Skip to main content

More Info:

Ensure that ELB listeners have at least one ACM certificate configured

Risk Level

Medium

Address

Security

Compliance Standards

CBP,RBI_UCB,RBI_MD_ITF

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration of ELB Listeners should have at least one ACM certificate in AWS Elastic Load Balancer using the AWS console, follow these steps:
  1. Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to the AWS Management Console.
  2. Navigate to the EC2 Dashboard: Click on the “Services” dropdown menu at the top left corner of the console, then select “EC2” under the “Compute” section.
  3. Go to the Load Balancers Section: In the EC2 Dashboard, under the “Load Balancing” section in the navigation pane on the left, click on “Load Balancers”.
  4. Select the Load Balancer: Select the ELB for which you want to add an ACM certificate.
  5. Edit Listener: In the Description tab of the selected ELB, click on the “Listeners” tab, then click on the pencil icon to edit the listener configuration.
  6. Add ACM Certificate: In the listener configuration, select the HTTPS protocol, and in the Certificate section, choose “Change” to add an ACM certificate. If you don’t have an ACM certificate, you can request one in the ACM console.
  7. Choose ACM Certificate: Select the ACM certificate that you want to associate with the ELB listener from the dropdown list.
  8. Save Changes: Click on the “Save” button to apply the changes to the ELB listener configuration.
  9. Verify Configuration: After saving the changes, verify that the ACM certificate is successfully associated with the ELB listener by checking the listener configuration.
By following these steps, you can remediate the misconfiguration of ELB listeners not having at least one ACM certificate in AWS Elastic Load Balancer using the AWS console.

To remediate the misconfiguration of ELB Listeners not having at least one ACM certificate in AWS using AWS CLI, follow these steps:
  1. List all the load balancers in your AWS account to identify the affected ELB:
aws elb describe-load-balancers
  1. Get the details of the affected ELB to identify the listeners that do not have ACM certificates associated with them:
aws elb describe-listeners --load-balancer-name YOUR_LOAD_BALANCER_NAME
  1. Identify the listener(s) that do not have an ACM certificate associated with them. Note down the port number of the listener that needs to be updated.
  2. Create or import an ACM certificate in the AWS Certificate Manager (ACM) that you want to associate with the ELB listener.
  3. Get the ARN of the ACM certificate that you want to associate with the ELB listener: 
aws acm list-certificates
  1. Update the listener of the affected ELB to associate it with the ACM certificate using the following command:
aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name YOUR_LOAD_BALANCER_NAME --load-balancer-port LISTENER_PORT --ssl-certificate-id ACM_CERTIFICATE_ARN
Replace YOUR_LOAD_BALANCER_NAME with the name of your ELB, LISTENER_PORT with the port number of the listener that needs to be updated, and ACM_CERTIFICATE_ARN with the ARN of the ACM certificate you want to associate.
  1. Verify that the listener has been updated successfully by describing the listener again:
aws elb describe-listeners --load-balancer-name YOUR_LOAD_BALANCER_NAME
By following these steps, you can remediate the misconfiguration of ELB Listeners not having at least one ACM certificate associated with them in AWS using AWS CLI.
To remediate the misconfiguration of ELB Listeners not having at least one ACM certificate in AWS using Python, you can follow these steps:
  1. Install the necessary Python libraries:
pip install boto3
  1. Use the following Python script to check and attach an ACM certificate to the ELB listener:
import boto3

elb_client = boto3.client('elbv2')

# Specify the ARN of the ACM certificate
acm_certificate_arn = 'YOUR_ACM_CERTIFICATE_ARN'

# Specify the ARN of the ELB
elb_arn = 'YOUR_ELB_ARN'

# Get the list of listeners for the ELB
response = elb_client.describe_listeners(LoadBalancerArn=elb_arn)

# Check if any listener does not have an ACM certificate attached
for listener in response['Listeners']:
    if 'SslPolicy' in listener and 'Certificates' not in listener['SslPolicy']:
        # Attach the ACM certificate to the listener
        elb_client.modify_listener(
            ListenerArn=listener['ListenerArn'],
            Certificates=[
                {
                    'CertificateArn': acm_certificate_arn
                }
            ]
        )
        print(f"ACM certificate attached to listener {listener['ListenerArn']}")
  1. Replace YOUR_ACM_CERTIFICATE_ARN and YOUR_ELB_ARN with the actual ACM certificate ARN and ELB ARN respectively.
  2. Run the Python script to check and attach the ACM certificate to the ELB listener.
By following these steps, you can remediate the misconfiguration of ELB Listeners not having at least one ACM certificate in AWS using Python.