turbot/steampipe-mod-aws-compliance

Control: 18 Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit

Description

This control checks whether the listener for an Application Load Balancer or Network Load Balancer is configured to use a secure protocol for encryption of data in transit. The control fails if an Application Load Balancer listener isn't configured to use the HTTPS protocol, or a Network Load Balancer listener isn't configured to use the TLS protocol.

To encrypt data that's transmitted between a client and a load balancer, Elastic Load Balancing listeners should be configured to use industry-standard security protocols: HTTPS for Application Load Balancers, or TLS for Network Load Balancers. Otherwise, data that's transmitted between a client and a load balancer is vulnerable to interception, tampering, and unauthorized access. Use of HTTPS or TLS by a listener aligns with security best practices and helps ensure the confidentiality and integrity of data during transmission. This is particularly important for applications that handle sensitive information, or must comply with security standards that require encryption of data in transit.

Two points are worth knowing before triaging results. First, the control is evaluated per listener, not per load balancer: each listener ARN is reported as its own resource, so a load balancer with an HTTPS listener on 443 and an HTTP listener on 80 still produces an alarm for port 80, even when that port-80 listener does nothing but redirect clients to HTTPS. A Network Load Balancer TCP listener that passes TLS straight through to its targets is reported as alarm for the same reason: the query sees only the listener's protocol, not whether the payload is encrypted end to end. Second, an 'ok' result means the listener terminates TLS, not that it terminates it well; the TLS versions and cipher suites the listener accepts are set by its security policy (the ssl_policy attribute), which this control does not inspect.

Remediation

For information about configuring security protocols for listeners, see the following sections of the Elastic Load Balancing User Guides: Create an HTTPS listener for your Application Load Balancer and Create a listener for your Network Load Balancer. In both cases the listener needs a server certificate (from ACM or IAM) and a security policy; an existing listener can be changed in place with aws elbv2 modify-listener, or a new HTTPS/TLS listener added with aws elbv2 create-listener, with the cleartext listener then removed or reduced to a redirect.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elb_18

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_18 --share

SQL

This control uses a named query:

with lbs as (
  select
    arn,
    title,
    region,
    account_id,
    tags,
    _ctx,
    'application'::text as lb_type
  from
    aws_ec2_application_load_balancer
  union all
  select
    arn,
    title,
    region,
    account_id,
    tags,
    _ctx,
    'network'::text as lb_type
  from
    aws_ec2_network_load_balancer
), lst as (
  select
    l.arn as listener_arn,
    l.load_balancer_arn as lb_arn,
    l.protocol,
    l.port
  from
    aws_ec2_load_balancer_listener l
), joined as (
  select
    lb.arn as lb_arn,
    lb.title,
    lb.lb_type,
    lb.region,
    lb.account_id,
    lb.tags,
    lb._ctx,
    lst.listener_arn,
    lst.protocol,
    lst.port
  from
    lst join lbs lb on lb.arn = lst.lb_arn
)
select
  listener_arn as resource,
  case
    when lb_type = 'application' and protocol = 'HTTPS' then 'ok'
    when lb_type = 'network' and protocol = 'TLS' then 'ok'
    else 'alarm'
  end as status,
  case
    when lb_type = 'application' and protocol = 'HTTPS' then title || ' listener ' || port || ' uses HTTPS.'
    when lb_type = 'network' and protocol = 'TLS' then title || ' listener ' || port || ' uses TLS.'
    when lb_type = 'application' then title || ' listener ' || port || ' uses ' || lower(protocol) || ' (expected HTTPS).'
    when lb_type = 'network' then title || ' listener ' || port || ' uses ' || lower(protocol) || ' (expected TLS).'
  end as reason
  , region, account_id
from
  joined;
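The query above reports every non-HTTPS ALB listener and every non-TLS NLB listener as alarm, which lumps the common port-80 redirect listener in with genuinely cleartext endpoints, and it says nothing about which TLS versions an 'ok' listener accepts. The variant below is an added example, not part of the turbot/steampipe-mod-aws-compliance mod: it keeps the control's ok/alarm logic but reports an ALB HTTP listener whose only default action is a redirect to HTTPS as 'info', and it prints the ssl_policy of each HTTPS/TLS listener so weak policies can be spotted in the same pass. It assumes the aws_ec2_load_balancer_listener table exposes default_actions (jsonb) and ssl_policy (text), and that default_actions carries the AWS API shape with PascalCase keys ("Type", "RedirectConfig", "Protocol"). It does not try to recognise NLB TCP passthrough, because the listener object carries no information about whether the targets speak TLS.

```sql
-- Added example, not the mod's own query. Assumes default_actions (jsonb,
-- AWS API shape with PascalCase keys) and ssl_policy (text) columns on
-- aws_ec2_load_balancer_listener.
with lbs as (
  select arn, title, region, account_id, 'application'::text as lb_type
  from aws_ec2_application_load_balancer
  union all
  select arn, title, region, account_id, 'network'::text as lb_type
  from aws_ec2_network_load_balancer
), listeners as (
  select
    l.arn as listener_arn,
    l.load_balancer_arn as lb_arn,
    l.protocol,
    l.port,
    l.ssl_policy,
    -- true only when every default action is a redirect whose target
    -- protocol is HTTPS; an empty action list yields false via coalesce
    (
      select coalesce(
        bool_and(a ->> 'Type' = 'redirect'
                 and a -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS'),
        false)
      from jsonb_array_elements(l.default_actions) as a
    ) as redirects_to_https
  from aws_ec2_load_balancer_listener l
)
select
  ls.listener_arn as resource,
  case
    when lb.lb_type = 'application' and ls.protocol = 'HTTPS' then 'ok'
    when lb.lb_type = 'network' and ls.protocol = 'TLS' then 'ok'
    -- cleartext listener that exists only to bounce clients to HTTPS
    when lb.lb_type = 'application' and ls.protocol = 'HTTP'
         and ls.redirects_to_https then 'info'
    else 'alarm'
  end as status,
  case
    when ls.protocol in ('HTTPS', 'TLS') then
      lb.title || ' listener ' || ls.port || ' uses ' || ls.protocol
        || ' (policy ' || coalesce(ls.ssl_policy, 'none') || ').'
    when lb.lb_type = 'application' and ls.protocol = 'HTTP'
         and ls.redirects_to_https then
      lb.title || ' listener ' || ls.port || ' is cleartext but only redirects to HTTPS.'
    else
      lb.title || ' listener ' || ls.port || ' uses ' || lower(ls.protocol)
        || ' (expected '
        || case lb.lb_type when 'application' then 'HTTPS' else 'TLS' end
        || ').'
  end as reason,
  lb.region,
  lb.account_id
from
  listeners ls
  join lbs lb on lb.arn = ls.lb_arn;
```

Run it with steampipe query in the same workspace the control runs in. The 'info' rows are the ones to keep but not chase; the 'ok' rows whose reason shows a legacy policy such as ELBSecurityPolicy-2016-08 (which still negotiates TLS 1.0 and 1.1) pass this control but deserve a follow-up of their own.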

Tags