Ensure one target group is configured to listen on HTTPS for AWS Load Balancer

HIGH

Description

If an AWS Load Balancer has no target group listening on HTTPS, traffic between the load balancer and its targets is sent unencrypted, so end-to-end encryption is not in place. This could impact the confidentiality of data in transit.

Remediation

In the console, a target group's protocol can only be set when the group is created. To change the protocol, create a new target group with the desired protocol and register the existing targets with it. Once the configuration is complete, associate the new target group with the appropriate load balancer.

In AWS Console -

  1. Sign in to the AWS Console and open the EC2 Console.
  2. Under Load Balancing, select Target Groups.
  3. Follow the steps in the wizard to create a new target group with HTTPS set as the protocol.

In Terraform -

  1. In the aws_lb_target_group resource, set the protocol argument to HTTPS (and the port to the TLS port the targets serve on, typically 443).
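As an added Terraform example (not part of this policy page), the non-compliant HTTP-only target group is shown beside the compliant HTTPS one, wired to an HTTPS listener; `var.vpc_id`, `var.lb_arn`, `var.certificate_arn` and `var.instance_id` are assumed placeholders for real values.

```hcl
# Added example; resource names and var.* references are placeholders.

# Non-compliant: the target group speaks plain HTTP to the targets, so
# traffic is decrypted at the load balancer and forwarded in the clear.
resource "aws_lb_target_group" "app_http" {
  name     = "app-http-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

# Compliant: the target group listens on HTTPS, so the load balancer
# re-encrypts traffic to the targets. Targets must serve TLS on port 443.
resource "aws_lb_target_group" "app_https" {
  name     = "app-https-tg"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  # Health checks should use the same encrypted protocol as the targets.
  health_check {
    protocol = "HTTPS"
    path     = "/healthz"
    matcher  = "200"
  }
}

# Front-end listener terminates client TLS, then forwards to the HTTPS group.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.lb_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app_https.arn
  }
}

# Register the existing target with the new HTTPS group (see the console
# note above: a target group's protocol cannot be changed in place).
resource "aws_lb_target_group_attachment" "app" {
  target_group_arn = aws_lb_target_group.app_https.arn
  target_id        = var.instance_id
  port             = 443
}
```

Once the HTTPS group is in use, the `app_http` group can be removed so no plaintext path to the targets remains.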

References:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group

Policy Details

Rule Reference ID: AC_AWS_0453
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: Load Balancer

Frameworks