AWS ALB should redirect HTTP to HTTPS

firetail:aws-alb-http-not-redirected-to-https

Type:

CSPM

Rule Severity:

Info

The Application Load Balancer is configured with a listener on port 80 that does not redirect HTTP requests to HTTPS on port 443.

This leaves communication unencrypted, exposing data to potential interception and man-in-the-middle (MITM) attacks. Enforcing HTTPS ensures that data transmitted between clients and the server is encrypted, protecting sensitive information and maintaining compliance with security best practices.

Remediation

Update the Application Load Balancer's listener configuration by adding a rule that redirects all HTTP requests on port 80 to HTTPS on port 443. This ensures all traffic is encrypted using TLS, significantly improving the security of data in transit.
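Added example in Python (not FireTail's or AWS's own code): it evaluates listener descriptions in the shape the ELBv2 DescribeListeners API returns for the condition this rule describes, and builds the redirect default action the remediation calls for; the sample listener data and ARNs are constructed.

```python
# Added example (not FireTail's own code): flags ALB port-80 HTTP listeners whose default
# action is not an HTTPS:443 redirect, and builds the redirect action that fixes them.
# Dict shapes follow the AWS ELBv2 DescribeListeners / ModifyListener API.

# The remediation: a redirect default action for the port-80 listener, e.g. passed as
# `--default-actions` to `aws elbv2 modify-listener`. #{host}/#{path}/#{query} keep the
# original URL; HTTP_301 makes the redirect permanent.
HTTPS_REDIRECT_ACTION = {
    "Type": "redirect",
    "RedirectConfig": {
        "Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
        "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301",
    },
}

def redirects_to_https(action: dict) -> bool:
    """True if a listener action is a redirect whose target is HTTPS on port 443."""
    if action.get("Type") != "redirect":
        return False
    cfg = action.get("RedirectConfig", {})
    return cfg.get("Protocol") == "HTTPS" and str(cfg.get("Port")) == "443"

def find_non_redirecting_http_listeners(listeners: list) -> list:
    """ARNs of HTTP listeners on port 80 whose default actions lack an HTTPS redirect."""
    findings = []
    for lst in listeners:
        if lst.get("Protocol") != "HTTP" or lst.get("Port") != 80:
            continue
        if not any(redirects_to_https(a) for a in lst.get("DefaultActions", [])):
            findings.append(lst["ListenerArn"])
    return findings

def remediate_listener(listener: dict) -> dict:
    """Copy of the listener with the HTTPS redirect as its only default action."""
    return {**listener, "DefaultActions": [HTTPS_REDIRECT_ACTION]}

# Constructed sample in the shape of `aws elbv2 describe-listeners` output (fake ARNs).
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/demo/1/80",
     "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/demo/tg"}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/demo/1/443",
     "Port": 443, "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/demo/tg"}]},
]

if __name__ == "__main__":
    for arn in find_non_redirecting_http_listeners(SAMPLE_LISTENERS):
        print("finding:", arn, "-> apply", remediate_listener({"ListenerArn": arn})["DefaultActions"])
```

The redirect protects only requests made after the client follows it; whatever a client already sent in its first plaintext request to port 80 is exposed, so the backend should not accept credentials over HTTP even with the redirect in place.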

Example Attack Scenario

An attacker intercepts HTTP requests sent to the ALB on port 80 using a MITM attack. They are able to view sensitive data, such as login credentials or session tokens, being transmitted in plaintext. Without HTTPS redirection, users remain vulnerable to these types of attacks. By redirecting HTTP to HTTPS, all communication is encrypted, preventing attackers from exploiting intercepted data.
