
Security Checkup: Force AWS Load Balancers to redirect to HTTPS

When on a hike, you always want to take the most secure path, and not risk taking an unsafe route.  With so many features now in the Cloud, it can be tricky to ensure that all of the traffic in and out of your services is secured over HTTPS, for the safety of both your company and your customers.

In this health/security check, we’ll configure unSkript to run a prebuilt RunBook to ensure that all of our Application Load Balancers in AWS are enforcing HTTPS redirection.

The RunBook

The RunBook we’ll be configuring is called “Enforce HTTP Redirection Across AWS ALB.”  To access this xRunBook, follow these steps (depending on the release being used):

  1. Docker (Open Source): in the Welcome.ipynb landing page, you’ll see this RunBook listed under AWS. Click the link to open.
  2. SAAS (Free Trial): Under “xRunBooks” click the “unSkript xRunBooks” tab to see a list of all of the pre-built RunBooks. Search for the title. Click the 3 dot menu to import this into your library (you’ll need to give the RunBook a new name, and assign a proxy). Once it is saved in your library, open the RunBook in the editor.

This xRunBook has one input parameter – the AWS Region to use.  The default setting is ‘us-west-2’, but this can be changed in the top menu “Parameters.”  Once the input settings are set, there are 3 Actions that are run in this xRunBook:

  1. List all AWS Application Load Balancers: This queries AWS for a full list of all the load balancers in the region.
  2. List all AWS Listeners that do not have HTTP Redirection: This Action takes all of the Load Balancers from step 1 and cycles through them, checking the Listeners attached to each load balancer. Any Listeners that do not redirect to HTTPS are written as output.
  3. Modify Load Balancer Listeners to Enforce HTTP Redirection: This Action iterates through the list created in step 2 and modifies each Listener to enforce the redirect.  If all of the Load Balancers are already enforcing HTTP redirection, it does not run.
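The same three steps can be written directly against the AWS API. The following is an added example, not unSkript's own Action code: the function names, the `apply` flag and the sample listener records are assumptions made for illustration, and the boto3 `elbv2` calls are used as a stand-in for whatever the Actions run internally.

```python
# Added example, not unSkript's Action code. Sample records are constructed.
REDIRECT_TO_HTTPS = [{
    "Type": "redirect",
    "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"},
}]

def redirects_to_https(listener):
    """True if any default action of the listener is a redirect to HTTPS."""
    return any(
        a.get("Type") == "redirect"
        and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in listener.get("DefaultActions", [])
    )

def non_redirecting_listeners(listeners):
    """Step 2: ARNs of HTTP listeners lacking an HTTPS redirect (default actions only)."""
    return [
        lst["ListenerArn"] for lst in listeners
        if lst.get("Protocol") == "HTTP" and not redirects_to_https(lst)
    ]

def enforce_redirect(region="us-west-2", apply=False):
    """Steps 1-3 against a live account; needs boto3 and AWS credentials."""
    import boto3  # imported here so the pure checks above run offline
    elbv2 = boto3.client("elbv2", region_name=region)
    flagged = []
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb["Type"] != "application":  # skip network/gateway balancers
                continue
            pages = elbv2.get_paginator("describe_listeners").paginate(
                LoadBalancerArn=lb["LoadBalancerArn"])
            for lp in pages:
                flagged += non_redirecting_listeners(lp["Listeners"])
    if apply:  # step 3: replace the default action with a 301 redirect
        for arn in flagged:
            elbv2.modify_listener(ListenerArn=arn, DefaultActions=REDIRECT_TO_HTTPS)
    return flagged

# Constructed describe_listeners-style records (placeholder ARNs)
SAMPLE = [
    {"ListenerArn": "arn:example:listener/a", "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:example:tg/1"}]},
    {"ListenerArn": "arn:example:listener/b", "Protocol": "HTTP",
     "DefaultActions": REDIRECT_TO_HTTPS},
    {"ListenerArn": "arn:example:listener/c", "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:example:tg/1"}]},
]
```

With `apply=False` the function only reports the flagged listener ARNs, which makes it usable as a read-only audit before any listener is changed. Listener rules beyond the default action are not inspected, so a listener that redirects only on specific paths is still reported.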

In order for this xRunBook to run in your AWS environment, you must have AWS credentials set in your unSkript proxy. Set them up via the instructions in the link. Once they are created, click the configuration button for each Action, and choose the AWS Credentials you would like to be used in this xRunBook.

[Screenshot: the Configuration with an AWS credential set.]

Once all three Actions have the proper Credentials, save the xRunBook, and you are ready to run.

To run interactively, click “Run Action” for each step (in order).  You’ll first get the list of Load Balancers:

[Screenshot: list of AWS load balancers.]

Each load balancer in this list is then checked, listener by listener. If any listeners do not enforce an HTTP redirect, they will appear in the response:

[Screenshot: two load balancers were not redirecting properly.]

Finally, if there are any listeners that need to be updated, the last Action will update the listeners.

[Screenshot: modified listener list.]

If you run the xRunBook a second time for the same region, all of the listeners will pass the 2nd step, and the array will be empty:

[Screenshot: empty results.]

Summary

In this post, we’ve walked through the steps to configure an unSkript RunBook that forces AWS Load Balancers to redirect HTTP to HTTPS.  This pre-built RunBook is installed for free as a part of our open-source library of RunBooks and Actions, and as noted in this post, can be quickly configured to run in your AWS environment.  By regularly running this security check, you can ensure that all traffic passing through your load balancers at AWS is HTTPS, and that your customers’ data is secure.

Want to try it yourself?  Check out our Free Trial, and give us a star on GitHub!
