Control: ELB.3 Classic Load Balancer listeners should be configured with HTTPS or TLS termination
This control checks whether the listeners on your Classic Load Balancer use the HTTPS or TLS protocol for front-end (client to load balancer) connections. It applies only to Classic Load Balancers that have at least one listener; a load balancer with no listeners configured produces no finding.
The control passes if every listener on the Classic Load Balancer is configured with TLS or HTTPS for front-end connections.
The control fails if any listener is not configured with TLS or HTTPS for front-end connections (for example, a plain HTTP listener). In the Classic Load Balancer API and console the TLS listener type is named SSL.
Before you can use a load balancer, you must add one or more listeners. A listener is a process that checks for connection requests on the protocol and port you configure. Listeners can use either plaintext (HTTP) or encrypted (HTTPS/TLS) front-end protocols. You should always use an HTTPS or TLS listener, so that the load balancer terminates the encrypted connection and does the work of encryption and decryption in transit. Note that this protects only the client-to-load-balancer leg: the back-end protocol between the load balancer and your instances is configured separately and is not evaluated by this control.
To remediate this issue, update your listeners to use the TLS or HTTPS protocol.
To change all noncompliant listeners to TLS/HTTPS listeners:
- Open the Amazon EC2 console.
- In the navigation pane, choose Load Balancers. Then choose your Classic Load Balancer.
- Choose the Listeners tab, and then choose
- For all listeners where Load Balancer Protocol is not set to HTTPS or SSL, change the setting to HTTPS or SSL.
- For all modified listeners, under SSL Certificate, choose
- For all modified listeners, select Choose a certificate from ACM.
- Select the certificate from the Certificates drop-down list. Then choose
- After you update all of the listeners, choose
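The pass/fail/not-applicable logic described above, and the console remediation, can both be expressed against the output of `aws elb describe-load-balancers`. The following is an added example written for this page; it is not Steampipe's `elb_classic_lb_use_tls_https_listeners` query and not AWS code. The load balancer names, ports and the certificate ARN are constructed sample data shaped like the API's `LoadBalancerDescriptions`, and the remediation uses the real `aws elb delete-load-balancer-listeners` and `aws elb create-load-balancer-listeners` commands rather than the console.

```python
"""ELB.3 as a local check over describe-load-balancers output, plus remediation.

Added example, not Steampipe's query and not AWS code. The dictionaries below
follow the shape of `aws elb describe-load-balancers`; load balancer names,
ports and the certificate ARN are constructed sample data.
"""
from typing import Dict, List

# Front-end protocols that satisfy the control. The Classic Load Balancer API
# and console call the TLS listener type "SSL".
ENCRYPTED_FRONTEND = {"HTTPS", "SSL"}

# Plaintext front-end protocol -> encrypted replacement with the same semantics
# (HTTP stays layer 7, TCP stays layer 4).
ENCRYPTED_EQUIVALENT = {"HTTP": "HTTPS", "TCP": "SSL"}

# Constructed sample ARN; substitute your own ACM certificate.
SAMPLE_CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"

# Constructed sample shaped like LoadBalancerDescriptions from describe-load-balancers.
SAMPLE_LOAD_BALANCERS: List[Dict] = [
    {   # one plaintext listener next to an encrypted one -> fails
        "LoadBalancerName": "web-clb",
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                          "InstanceProtocol": "HTTP", "InstancePort": 8080}},
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                          "InstanceProtocol": "HTTP", "InstancePort": 8080,
                          "SSLCertificateId": SAMPLE_CERT_ARN}},
        ],
    },
    {   # TLS-terminating layer-4 listener -> passes
        "LoadBalancerName": "mq-clb",
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 5671,
                          "InstanceProtocol": "TCP", "InstancePort": 5672,
                          "SSLCertificateId": SAMPLE_CERT_ARN}},
        ],
    },
    {   # no listeners -> the control reports nothing
        "LoadBalancerName": "idle-clb",
        "ListenerDescriptions": [],
    },
]


def evaluate(lb: Dict) -> Dict:
    """Classify one load balancer the way the control does.

    "not_applicable": no listeners, so there is no finding.
    "pass": every listener's front-end protocol is HTTPS or SSL.
    "fail": at least one listener accepts HTTP or TCP from clients.
    """
    listeners = [d["Listener"] for d in lb.get("ListenerDescriptions", [])]
    if not listeners:
        return {"name": lb["LoadBalancerName"], "status": "not_applicable", "noncompliant": []}
    noncompliant = [lsn for lsn in listeners if lsn["Protocol"].upper() not in ENCRYPTED_FRONTEND]
    return {
        "name": lb["LoadBalancerName"],
        "status": "fail" if noncompliant else "pass",
        "noncompliant": noncompliant,
    }


def remediation_commands(lb_name: str, listener: Dict, certificate_arn: str) -> List[str]:
    """AWS CLI calls that swap one plaintext listener for its encrypted equivalent.

    The CLI has no "edit listener" call and rejects a second listener on a port
    already in use, so the plaintext listener is deleted and recreated on the
    same front-end port with HTTPS/SSL and the given certificate. The back-end
    settings (InstanceProtocol/InstancePort) are kept as they were; encrypting
    that leg is outside what this control checks.
    """
    new_protocol = ENCRYPTED_EQUIVALENT[listener["Protocol"].upper()]
    port = listener["LoadBalancerPort"]
    spec = (
        f"Protocol={new_protocol},LoadBalancerPort={port},"
        f"InstanceProtocol={listener['InstanceProtocol']},InstancePort={listener['InstancePort']},"
        f"SSLCertificateId={certificate_arn}"
    )
    return [
        f"aws elb delete-load-balancer-listeners --load-balancer-name {lb_name} --load-balancer-ports {port}",
        f"aws elb create-load-balancer-listeners --load-balancer-name {lb_name} --listeners {spec}",
    ]


def audit(load_balancers: List[Dict], certificate_arn: str) -> Dict[str, Dict]:
    """Evaluate every load balancer and attach remediation commands to failures."""
    results: Dict[str, Dict] = {}
    for lb in load_balancers:
        result = evaluate(lb)
        result["commands"] = [
            cmd
            for lsn in result["noncompliant"]
            for cmd in remediation_commands(result["name"], lsn, certificate_arn)
        ]
        results[result["name"]] = result
    return results


if __name__ == "__main__":
    for name, result in audit(SAMPLE_LOAD_BALANCERS, SAMPLE_CERT_ARN).items():
        print(f"{name}: {result['status']}")
        for cmd in result["commands"]:
            print("  " + cmd)
```

The delete and create calls are not atomic, so clients see a short window with no listener on that port; if that matters, create the HTTPS listener on a new port (for example 443) first, move clients over, and delete the plaintext listener afterwards.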
Run this control with Steampipe:

```bash
steampipe check aws_compliance.control.foundational_security_elb_3
```

This control uses the named query `elb_classic_lb_use_tls_https_listeners`.