ALB Listening on HTTP

  • Query id: f81d63d2-c5d7-43a4-a5b5-66717a41c895
  • Query name: ALB Listening on HTTP
  • Platform: Ansible
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 319
  • URL: Github

Description

AWS Application Load Balancer (alb) should not listen on HTTP
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: my_elb_application
  community.aws.elb_application_lb:
    name: myelb
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP
        Port: 80
        SslPolicy: ELBSecurityPolicy-2015-05
        Certificates:
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward
            TargetGroupName: targetname
    state: present
- name: my_elb_application2
  community.aws.elb_application_lb:
    name: myelb2
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      Port: 80
      SslPolicy: ELBSecurityPolicy-2015-05
      Certificates:
        - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
      DefaultActions:
        - Type: forward
          TargetGroupName: targetname
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: my_elb_application
  community.aws.elb_application_lb:
    name: myelb
    security_groups:
    - sg-12345678
    - my-sec-group
    subnets:
    - subnet-012345678
    - subnet-abcdef000
    listeners:
    - Protocol: HTTPS
      Port: 80
      SslPolicy: ELBSecurityPolicy-2015-05
      Certificates:
      - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
      DefaultActions:
      - Type: forward
        TargetGroupName: targetname
    state: present
    # trigger validation