AWS securityhub documentation change
Summary
Updated formatting of AWS Config rule links by removing backticks in multiple sections
Security assessment
Formatting changes to hyperlinks do not alter security content or address vulnerabilities. These are purely documentation presentation updates.
Diff
diff --git a/securityhub/latest/userguide/elb-controls.md b/securityhub/latest/userguide/elb-controls.md index 38126a09b..92e8008b9 100644 --- a//securityhub/latest/userguide/elb-controls.md +++ b//securityhub/latest/userguide/elb-controls.md @@ -5 +5 @@ -[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination[ELB.4] Application Load Balancer should be configured to drop invalid http headers[ELB.5] Application and Classic Load Balancers logging should be enabled[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled[ELB.7] Classic Load Balancers should have connection draining enabled[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled[ELB.10] Classic Load Balancer should span multiple Availability Zones[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies +[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination[ELB.4] Application Load Balancer should be configured to drop invalid http headers[ELB.5] Application and Classic Load Balancers logging should be enabled[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled[ELB.7] Classic Load Balancers should have connection draining enabled[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled[ELB.10] Classic Load Balancer should span multiple Availability Zones[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit @@ -21 +21 @@ These AWS Security Hub controls evaluate the Elastic Load Balancing service and -**AWS Config rule:** [`alb-http-to-https-redirection-check`](https://docs.aws.amazon.com/config/latest/developerguide/alb-http-to-https-redirection-check.html) +**AWS Config rule:** [alb-http-to-https-redirection-check](https://docs.aws.amazon.com/config/latest/developerguide/alb-http-to-https-redirection-check.html) @@ -51 +51 @@ For instructions on editing an existing rule, see [Edit a rule](https://docs.aws -**AWS Config rule:** [`elb-acm-certificate-required`](https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html) +**AWS Config rule:** [elb-acm-certificate-required](https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html) @@ -77 +77 @@ For information about how to associate an ACM SSL/TLS certificate with a Classic -**AWS Config rule:** [`elb-tls-https-listeners-only`](https://docs.aws.amazon.com/config/latest/developerguide/elb-tls-https-listeners-only.html) +**AWS Config rule:** [elb-tls-https-listeners-only](https://docs.aws.amazon.com/config/latest/developerguide/elb-tls-https-listeners-only.html) @@ -128 +128 @@ To remediate this issue, update your listeners to use the TLS or HTTPS protocol. -**AWS Config rule:** [`alb-http-drop-invalid-header-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html) +**AWS Config rule:** [alb-http-drop-invalid-header-enabled](https://docs.aws.amazon.com/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html) @@ -173 +173 @@ To remediate this issue, configure your load balancer to drop invalid header fie -**AWS Config rule:** [`elb-logging-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/elb-logging-enabled.html) +**AWS Config rule:** [elb-logging-enabled](https://docs.aws.amazon.com/config/latest/developerguide/elb-logging-enabled.html) @@ -199 +199 @@ To enable access logs, see [Step 3: Configure access logs](https://docs.aws.amaz -**AWS Config rule:** [`elb-deletion-protection-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/elb-deletion-protection-enabled.html) +**AWS Config rule:** [elb-deletion-protection-enabled](https://docs.aws.amazon.com/config/latest/developerguide/elb-deletion-protection-enabled.html) @@ -251 +251 @@ To enable connection draining on Classic Load Balancers, see [Configure connecti -**AWS Config rule:** [`elb-predefined-security-policy-ssl-check`](https://docs.aws.amazon.com/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html) +**AWS Config rule:** [elb-predefined-security-policy-ssl-check](https://docs.aws.amazon.com/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html) @@ -282 +282 @@ For information on how to use the predefined security policy `ELBSecurityPolicy- -**AWS Config rule:** [`elb-cross-zone-load-balancing-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/elb-cross-zone-load-balancing-enabled.html) +**AWS Config rule:** [elb-cross-zone-load-balancing-enabled](https://docs.aws.amazon.com/config/latest/developerguide/elb-cross-zone-load-balancing-enabled.html) @@ -306 +306 @@ To enable cross-zone load balancing in a Classic Load Balancer, see [Enable cros -**AWS Config rule:** [`clb-multiple-az`](https://docs.aws.amazon.com/config/latest/developerguide/clb-multiple-az.html) +**AWS Config rule:** [clb-multiple-az](https://docs.aws.amazon.com/config/latest/developerguide/clb-multiple-az.html) @@ -334 +334 @@ To add Availability Zones to a Classic Load Balancer, see [Add or remove subnets -**AWS Config rule:** [`alb-desync-mode-check`](https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html) +**AWS Config rule:** [alb-desync-mode-check](https://docs.aws.amazon.com/config/latest/developerguide/alb-desync-mode-check.html) @@ -363 +363 @@ To update desync mitigation mode of an Application Load Balancer, see [Desync mi -**AWS Config rule:** [`elbv2-multiple-az`](https://docs.aws.amazon.com/config/latest/developerguide/elbv2-multiple-az.html) +**AWS Config rule:** [elbv2-multiple-az](https://docs.aws.amazon.com/config/latest/developerguide/elbv2-multiple-az.html) @@ -391 +391 @@ To add an Availability Zone to an Application Load Balancer, see [Availability Z -**AWS Config rule:** [`clb-desync-mode-check`](https://docs.aws.amazon.com/config/latest/developerguide/clb-desync-mode-check.html) +**AWS Config rule:** [clb-desync-mode-check](https://docs.aws.amazon.com/config/latest/developerguide/clb-desync-mode-check.html) @@ -420 +420 @@ To update desync mitigation mode on a Classic Load Balancer, see [Modify desync -**AWS Config rule:** [`alb-waf-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html) +**AWS Config rule:** [alb-waf-enabled](https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html) @@ -457,0 +458,22 @@ For information about recommended security policies and how to update listeners, +## [ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit + +**Category:** Protect > Data Protection > Encryption of data-in-transit + +**Severity:** Medium + +**Resource type:** `AWS::ElasticLoadBalancingV2::Listener` + +**AWS Config rule:** [elbv2-listener-encryption-in-transit](https://docs.aws.amazon.com/config/latest/developerguide/elbv2-listener-encryption-in-transit.html) + +**Schedule type:** Change triggered + +**Parameters:** None + +This control checks whether the listener for an Application Load Balancer or Network Load Balancer is configured to use a secure protocol for encryption of data in transit. The control fails if an Application Load Balancer listener isn't configured to use the HTTPS protocol, or a Network Load Balancer listener isn't configured to use the TLS protocol. + +To encrypt data that's transmitted between a client and a load balancer, Elastic Load Balancer listeners should be configured to use industry-standard security protocols: HTTPS for Application Load Balancers, or TLS for Network Load Balancers. Otherwise, data that's transmitted between a client and a load balancer is vulnerable to interception, tampering, and unauthorized access. Use of HTTPS or TLS by a listener aligns with security best practices and helps ensure the confidentiality and integrity of data during transmission. This is particularly important for applications that handle sensitive information, or must comply with security standards that require encryption of data in transit. + +### Remediation + +For information about configuring security protocols for listeners, see the following sections of the _Elastic Load Balancing User Guides_ : [Create an HTTPS listener for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html) and [Create a listener for your Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html). +