ALB Listening on HTTP
- Query id: 275a3217-ca37-40c1-a6cf-bb57d245ab32
- Query name: ALB Listening on HTTP
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
AWS Application Load Balancer (alb) should not listen on HTTP
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTPS
LoadBalancerPort: '443'
Protocol: HTTP
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
Scheme: internal
HTTPlistener:
Type: "AWS::ElasticLoadBalancingV2::Listener"
Properties:
DefaultActions:
- Type: redirect
LoadBalancerArn: !Ref myLoadBalancer
Port: 80
Protocol: HTTP
Positive test num. 2 - json file
{
"Resources": {
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"CrossZone": true,
"Listeners": [
{
"Protocol": "HTTP",
"PolicyNames": [
"My-SSLNegotiation-Policy"
],
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80",
"InstanceProtocol": "HTTPS",
"LoadBalancerPort": "443"
}
],
"Scheme": "internal",
"AvailabilityZones": [
"us-east-2a"
]
}
},
"HTTPlistener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"Type": "redirect"
}
],
"LoadBalancerArn": "myLoadBalancer",
"Port": 80,
"Protocol": "HTTP"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
}
Positive test num. 3 - yaml file
Resources:
HTTPlistener:
Type: "AWS::ElasticLoadBalancingV2::Listener"
Properties:
DefaultActions:
- Type: "redirect"
RedirectConfig:
Protocol: "HTTPS"
Port: "443"
Host: "#{host}"
Path: "/#{path}"
Query: "#{query}"
StatusCode: "HTTP_301"
LoadBalancerArn: !Ref myLoadBalancer
Port: 80
Protocol: "HTTP"
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTPS
LoadBalancerPort: '443'
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
Scheme: internal
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"CrossZone": true,
"Listeners": [
{
"Protocol": "HTTPS",
"PolicyNames": [
"My-SSLNegotiation-Policy"
],
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80",
"InstanceProtocol": "HTTPS",
"LoadBalancerPort": "443"
}
],
"Scheme": "internal",
"AvailabilityZones": [
"us-east-2a"
]
}
}
}
}