CRITICAL
Source
Trivy/CSPM
CSPM ID
elb-https-only
ID
AVD-AWS-0054

Use of plain HTTP.

Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

Impact

Your traffic is not protected

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for EC2. Step
  3. In the “EC2 Dashboard” scroll down and look for “Load Balancers” and click on “Load Balancers” to get into “Load Balancers” dashboard.Step
  4. Select the “Load Balancer” which needs to be verified. Step
  5. Select the “Listeners” tab from the bottom panel and scroll down to the “Load Balancer Protocol” column. Check for “HTTP” under “Instance Protocol”. Step
  6. On the “Listeners” tab scroll down and click on the “Edit” button to remove non-HTTPS listeners.Step
  7. On “Edit listers” tab remove non-HTTPS listeners by clicking on cross icon at the extreme right and click on the “Save” button to make the necessary changes. Step
  8. ELBs are now configured to only accept the connection on HTTPS ports.

Switch to HTTPS to benefit from TLS security features

1
2
3
resource "aws_alb_listener" "good_example" {
  protocol = "HTTPS"
}