AWS Config Rule: ALB HTTP To HTTPS Redirection Check

Description: Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured. The rule is also NON_COMPLIANT if one of more HTTP listeners have forwarding to an HTTP listener instead of redirection.

Trigger type: Periodic

AWS Region: All supported AWS regions except Asia Pacific (Osaka), Europe (Milan), Africa (Cape Town) Region

To resolve this manually:

Create an HTTP listener rule that redirects HTTP requests to HTTPS

1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
   
2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
   
3. Select a load balancer, and then choose Listeners, Add listener.
   
4. Note: Skip to step 6 if you already have an HTTP listener.
   
5. For Protocol: port, choose HTTP. You can either keep the default port or specify a custom port.
   
6. For Default actions, choose Add action, redirect to, and then enter port 443 (or a different port if you’re not using the default). For more details, see Rule action types. To save, choose the checkmark icon.
   
7. Note: If you created a new HTTP listener following steps 3-5 above, skip to Create an HTTPS listener.
   
8. Select a load balancer, and then choose HTTP Listener.
   
9. Under Rules, choose View/edit rules.
   
10. Choose Edit Rule to modify the existing default rule to redirect all HTTP requests to HTTPS. Or, insert a rule between the existing rules (if appropriate for your use case).
    
11. Under Then, delete the existing condition. Then, add the new condition with the Redirect to action.
    
12. For HTTPS, enter 443 port.
    
13. Keep the default for the remaining options.
    
14. Note: If you want to change the URL or return code, you can modify these options as needed.
    
15. To save, choose the checkmark icon.
    

Create an HTTPS listener

Note: If you already have an HTTPS listener with a rule to forward requests to the respective target group, skip to Verify that the security group of the Application Load Balancer allows traffic on 443.

1. Choose Listeners, Add listener.
   
2. For Protocol: port, choose HTTPS. Keep the default port or specify a custom port.
   
3. For Default actions, choose Add action, Forward to.
   
4. Select a target group that hosts application instances.
   
5. Select a predefined security policy that's best suited for your configuration.
   
6. Choose Default Security Certificate. (If you don’t have one, you can create a security certificate.)
   
7. Choose Save.
   

Verify that the security group of the Application Load Balancer allows traffic on 443

1. Choose the load balancer's Description.
   
2. Under Security, choose Security group ID.
   
3. Verify the inbound rules. The security group must have an inbound rule that permits traffic on HTTP and HTTPS. If there are no inbound rules, complete the following steps to add them.
   

To add inbound rules (if you don't already have them):

1. Choose Actions, Edit Inbound Rules to modify the security group.
   
2. Choose Add rule.
   
3. For Type, choose HTTPS.
   
4. For Source, choose Custom (0.0.0.0/0 or Source CIDR).
   
5. Choose Save.
   

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here