Issue Enforcing E2E Encryption on Beanstalk

0

Originally the ALB has two listeners, port 80 (being rerouted to port 443) and port 443 with SSL certificate. Both listeners are forwarding to environment processes using port 80. The instance SG for Load Balancer has ingress for port 80 and 443. Beanstalk ALB defaulted the creation of two egress rules, one for port 80 http and another for port 443 https. I WANT TO MAKE SURE IT IS RETURNING ENCRYPTED, we are enforcing inbound traffic as encrypted by rerouting port 80. If I remove egress port 80 the application stops working. For testing I changed to enable only the https listener and changed the default process to use port 443. Traffic from the 443 listener was being forwarded to the default process. This will impact the instance health status to "severe". I even tried updating the TLS to the recommended policy ELBSecurityPolicy-TLS13-1-2-2021-06, still it didn't work. HOW CAN WE ENFORCE E2E encryption on Beanstalk? I read and followed the steps on the AWS article on this issue, unfortunately health status isn't happy with this. ... Thank you in advance for your help.

2 Answers
1

Hello.

Is an SSL certificate deployed on the EC2 instance of Elastic Beanstalk?
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html

The following documents should also be read together.
https://repost.aws/knowledge-center/elastic-beanstalk-ssl-configuration

EXPERT
answered 8 months ago
  • Thank you for sharing this additional information. What about if I only want to re-encrypt the traffic leaving the ALB?
    Recap: ingress today has listeners for HTTP and HTTPS, with HTTP traffic being re-routed to port 443 at the Load Balancer. The default process being used is using HTTP, port 80. How can I enforce that traffic is re-encrypted at the ALB prior to returning to the client?

  • According to the Elastic Beanstalk documentation the ALB is capable of handling the encryption, decryption and re-encryption automatically even when traffic is forwarded to instances using port 80. So why is it defaulting the ALB egress as port 80? https://aws.amazon.com/blogs/security/hardening-the-security-of-your-aws-elastic-beanstalk-application-the-well-architected-way/

0

AWS Can you confirm if this is correct?

  1. HTTP traffic from the client reaching the ALB on the VPC public subnet is automatically rerouted to use HTTPS
  2. The ALB decrypts the HTTPS traffic and forwards it to the VPC instance private subnet using the port on the default process (80)
  3. Internally to the VPC the information is being processed unencrypted using port 80, and is returned to the ALB using port 80. Therefore the VPC has ingress port 80 with source traffic from the ALB, and all egress traffic from VPC private subnets uses port 80 as well.
  4. The ALB receives unencrypted traffic from the VPC instance private subnet, re-encrypts the traffic and returns the encrypted traffic to the client using port 443 HTTPS. Therefore it seems to me that the ALB SG needs HTTP and HTTPS egress entries. IS THIS CORRECT?
answered 8 months ago
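The question and both answers come down to two settings: whether the port 80 listener is still open, and which protocol the ALB uses to reach the instances. As an added example (not code from the thread or from AWS), here is a small audit of Elastic Beanstalk option settings that flags the hops that are still plaintext, run over two constructed settings lists: the asker's ALB-only TLS layout and the end-to-end layout from the linked AWS guide (the certificate ARN is a placeholder).

```python
# Audit Elastic Beanstalk option settings for end-to-end TLS behind an ALB.
# Constructed example: the two settings lists mirror the OptionSettings shape
# returned by boto3's elasticbeanstalk.describe_configuration_settings(), so
# the same check can be pointed at a live environment.

PROC = "aws:elasticbeanstalk:environment:process:default"
CERT = "arn:aws:acm:REGION:ACCOUNT-ID:certificate/PLACEHOLDER"  # placeholder


def opt(namespace, name, value):
    return {"Namespace": namespace, "OptionName": name, "Value": value}


# Constructed: TLS terminated at the ALB only (the asker's setup). The port 80
# listener stays enabled and the ALB talks plain HTTP to the instances on 80.
TLS_AT_ALB_ONLY = [
    opt("aws:elbv2:listener:default", "ListenerEnabled", "true"),
    opt("aws:elbv2:listener:443", "Protocol", "HTTPS"),
    opt("aws:elbv2:listener:443", "SSLCertificateArns", CERT),
    opt(PROC, "Port", "80"),
    opt(PROC, "Protocol", "HTTP"),
]

# Constructed: end-to-end TLS as in the AWS end-to-end guide. The HTTP listener
# is disabled and the default process speaks HTTPS on 443; this also moves the
# health check to HTTPS, so the instances must terminate TLS themselves.
END_TO_END = [
    opt("aws:elbv2:listener:default", "ListenerEnabled", "false"),
    opt("aws:elbv2:listener:443", "Protocol", "HTTPS"),
    opt("aws:elbv2:listener:443", "SSLCertificateArns", CERT),
    opt("aws:elbv2:listener:443", "SSLPolicy", "ELBSecurityPolicy-TLS13-1-2-2021-06"),
    opt(PROC, "Port", "443"),
    opt(PROC, "Protocol", "HTTPS"),
    opt(PROC, "HealthCheckPath", "/"),
]


def audit_end_to_end(options):
    """Return findings; an empty list means every hop is TLS per the settings."""
    s = {(o["Namespace"], o["OptionName"]): o["Value"] for o in options}
    findings = []
    # Conservative: a redirect rule added directly on the ALB is not visible in
    # option settings, so an enabled port 80 listener is always reported.
    if s.get(("aws:elbv2:listener:default", "ListenerEnabled"), "true").lower() != "false":
        findings.append("port 80 HTTP listener is enabled")
    if s.get(("aws:elbv2:listener:443", "Protocol")) != "HTTPS":
        findings.append("no HTTPS listener on port 443")
    elif not s.get(("aws:elbv2:listener:443", "SSLCertificateArns")):
        findings.append("HTTPS listener has no certificate")
    if s.get((PROC, "Protocol")) != "HTTPS":
        findings.append("ALB forwards to instances over plain HTTP")
    if s.get((PROC, "Port")) != "443":
        findings.append("default process port is not 443")
    return findings
```

Setting the default process to HTTPS on 443 makes the ALB health check an HTTPS request to the instance, so the instance web server must actually serve TLS on 443 (the end-to-end guide linked above covers installing the certificate on the instance); without that the environment reports Severe, which matches the symptom in the question.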
