ALB Listening on HTTP

Query id: 275a3217-ca37-40c1-a6cf-bb57d245ab32
Query name: ALB Listening on HTTP
Platform: CloudFormation
Severity: Medium
Category: Networking and Firewall
CWE: 319
URL: Github

Description¶

AWS Application Load Balancer (alb) should not listen on HTTP
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

< Re

Positive test num. 2 - json file

Positive test num. 3 - yaml file

/span>

AWSTemplateFormatVersion: 2010-09-09 sources: MyLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-2a" CrossZone: true Listeners: - InstancePort: '80' InstanceProtocol: HTTPS LoadBalancerPort: '443' class="w">            Protocol: HTTP PolicyNames: - My-SSLNegotiation-Policy SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate Scheme: internal HTTPlistener: Type: "AWS::ElasticLoadBalancingV2::Listener" Properties: DefaultActions: - Type: redirect LoadBalancerArn: !Ref myLoadBalancer Port: 80 class="w">            Protocol: HTTP /span>{ "Resources": { "MyLoadBalancer": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { "CrossZone": true, "Listeners": [ { class="w">            "Protocol": "HTTP", "PolicyNames": [ "My-SSLNegotiation-Policy" ], "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", "InstancePort": "80", "InstanceProtocol": "HTTPS", "LoadBalancerPort": "443" } ], "Scheme": "internal", "AvailabilityZones": [ "us-east-2a" ] } }, "HTTPlistener": { "Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": { "DefaultActions": [ { "Type": "redirect" } ], "LoadBalancerArn": "myLoadBalancer", "Port": 80, class="w">        "Protocol": "HTTP" } } }, "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" } /span>Resources: HTTPlistener: Type: "AWS::ElasticLoadBalancingV2::Listener" Properties: DefaultActions: - Type: "redirect" RedirectConfig: Protocol: "HTTPS" Port: "443" Host: "#{host}" Path: "/#{path}" Query: "#{query}" StatusCode: "HTTP_301" LoadBalancerArn: !Ref myLoadBalancer Port: 80 class="w">     Protocol: "HTTP"
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileAWSTemplateFormatVersion: 2010-09-09
Resources:
    MyLoadBalancer:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '80'
            InstanceProtocol: HTTPS
            LoadBalancerPort: '443'
            Protocol: HTTPS
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          Scheme: internal

Negative test num. 2 - json file{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "CrossZone": true,
        "Listeners": [
          {
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTPS",
            "LoadBalancerPort": "443"
          }
        ],
        "Scheme": "internal",
        "AvailabilityZones": [
          "us-east-2a"
        ]
      }
    }
  }
}