Findings
AWS ALB should redirect HTTP to HTTPS
Updated: July 4, 2025
Description
The Application Load Balancer is configured with a listener on port 80 that does not redirect HTTP requests to HTTPS on port 443.
This leaves communication unencrypted, exposing data to potential interception and man-in-the-middle (MITM) attacks. Enforcing HTTPS ensures that data transmitted between clients and the server is encrypted, protecting sensitive information and maintaining compliance with security best practices.
Example Attack
An attacker intercepts HTTP requests sent to the ALB on port 80 using a MITM attack. They are able to view sensitive data, such as login credentials or session tokens, being transmitted in plaintext. Without HTTPS redirection, users remain vulnerable to these types of attacks. By redirecting HTTP to HTTPS, all communication is encrypted, preventing attackers from exploiting intercepted data.
Remediation
Update the Application Load Balancer's listener configuration by adding a rule that redirects all HTTP requests on port 80 to HTTPS on port 443. This ensures all traffic is encrypted using TLS, significantly improving the security of data in transit.
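The check and the fix described above, as an added example that is not part of the original finding page: a detection function run over a constructed sample in the shape returned by `aws elbv2 describe-listeners`, plus the redirect default action (the real ALB `redirect` action shape with its `#{host}`/`#{path}`/`#{query}` placeholders) that remediates the port 80 listener. All ARNs are placeholders and nothing here contacts AWS; the boto3 call mentioned in the comments is how you would apply the same action for real.

```python
"""Added example: detect an ALB HTTP:80 listener that does not redirect to
HTTPS:443, and build the redirect default action that fixes it.
Not the scanner's own code; ARNs below are constructed placeholders."""
import copy
import json

# Constructed sample in the shape of `aws elbv2 describe-listeners` output:
# the HTTP:80 listener forwards to a target group (the finding), the
# HTTPS:443 listener is the one the redirect should point at.
SAMPLE_LISTENERS = {
    "Listeners": [
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:"
                           "listener/app/example-alb/PLACEHOLDER/http80",
            "Port": 80,
            "Protocol": "HTTP",
            "DefaultActions": [
                {"Type": "forward",
                 "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:"
                                   "ACCOUNT:targetgroup/example-tg/PLACEHOLDER"}
            ],
        },
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:"
                           "listener/app/example-alb/PLACEHOLDER/https443",
            "Port": 443,
            "Protocol": "HTTPS",
            "DefaultActions": [
                {"Type": "forward",
                 "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:"
                                   "ACCOUNT:targetgroup/example-tg/PLACEHOLDER"}
            ],
        },
    ]
}


def is_https_redirect(action):
    """True when a listener action redirects to HTTPS on 443 (remediated state).
    RedirectConfig.Port is a string in the ELBv2 API, hence the "443" literal."""
    if action.get("Type") != "redirect":
        return False
    cfg = action.get("RedirectConfig", {})
    return cfg.get("Protocol") == "HTTPS" and cfg.get("Port") == "443"


def find_unredirected_http_listeners(listeners):
    """Return ARNs of HTTP listeners whose default actions are not all
    HTTPS redirects. This is the condition the finding reports."""
    flagged = []
    for lst in listeners["Listeners"]:
        if lst.get("Protocol") != "HTTP":
            continue
        actions = lst.get("DefaultActions", [])
        if not actions or not all(is_https_redirect(a) for a in actions):
            flagged.append(lst["ListenerArn"])
    return flagged


def https_redirect_action(status_code="HTTP_301"):
    """Default action that sends every HTTP request to HTTPS:443 while keeping
    host, path and query. The #{...} tokens are ALB redirect placeholders."""
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS",
            "Port": "443",
            "Host": "#{host}",
            "Path": "/#{path}",
            "Query": "#{query}",
            "StatusCode": status_code,
        },
    }


def remediation_command(listener_arn):
    """AWS CLI command that replaces the listener's default action in place.
    With boto3 the equivalent is
    elbv2.modify_listener(ListenerArn=..., DefaultActions=[https_redirect_action()])."""
    actions = json.dumps([https_redirect_action()])
    return (f"aws elbv2 modify-listener --listener-arn {listener_arn} "
            f"--default-actions '{actions}'")


def remediate(listeners):
    """Return a copy of the listener data with the redirect applied to every
    flagged HTTP listener; the input is left untouched."""
    fixed = copy.deepcopy(listeners)
    flagged = set(find_unredirected_http_listeners(fixed))
    for lst in fixed["Listeners"]:
        if lst["ListenerArn"] in flagged:
            lst["DefaultActions"] = [https_redirect_action()]
    return fixed


if __name__ == "__main__":
    for arn in find_unredirected_http_listeners(SAMPLE_LISTENERS):
        print("FINDING: HTTP listener without HTTPS redirect:", arn)
        print("FIX:", remediation_command(arn))
    print("after fix:", find_unredirected_http_listeners(remediate(SAMPLE_LISTENERS)))
```

Two practical points when applying this: the HTTPS:443 listener with its ACM certificate must already exist, or the redirect sends clients to a port nothing answers on; and because the check inspects only default actions, a listener that redirects in a lower-priority rule but still forwards by default is still reported, which is the correct outcome since the default path is what an unmatched request hits.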
Security Frameworks
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].
Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user's private key; certificates issued in accordance with organization-defined requirements].
- Determine the [Assignment: organization-defined cryptographic uses]; and
- Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].
Protect the authenticity of communications sessions.
Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.
(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks.
Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.
Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.
Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.