Verify that ELB load balancers require TLS termination
Created by Priyanka Chaudhary (AWS)
Summary
On the Amazon Web Services (AWS) Cloud, Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, IP addresses, and AWS Lambda functions. The load balancers use listeners to define the ports and protocols that the load balancer uses to accept traffic from users. Application Load Balancers make routing decisions at the application layer and use the HTTP/HTTPS protocols. Classic Load Balancers make routing decisions at either the transport layer, by using TCP or Secure Sockets Layer (SSL) protocols, or at the application layer, by using HTTP/HTTPS.
This pattern provides a security control that examines multiple event types for Application Load Balancers and Classic Load Balancers. When the function is invoked, AWS Lambda inspects the event and checks whether the load balancer is compliant.
An Amazon CloudWatch Events rule matches the following Elastic Load Balancing API calls: CreateLoadBalancer, CreateLoadBalancerListeners, DeleteLoadBalancerListeners, CreateLoadBalancerPolicy, SetLoadBalancerPoliciesOfListener, CreateListener, DeleteListener, and ModifyListener. When the rule detects one of these API calls, it invokes AWS Lambda, which runs a Python script. The Python script checks whether the listener has an SSL certificate attached and whether the policy applied to the listener uses Transport Layer Security (TLS). If the SSL policy is anything other than TLS, the function sends an Amazon Simple Notification Service (Amazon SNS) notification to the user with the relevant information.
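The following is an added example, not the Lambda code attached to this pattern: a simplified reimplementation of the check the summary describes, written against the response shapes of the Classic (elb) and Application (elbv2) describe APIs. It parses the CloudTrail API-call event to find the affected load balancer, evaluates the listeners for TLS termination, and builds the notification text. All sample events, listener descriptions, policies, and ARNs are constructed for the example; in the deployed function the listener data would come from boto3 describe calls (an assumption about the wiring, noted in the comments).

```python
# Added example (not the pattern's attached Lambda code). Sample data is constructed.

# CloudTrail eventName values that the pattern's CloudWatch Events rule matches.
CLASSIC_EVENTS = {"CreateLoadBalancerListeners", "DeleteLoadBalancerListeners",
                  "CreateLoadBalancerPolicy", "SetLoadBalancerPoliciesOfListener"}
ALB_EVENTS = {"CreateListener", "DeleteListener", "ModifyListener"}


def lb_reference_from_event(event):
    """Return (family, identifier) from a CloudTrail API-call event.
    CreateLoadBalancer exists in both APIs, so the request parameters decide:
    Classic calls carry loadBalancerName, ELBv2 calls carry loadBalancerArn
    (or listenerArn for listener-level calls)."""
    detail = event.get("detail") or {}
    name = detail.get("eventName")
    params = detail.get("requestParameters") or {}
    if name in CLASSIC_EVENTS or (name == "CreateLoadBalancer" and "loadBalancerName" in params):
        return "classic", params.get("loadBalancerName")
    if name in ALB_EVENTS or name == "CreateLoadBalancer":
        return "application", params.get("loadBalancerArn") or params.get("listenerArn")
    return None, None


def policy_attributes(describe_policies_response):
    """Flatten an elb DescribeLoadBalancerPolicies response into
    {policy_name: {attribute_name: attribute_value}}."""
    return {pol["PolicyName"]: {a["AttributeName"]: a["AttributeValue"]
                                for a in pol.get("PolicyAttributeDescriptions", [])}
            for pol in describe_policies_response.get("PolicyDescriptions", [])}


def evaluate_classic_listeners(listener_descriptions, policies):
    """Findings for the ListenerDescriptions of one Classic Load Balancer
    (elb DescribeLoadBalancers). A listener fails when it does not terminate
    TLS at all (HTTP/TCP), has no certificate, or has an SSL negotiation policy
    that enables a protocol other than TLS (e.g. Protocol-SSLv3 = true)."""
    findings = []
    for desc in listener_descriptions:
        listener = desc["Listener"]
        port, proto = listener["LoadBalancerPort"], listener["Protocol"].upper()
        if proto not in ("HTTPS", "SSL"):
            findings.append(f"port {port}: {proto} listener does not terminate TLS")
            continue
        if not listener.get("SSLCertificateId"):
            findings.append(f"port {port}: {proto} listener has no SSL certificate")
        for pname in desc.get("PolicyNames", []):
            attrs = policies.get(pname, {})
            enabled = [k for k, v in attrs.items()
                       if k.startswith("Protocol-") and str(v).lower() == "true"]
            non_tls = sorted(p for p in enabled if not p.startswith("Protocol-TLSv"))
            if non_tls:
                findings.append(f"port {port}: policy {pname} enables non-TLS protocols {non_tls}")
    return findings


def evaluate_alb_listeners(listeners):
    """Findings for the Listeners of one Application Load Balancer (elbv2
    DescribeListeners). ALBs accept only the AWS predefined ELBSecurityPolicy-*
    policies, which are TLS-only, so the checks are protocol and certificate."""
    findings = []
    for lis in listeners:
        port, proto = lis["Port"], lis["Protocol"].upper()
        if proto != "HTTPS":
            findings.append(f"port {port}: {proto} listener does not terminate TLS")
            continue
        if not lis.get("Certificates"):
            findings.append(f"port {port}: HTTPS listener has no certificate")
        if not str(lis.get("SslPolicy", "")).startswith("ELBSecurityPolicy-"):
            findings.append(f"port {port}: unexpected SSL policy {lis.get('SslPolicy')!r}")
    return findings


def build_notification(lb_id, findings):
    """Subject/Message pair in the shape sns.publish takes (assumed wiring)."""
    return {"Subject": f"ELB TLS termination violation: {lb_id}",
            "Message": f"Load balancer {lb_id} has {len(findings)} finding(s):\n"
                       + "\n".join(f"- {f}" for f in findings)}


# --- constructed sample data (not real resources) ---------------------------
SAMPLE_CLASSIC_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "elasticloadbalancing.amazonaws.com",
               "eventName": "SetLoadBalancerPoliciesOfListener",
               "requestParameters": {"loadBalancerName": "legacy-clb",
                                     "loadBalancerPort": 443,
                                     "policyNames": ["legacy-ssl-policy"]}}}
SAMPLE_CLASSIC_LISTENERS = [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"},
     "PolicyNames": ["legacy-ssl-policy"]},
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []},
]
SAMPLE_CLASSIC_POLICIES = policy_attributes({"PolicyDescriptions": [
    {"PolicyName": "legacy-ssl-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [{"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
                                     {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"}]}]})
SAMPLE_ALB_LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"}]},
    {"Port": 80, "Protocol": "HTTP"},
]

if __name__ == "__main__":
    family, lb_id = lb_reference_from_event(SAMPLE_CLASSIC_EVENT)
    findings = evaluate_classic_listeners(SAMPLE_CLASSIC_LISTENERS, SAMPLE_CLASSIC_POLICIES)
    print(build_notification(lb_id, findings)["Message"])
    print(evaluate_alb_listeners(SAMPLE_ALB_LISTENERS))
```

In the deployed function, the listener descriptions would be fetched with the elb client's describe_load_balancers and describe_load_balancer_policies (Classic) or the elbv2 client's describe_listeners (Application), and the notification would be passed to sns.publish; that wiring is omitted here so the check logic runs offline. Because the control only reacts to the listed API calls, a plain HTTP listener that already existed before deployment is not reported until something changes it, which is the limitation stated below.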
Prerequisites and limitations
Prerequisites
An active AWS account
Limitations
This security control does not check for existing load balancers, unless an update is made to the load balancer listeners.
This security control is regional. You must deploy it in each AWS Region you want to monitor.
Architecture
Target architecture

Automation and scale
If you are using AWS Organizations, you can use AWS CloudFormation StackSets to deploy this template to the multiple accounts that you want to monitor.
Tools
AWS services
AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually.
Amazon CloudWatch Events – Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources.
AWS Lambda – AWS Lambda is a compute service that supports running code without provisioning or managing servers.
Amazon S3 – Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that can be used for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.
Amazon SNS – Amazon Simple Notification Service (Amazon SNS) coordinates and manages the delivery or sending of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.
Code
This pattern includes the following attachments:
ELBRequirestlstermination.zip – The Lambda code for the security control.
ELBRequirestlstermination.yml – The CloudFormation template that sets up the event and Lambda function.
Epics
Task | Description | Skills required |
---|---|---|
Define the S3 bucket. | On the Amazon S3 console | Cloud architect |
Upload the Lambda code. | Upload the Lambda code ( | Cloud architect |
Task | Description | Skills required |
---|---|---|
Launch the AWS CloudFormation template. | Open the AWS CloudFormation console | Cloud architect |
Complete the parameters in the template. | When you launch the template, you'll be prompted for the following information: | Cloud architect |
Task | Description | Skills required |
---|---|---|
Confirm the subscription. | When the CloudFormation template deploys successfully, it sends a subscription email to the email address you provided. You must confirm this email subscription to start receiving violation notifications. | Cloud architect |
Related resources
Creating a stack on the AWS CloudFormation console (AWS CloudFormation documentation)
What is AWS Lambda? (AWS Lambda documentation)
What is a Classic Load Balancer? (ELB documentation)
What is an Application Load Balancer? (ELB documentation)
Attachments
To access additional content that is associated with this document, unzip the following file: attachment.zip