Network Load Balancers with listeners using the TLS protocol indicate TLS termination at the load balancer. The evaluation identifies NLBs that have at least one TLS listener versus those using plain TCP/UDP or deferring encryption to targets.
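The evaluation above can be reproduced offline. The following is an added example, not Prowler's own check source: it works on the listener structure returned by the AWS API (elbv2 DescribeListeners, which returns `Listeners` with `Protocol`, `Port`, `SslPolicy` and `LoadBalancerArn`), so real data from `boto3` can be fed to it unchanged. The allowlist of acceptable security policies beyond the one named in the remediation command, the `evaluate_nlb`/`evaluate_all` helper names and the sample listener data are assumptions constructed for this example.

```python
"""Classify Network Load Balancers by whether they terminate TLS.

Added example, not Prowler's own source. With boto3 the listener list for a
real NLB is obtained with:

    elbv2 = boto3.client("elbv2")
    listeners = elbv2.describe_listeners(LoadBalancerArn=arn)["Listeners"]

Results from several load balancers can be concatenated and passed to
evaluate_all(). The sample data at the bottom is constructed for this example.
"""
from collections import defaultdict

# Security policies treated as acceptable. The first is the policy used by the
# remediation command on this page; the other entries are an assumption and
# should be replaced by the organisation's own approved list.
MODERN_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
}


def evaluate_nlb(lb_arn, listeners, allowed_policies=MODERN_SSL_POLICIES):
    """Return a finding for one NLB given its listeners.

    status is "PASS" when at least one listener uses the TLS protocol
    (TLS terminated at the load balancer) and "FAIL" otherwise, i.e. the NLB
    only passes TCP/UDP through and any encryption is handled by the targets.
    weak_policies lists TLS listeners whose SslPolicy is outside the allowlist,
    which is the "deprecated protocol" condition the recommendation asks to
    monitor for.
    """
    tls_listeners = [l for l in listeners if l.get("Protocol") == "TLS"]
    weak = [
        (l["Port"], l.get("SslPolicy"))
        for l in tls_listeners
        if l.get("SslPolicy") not in allowed_policies
    ]
    return {
        "load_balancer_arn": lb_arn,
        "status": "PASS" if tls_listeners else "FAIL",
        "tls_ports": sorted(l["Port"] for l in tls_listeners),
        "non_tls_ports": sorted(
            (l.get("Protocol"), l["Port"]) for l in listeners if l.get("Protocol") != "TLS"
        ),
        "weak_policies": weak,
    }


def evaluate_all(listeners):
    """Group a flat list of listeners by LoadBalancerArn and evaluate each NLB."""
    by_lb = defaultdict(list)
    for l in listeners:
        by_lb[l["LoadBalancerArn"]].append(l)
    return {arn: evaluate_nlb(arn, ls) for arn, ls in by_lb.items()}


# Constructed sample ARNs and listeners (not real resources).
LB_A_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/example-a/0123456789abcdef"
LB_B_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/example-b/123456789abcdef0"
LB_C_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/example-c/23456789abcdef01"

SAMPLE_LISTENERS = [
    # A: terminates TLS with the policy from the remediation command -> PASS
    {"LoadBalancerArn": LB_A_ARN, "Protocol": "TLS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example"}]},
    # B: plain TCP on 80 and 443; TLS (if any) happens on the targets -> FAIL
    {"LoadBalancerArn": LB_B_ARN, "Protocol": "TCP", "Port": 80},
    {"LoadBalancerArn": LB_B_ARN, "Protocol": "TCP", "Port": 443},
    # C: terminates TLS but with a legacy policy, plus a UDP listener -> PASS with a weak-policy note
    {"LoadBalancerArn": LB_C_ARN, "Protocol": "TLS", "Port": 8443,
     "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"LoadBalancerArn": LB_C_ARN, "Protocol": "UDP", "Port": 53},
]


if __name__ == "__main__":
    for arn, finding in evaluate_all(SAMPLE_LISTENERS).items():
        name = arn.rsplit("/", 2)[-2]
        print(f"{finding['status']:4} {name}: TLS ports {finding['tls_ports']}, "
              f"non-TLS {finding['non_tls_ports']}, weak policies {finding['weak_policies']}")
```

Running the script prints one line per load balancer; a FAIL line corresponds to what the Prowler check reports, and a PASS line with a non-empty weak-policy list is the case the recommendation's "modern cipher policies" point addresses even though TLS termination itself is in place.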
Risk
Without TLS termination at the NLB, data in transit may be left unencrypted or encrypted inconsistently by each instance, undermining confidentiality and integrity. It also shifts the TLS handshake CPU cost onto the targets, reducing availability and leaving them more exposed to connection floods and to downgrade or weak-cipher configurations that are harder to audit when not managed centrally.
prowler aws --checks elbv2_nlb_tls_termination_enabled
Recommendation
Enable TLS listeners to terminate client encryption at the NLB and enforce centralized, modern cipher policies and certificate rotation. Apply defense in depth by re-encrypting to targets when needed, limit backend access to the NLB, and automate certificate lifecycle with secure storage and monitoring for deprecated protocols.
Remediation
aws elbv2 create-listener --load-balancer-arn <nlb_arn> --protocol TLS --port 443 --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 --certificates CertificateArn=<certificate_arn> --default-actions Type=forward,TargetGroupArn=<target_group_arn>
- In the AWS Console, go to EC2 > Load Balancers and select your Network Load Balancer
- Open the Listeners tab and click Add listener
- Set Protocol to TLS and Port to 443
- Select an ACM certificate and a security policy
- Set Default action to Forward to your target group
- Click Save changes
Resource Type
AwsElbv2LoadBalancer