This check assesses Application Load Balancer listeners for encrypted ingress. It passes when the load balancer has only HTTPS listeners, or when every HTTP listener's action is a redirect to HTTPS; an HTTP listener that forwards plaintext traffic to a target group fails.
Risk
HTTP listeners that forward traffic let requests and responses travel in plaintext, enabling interception, credential theft, session hijacking and response tampering. This weakens both confidentiality and integrity and makes man-in-the-middle attacks on public or shared networks feasible.
prowler aws --checks elbv2_ssl_listeners
Recommendation
Enforce TLS everywhere: serve traffic only on HTTPS listeners and make every HTTP listener redirect to HTTPS. Do not forward plaintext from any listener or rule. Apply defense in depth with a current predefined SSL/TLS security policy that rejects TLS 1.0 and 1.1 and with managed certificates, and send a Strict-Transport-Security (HSTS) header so that browsers that have seen the site over HTTPS never issue a plaintext request to it again; the redirect alone still leaves the very first http:// request, and the 301 that answers it, exposed on the wire.
Remediation
aws elbv2 modify-listener --listener-arn <listener_arn> --default-actions '[{"Type":"redirect","RedirectConfig":{"Protocol":"HTTPS","Port":"443","StatusCode":"HTTP_301"}}]'
This changes only the listener's default action. Any non-default rule on the HTTP listener that still forwards traffic bypasses the redirect and must also be changed to a redirect (aws elbv2 modify-rule --rule-arn <rule_arn> --actions ...) or deleted.
- Open the EC2 console and go to Load Balancers
- Select the Application Load Balancer and open the Listeners tab
- Select the HTTP:80 listener and choose Edit (or View/edit rules)
- Set the default action to Redirect to, Protocol: HTTPS, Port: 443, Status code: HTTP_301, and check that no other rule on the listener forwards plaintext traffic
- Save changes
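As an added illustration of the pass/fail logic described at the top of this page and of the rule-level caveat in the remediation, the following Python evaluates listener data shaped like the output of aws elbv2 describe-listeners and describe-rules. It is example code written for this page, not Prowler's own check implementation; the ALB names, ARNs and listener definitions are constructed, and in practice the listeners and rules would be fetched with boto3's elbv2 describe_listeners and describe_rules calls. It goes one step beyond the check description by also inspecting non-default rules, since a path rule that forwards plaintext bypasses a redirecting default action.

```python
"""Evaluate Application Load Balancer listeners for encrypted ingress.

Pass condition used here: every listener is HTTPS, or every HTTP listener's
default action AND every non-default rule on it redirect to HTTPS. A rule that
still forwards plaintext bypasses a redirecting default action, so it fails.
(Example code for this page, not Prowler's implementation.)
"""

# Constructed sample data, shaped like `aws elbv2 describe-listeners` and
# `aws elbv2 describe-rules` output (ARNs and names are made up).
TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/0123456789abcdef"
HTTPS_REDIRECT = {
    "Type": "redirect",
    "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
                       "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"},
}
FORWARD = {"Type": "forward", "TargetGroupArn": TG_ARN}


def listener(protocol, port, default_actions, rules=()):
    """Build one listener dict; `rules` holds only the non-default rules."""
    return {"Protocol": protocol, "Port": port,
            "DefaultActions": list(default_actions), "Rules": list(rules)}


SAMPLE_ALBS = {
    # Only an HTTPS listener: passes.
    "alb-https-only": [listener("HTTPS", 443, [FORWARD])],
    # HTTP listener whose default action redirects to HTTPS: passes.
    "alb-redirect": [listener("HTTP", 80, [HTTPS_REDIRECT]),
                     listener("HTTPS", 443, [FORWARD])],
    # HTTP listener forwarding plaintext to a target group: fails.
    "alb-plaintext": [listener("HTTP", 80, [FORWARD]),
                      listener("HTTPS", 443, [FORWARD])],
    # Default action redirects, but a path rule still forwards plaintext: fails.
    "alb-rule-bypass": [
        listener("HTTP", 80, [HTTPS_REDIRECT],
                 rules=[{"Priority": "10", "IsDefault": False, "Actions": [FORWARD],
                         "Conditions": [{"Field": "path-pattern", "Values": ["/health"]}]}]),
        listener("HTTPS", 443, [FORWARD]),
    ],
}


def redirects_to_https(action):
    """True if the action is a redirect whose target protocol is HTTPS."""
    return (action.get("Type") == "redirect"
            and action.get("RedirectConfig", {}).get("Protocol") == "HTTPS")


def actions_of(lst):
    """Yield (label, action) for the default action and each non-default rule."""
    for action in lst["DefaultActions"]:
        yield "default", action
    for rule in lst.get("Rules", []):
        if rule.get("IsDefault"):  # describe-rules also returns the default rule
            continue
        for action in rule.get("Actions", []):
            yield f"rule:{rule.get('Priority')}", action


def evaluate_alb(name, listeners):
    """Return ("PASS" or "FAIL", list of reasons) for one ALB."""
    reasons = []
    for lst in listeners:
        if lst["Protocol"] != "HTTP":
            continue
        for label, action in actions_of(lst):
            if not redirects_to_https(action):
                reasons.append(f"{name}: HTTP:{lst['Port']} {label} action "
                               f"'{action['Type']}' does not redirect to HTTPS")
    return ("FAIL" if reasons else "PASS", reasons)


def evaluate_all(albs):
    """Map ALB name -> status for a dict of name -> listeners."""
    return {name: evaluate_alb(name, lsts)[0] for name, lsts in albs.items()}


if __name__ == "__main__":
    for name, lsts in SAMPLE_ALBS.items():
        status, reasons = evaluate_alb(name, lsts)
        print(f"{status} {name}")
        for reason in reasons:
            print("  " + reason)
```

Run it and the two ALBs that only redirect or only serve HTTPS pass, while the plaintext-forwarding one and the one with a forwarding /health rule fail; the second failure is the case the console and CLI remediation above can miss if only the default action is edited.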
Source Code
Resource Type
AwsElbv2LoadBalancer