--- title: ELB without secure protocol description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > ELB without secure protocol --- # ELB without secure protocol {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-elb-without-secure-protocol` **Provider:** AWS **Platform:** CloudFormation **Severity:** Medium **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html) ### Description{% #description %} Listeners on Classic Elastic Load Balancers must use encrypted protocols to protect data in transit. Listeners configured with plaintext protocols (for example, `HTTP` or `TCP`) can expose sensitive information and allow interception or tampering. For `AWS::ElasticLoadBalancing::LoadBalancer` resources, this rule checks each entry in `Properties.Listeners` and requires the `Protocol` and `InstanceProtocol` fields (when present) to be set to `SSL` or `HTTPS`. Resources missing these properties or with `Protocol`/`InstanceProtocol` set to values like `HTTP` or `TCP` will be flagged as insecure. Secure listener example (CloudFormation YAML): ```yaml MyLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: Listeners: - Protocol: HTTPS LoadBalancerPort: 443 InstanceProtocol: HTTPS InstancePort: 8443 SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-cert ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml #this code is a correct code for which the query should not find any result Resources: MyLoadBalancer1: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-2a" CrossZone: true Listeners: - InstancePort: '80' InstanceProtocol: HTTPS LoadBalancerPort: '443' Protocol: HTTPS PolicyNames: - My-SSLNegotiation-Policy SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate HealthCheck: Target: HTTP:80/ HealthyThreshold: '2' UnhealthyThreshold: '3' Interval: '10' Timeout: '5' Policies: - PolicyName: My-SSLNegotiation-Policy PolicyType: SSLNegotiationPolicyType Attributes: - Name: Reference-Security-Policy Value: ELBSecurityPolicy-TLS-1-2-2017-01 ``` ```yaml #this code is a correct code for which the query should not find any result Resources: MyLoadBalancer2: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-2a" CrossZone: true Listeners: - InstancePort: '9443' InstanceProtocol: SSL LoadBalancerPort: '443' Protocol: SSL PolicyNames: - My-SSLNegotiation-Policy SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate Policies: - PolicyName: My-SSLNegotiation-Policy PolicyType: SSLNegotiationPolicyType Attributes: - Name: Reference-Security-Policy Value: ELBSecurityPolicy-TLS-1-2-2017-01 ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml #this is a problematic code where the query should report a result(s) Resources: MyLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-2a" CrossZone: true Listeners: - LoadBalancerPort: '443' InstancePort: '80' InstanceProtocol: HTTP Protocol: HTTP PolicyNames: - My-SSLNegotiation-Policy SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate HealthCheck: Target: HTTP:80/ HealthyThreshold: '2' UnhealthyThreshold: '3' Interval: '10' Timeout: '5' Policies: - PolicyName: My-SSLNegotiation-Policy PolicyType: SSLNegotiationPolicyType Attributes: - Name: Reference-Security-Policy Value: ELBSecurityPolicy-TLS-1-2-2017-01 ```