New rule to check if the Classic Load Balancers serve HTTPS

[santosh-at-github]

'''
#####################################
##           Gherkin               ##
#####################################
Rule Name:
  CLASSIC_ELB_SSL_ENFORCE_CHECK

Description:
  Check whether SSL is enforced on the Amazon Classic Load Balancers either using HTTPS/SSL listeners or by redirecting HTTP traffic to HTTPS.

Trigger:
  Configuration change on AWS::ElasticLoadBalancing::LoadBalancer

Reports on:
  AWS::ElasticLoadBalancing::LoadBalancer

Rule Parameters:
  HttpsRedirectionCheck
   Optional
   A boolean parameter to check if HTTP to HTTPS traffic redirection is enabled. Default is True.

Scenarios:
  Scenario: 1
     Given: Parameter HttpsRedirectionCheck is configured
       And: It is not either True or False
      Then: Return an error
  Scenario: 2
     Given: CLB has only TCP listeners(s)
      Then: Return NON_COMPLIANT with Annotation "CLB {CLB_Name} has no HTTPS or SSL listeners configured."
  Scenario: 3
     Given: CLB has no HTTPS or SSL listeners(s)
      Then: Return NON_COMPLIANT with Annotation "CLB {CLB_Name} has no HTTPS or SSL listeners configured."
  Scenario: 4
     Given: CLB has HTTPS/SSL and HTTP listeners
       And: The parameter HttpsRedirectionCheck is False
      Then: Return NON_COMPLAINT with Annotation "CLB {CLB_Name} has HTTP listener(s) configured."
  Scenario: 5
     Given: CLB has HTTPS/SSL and HTTP listeners
       And: The parameter HttpsRedirectionCheck is True
       And: HTTP to HTTPS redirection is not enabled
      Then: Return NON_COMPLAINT with Annotation "CLB {CLB_Name} serves HTTP traffic without redirecting to HTTPS."
  Scenario: 6
     Given: CLB has HTTPS/SSL and HTTP listeners
       And: The parameter HttpsRedirectionCheck is True
       And: HTTP to HTTPS redirection is enabled
      Then: Return COMPLAINT
  Scenario: 7
     Given: CLB has HTTPS/SSL listener(s) only
      Then: Return COMPLAINT
'''

[santosh-at-github]

@jongogogo Please review the gherkin and let me know in case of any changes required.

[jongogogo]

See my comments: https://github.com/awslabs/aws-config-rules/issues/190 I suggest we finish the gherkin on ALB first, then adapt for CLB :)

[santosh-at-github]

Sure @jongogogo, I will do it after ALB Gherkin is complete, but I have some suggestions and questions

• In our documentation we have HTTP, HTTPS, TCP and SSL listeners for CLB. It doesn't list SSL as TLS/SSL listener, do you still want me change SSL to TLS/SSL in the Gherkin?

• Since CLB supports both L7 and L4 listeners, by HTTPS/SSL, I meant HTTPS or SSL listeners, I will change this one.

• "Need a parameter comma-separated list on the SSL policies". Are you suggesting to use SSL policies also to check if a Load Balancer is Complaint or not?

• For your last comment on issue #190, I am ok to create two separate rules for HTTPS,SSL listeners and HTTP to HTTPS redirection check, however I was thinking of below about this approach:

  • Our end goal for this rule is to inform rule user if their CLB has SSL enforced or not (on L7 or L4 or both). If we have two different rule to check if SSL is enforced or not, then how we are going to make a decision about compliance status of the CLB?
  • Or you are suggesting that we can have two different rules with it's own independent compliance status?

[jongogogo]

1. Yes, SSL to TLS/SSL. SSL is the old protocol (and mainly retired), but it became a synonym to encryption in transit for HTTPS. The security community is naming as TLS/SSL sometimes.
2. OK for L4 to L7, it is a bit more tricky than ALB indeed.
3. The SSL policies is because certain policies are allowed by PCI DSS (for example) and others are not. So customers must have the ability to check that.