ALB Listening on HTTP
- Query id: de7f5e83-da88-4046-871f-ea18504b1d43
- Query name: ALB Listening on HTTP
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description¶
AWS Application Load Balancer (alb) should not listen on HTTP
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_lb_listener" "listener5" {
load_balancer_arn = aws_lb.test3.arn
port = 80
default_action {
type = "redirect"
redirect {
port = "80"
protocol = "HTTP"
status_code = "HTTP_301"
}
}
}
resource "aws_lb" "test3" {
name = "test123"
load_balancer_type = "application"
subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
internal = true
}
Positive test num. 2 - tf file
provider "aws" {
profile = "default"
region = "us-west-2"
}
data "aws_availability_zones" "available" {
state = "available"
}
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_vpc" "vpc1" {
cidr_block = "10.10.0.0/16"
}
resource "aws_subnet" "subnet1" {
vpc_id = aws_vpc.vpc1.id
cidr_block = "10.10.10.0/24"
availability_zone_id = data.aws_availability_zones.available.zone_ids[0]
tags = {
Name = "subnet1"
}
}
resource "aws_subnet" "subnet2" {
vpc_id = aws_vpc.vpc1.id
cidr_block = "10.10.11.0/24"
availability_zone_id = data.aws_availability_zones.available.zone_ids[1]
tags = {
Name = "subnet2"
}
}
resource "aws_lb" "test" {
name = "test123"
load_balancer_type = "application"
subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
internal = true
}
resource "aws_lb_target_group" "test" {
port = 80
protocol = "HTTP"
target_type = "instance"
vpc_id = aws_vpc.vpc1.id
}
resource "aws_default_security_group" "dsg" {
vpc_id = aws_vpc.vpc1.id
}
resource "aws_lb_listener" "listener" {
load_balancer_arn = aws_lb.test.arn
port = 80
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.test.arn
}
}
resource "aws_lb_target_group_attachment" "attach1" {
target_group_arn = aws_lb_target_group.test.arn
target_id = aws_instance.inst1.id
port = 80
}
resource "aws_instance" "inst1" {
vpc_security_group_ids = [aws_default_security_group.dsg.id]
subnet_id = aws_subnet.subnet1.id
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
}
resource "aws_lb_target_group_attachment" "attach2" {
target_group_arn = aws_lb_target_group.test.arn
target_id = aws_instance.inst2.id
port = 80
}
resource "aws_instance" "inst2" {
vpc_security_group_ids = [aws_default_security_group.dsg.id]
subnet_id = aws_subnet.subnet1.id
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
}
resource "aws_lb_target_group_attachment" "attach3" {
target_group_arn = aws_lb_target_group.test.arn
target_id = aws_instance.inst3.id
port = 80
}
resource "aws_instance" "inst3" {
vpc_security_group_ids = [aws_default_security_group.dsg.id]
subnet_id = aws_subnet.subnet1.id
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_lb_listener" "listener55" {
load_balancer_arn = aws_lb.test33.arn
port = 80
default_action {
type = "redirect"
redirect {
port = "80"
protocol = "HTTPS"
status_code = "HTTPS_301"
}
}
}
resource "aws_lb" "test33" {
name = "test123"
load_balancer_type = "application"
subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
internal = true
}
Negative test num. 2 - tf file
provider "aws2" {
profile = "default"
region = "us-west-2"
}
data "aws_availability_zones" "available2" {
state = "available"
}
data "aws_ami" "ubuntu2" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_vpc" "vpc1" {
cidr_block = "10.10.0.0/16"
}
resource "aws_subnet" "subnet12" {
vpc_id = aws_vpc.vpc1.id
cidr_block = "10.10.10.0/24"
availability_zone_id = data.aws_availability_zones.available2.zone_ids[0]
tags = {
Name = "subnet1"
}
}
resource "aws_subnet" "subnet22" {
vpc_id = aws_vpc.vpc1.id
cidr_block = "10.10.11.0/24"
availability_zone_id = data.aws_availability_zones.available2.zone_ids[1]
tags = {
Name = "subnet2"
}
}
resource "aws_lb" "test2" {
name = "test123"
load_balancer_type = "application"
subnets = [aws_subnet.subnet12.id, aws_subnet.subnet22.id]
internal = true
}
resource "aws_lb_target_group" "test2" {
port = 80
protocol = "HTTP"
target_type = "instance"
vpc_id = aws_vpc.vpc1.id
}
resource "aws_default_security_group" "dsg2" {
vpc_id = aws_vpc.vpc1.id
}
resource "aws_lb_listener" "listener2" {
load_balancer_arn = aws_lb.test2.arn
protocol = "HTTPS"
port = 80
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.test2.arn
}
}
resource "aws_lb_target_group_attachment" "attach12" {
target_group_arn = aws_lb_target_group.test2.arn
target_id = aws_instance.inst12.id
port = 80
}
resource "aws_instance" "inst12" {
vpc_security_group_ids = [aws_default_security_group.dsg2.id]
subnet_id = aws_subnet.subnet12.id
ami = data.aws_ami.ubuntu2.id
instance_type = "t3.micro"
}
resource "aws_lb_target_group_attachment" "attach22" {
target_group_arn = aws_lb_target_group.test2.arn
target_id = aws_instance.inst22.id
port = 80
}
resource "aws_instance" "inst22" {
vpc_security_group_ids = [aws_default_security_group.dsg2.id]
subnet_id = aws_subnet.subnet12.id
ami = data.aws_ami.ubuntu2.id
instance_type = "t3.micro"
}
resource "aws_lb_target_group_attachment" "attach32" {
target_group_arn = aws_lb_target_group.test2.arn
target_id = aws_instance.inst32.id
port = 80
}
resource "aws_instance" "inst32" {
vpc_security_group_ids = [aws_default_security_group.dsg2.id]
subnet_id = aws_subnet.subnet12.id
ami = data.aws_ami.ubuntu2.id
instance_type = "t3.micro"
}