query:

with lbs as (
  select
    arn,
    title,
    region,
    account_id,
    tags,
    _ctx,
    'application'::text as lb_type
  from
    aws_ec2_application_load_balancer
  union all
  select
    arn,
    title,
    region,
    account_id,
    tags,
    _ctx,
    'network'::text as lb_type
  from
    aws_ec2_network_load_balancer
), lst as (
   select
    l.arn as listener_arn,
    l.load_balancer_arn as lb_arn,
    l.protocol,
    l.port
  from
    aws_ec2_load_balancer_listener l
), joined as (
  select
    lb.arn as lb_arn,
    lb.title,
    lb.lb_type,
    lb.region,
    lb.account_id,
    lb.tags,
    lb._ctx,
    lst.listener_arn,
    lst.protocol,
    lst.port
  from
    lst join lbs lb on lb.arn = lst.lb_arn
)
select
  listener_arn as resource,
  case
    when lb_type = 'application' and protocol = 'HTTPS' then 'ok'
    when lb_type = 'network' and protocol = 'TLS'   then 'ok'
    else 'alarm'
  end as status,
  case
    when lb_type = 'application' and protocol = 'HTTPS' then title || ' listener ' || port || ' uses HTTPS.'
    when lb_type = 'network' and protocol = 'TLS' then title || ' listener ' || port || ' uses TLS.'
    when lb_type = 'application' then title || ' listener ' || port || ' uses ' || lower(protocol) || ' (expected HTTPS).'
    when lb_type = 'network' then title || ' listener ' || port || ' uses ' || lower(protocol) || ' (expected TLS).'
  end as reason
  
  , region, account_id
from
  joined;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_in_transit
foundational_security_item_id = elb_18
plugin = aws
service = AWS/ELB