Control: 18 Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit
Description
This control checks whether the listener for an Application Load Balancer or Network Load Balancer is configured to use a secure protocol for encryption of data in transit. The control fails if an Application Load Balancer listener isn't configured to use the HTTPS protocol, or a Network Load Balancer listener isn't configured to use the TLS protocol.
To encrypt data that's transmitted between a client and a load balancer, Elastic Load Balancer listeners should be configured to use industry-standard security protocols: HTTPS for Application Load Balancers, or TLS for Network Load Balancers. Otherwise, data that's transmitted between a client and a load balancer is vulnerable to interception, tampering, and unauthorized access. Use of HTTPS or TLS by a listener aligns with security best practices and helps ensure the confidentiality and integrity of data during transmission. This is particularly important for applications that handle sensitive information, or must comply with security standards that require encryption of data in transit.
Remediation
For information about configuring security protocols for listeners, see the following sections of the Elastic Load Balancing User Guides: Create an HTTPS listener for your Application Load Balancer and Create a listener for your Network Load Balancer.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_elb_18
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_18 --share
SQL
This control uses a named query:
with lbs as (
  select arn, title, region, account_id, tags, _ctx, 'application'::text as lb_type
  from aws_ec2_application_load_balancer
  union all
  select arn, title, region, account_id, tags, _ctx, 'network'::text as lb_type
  from aws_ec2_network_load_balancer
), lst as (
  select l.arn as listener_arn, l.load_balancer_arn as lb_arn, l.protocol, l.port
  from aws_ec2_load_balancer_listener l
), joined as (
  select lb.arn as lb_arn, lb.title, lb.lb_type, lb.region, lb.account_id, lb.tags, lb._ctx,
    lst.listener_arn, lst.protocol, lst.port
  from lst
  join lbs lb on lb.arn = lst.lb_arn
)
select
  listener_arn as resource,
  case
    when lb_type = 'application' and protocol = 'HTTPS' then 'ok'
    when lb_type = 'network' and protocol = 'TLS' then 'ok'
    else 'alarm'
  end as status,
  case
    when lb_type = 'application' and protocol = 'HTTPS' then title || ' listener ' || port || ' uses HTTPS.'
    when lb_type = 'network' and protocol = 'TLS' then title || ' listener ' || port || ' uses TLS.'
    when lb_type = 'application' then title || ' listener ' || port || ' uses ' || lower(protocol) || ' (expected HTTPS).'
    when lb_type = 'network' then title || ' listener ' || port || ' uses ' || lower(protocol) || ' (expected TLS).'
  end as reason,
  region,
  account_id
from joined;
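The same ok/alarm logic, as an added example that is not part of the aws_compliance mod, applied outside Steampipe to records shaped like the output of `aws elbv2 describe-load-balancers` and `aws elbv2 describe-listeners` (the `Type`, `Protocol`, `Port`, `ListenerArn` and `LoadBalancerArn` fields are the elbv2 API's; the sample resources are constructed). Gateway Load Balancers are skipped, matching the SQL, which only unions the application and network tables.

```python
"""Evaluate elb_18 (secure listener protocols) over elbv2-style records.

Added example, not the mod's own code. Mirrors the control's SQL: an ALB
listener must use HTTPS and an NLB listener must use TLS; anything else alarms.
"""

# Expected listener protocol per load balancer type (the SQL CASE branches).
EXPECTED = {"application": "HTTPS", "network": "TLS"}

# Constructed sample data using the elbv2 API field names; not real resources.
ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
LOAD_BALANCERS = [
    {"LoadBalancerArn": ARN + "loadbalancer/app/web-alb/abc123", "LoadBalancerName": "web-alb", "Type": "application"},
    {"LoadBalancerArn": ARN + "loadbalancer/net/api-nlb/def456", "LoadBalancerName": "api-nlb", "Type": "network"},
    {"LoadBalancerArn": ARN + "loadbalancer/gwy/fw-glb/0a0b0c", "LoadBalancerName": "fw-glb", "Type": "gateway"},
]
LISTENERS = [
    {"ListenerArn": ARN + "listener/app/web-alb/abc123/1", "LoadBalancerArn": LOAD_BALANCERS[0]["LoadBalancerArn"], "Protocol": "HTTPS", "Port": 443},
    {"ListenerArn": ARN + "listener/app/web-alb/abc123/2", "LoadBalancerArn": LOAD_BALANCERS[0]["LoadBalancerArn"], "Protocol": "HTTP", "Port": 80},
    {"ListenerArn": ARN + "listener/net/api-nlb/def456/1", "LoadBalancerArn": LOAD_BALANCERS[1]["LoadBalancerArn"], "Protocol": "TLS", "Port": 443},
    {"ListenerArn": ARN + "listener/net/api-nlb/def456/2", "LoadBalancerArn": LOAD_BALANCERS[1]["LoadBalancerArn"], "Protocol": "TCP", "Port": 5432},
    {"ListenerArn": ARN + "listener/gwy/fw-glb/0a0b0c/1", "LoadBalancerArn": LOAD_BALANCERS[2]["LoadBalancerArn"], "Protocol": "GENEVE", "Port": 6081},
]


def evaluate(load_balancers, listeners):
    """Return one {resource, status, reason} row per ALB or NLB listener."""
    lb_by_arn = {lb["LoadBalancerArn"]: lb for lb in load_balancers}
    rows = []
    for lst in listeners:
        lb = lb_by_arn.get(lst["LoadBalancerArn"])
        # Same scope as the SQL join: only application and network LBs are evaluated.
        if lb is None or lb["Type"] not in EXPECTED:
            continue
        expected = EXPECTED[lb["Type"]]
        name, proto, port = lb["LoadBalancerName"], lst["Protocol"], lst["Port"]
        if proto == expected:
            status, reason = "ok", f"{name} listener {port} uses {expected}."
        else:
            status, reason = "alarm", f"{name} listener {port} uses {proto.lower()} (expected {expected})."
        rows.append({"resource": lst["ListenerArn"], "status": status, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in evaluate(LOAD_BALANCERS, LISTENERS):
        print(row["status"].upper(), row["reason"])
```

Piping real `describe-load-balancers` and `describe-listeners` JSON into `evaluate()` reproduces the control's findings for an account without a Steampipe connection.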