For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-alb-listening-on-http.md. A documentation index is available at /llms.txt.

ALB listening on HTTP

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-alb-listening-on-http

Provider: AWS

Platform: Terraform

Severity: Medium

Category: Networking and Firewall

Learn More

Description

This check verifies that AWS Application Load Balancers (ALBs) are not configured to listen for incoming traffic on unencrypted HTTP ports (typically port 80). Allowing an ALB to accept HTTP traffic without redirecting it to HTTPS exposes sensitive data to potential interception, as communication is not encrypted in transit. Insecure configurations, such as setting the protocol parameter within an aws_lb_listener to "HTTP" without ensuring a redirect to "HTTPS", can result in data breaches or man-in-the-middle attacks.

Compliant Code Examples

resource "aws_lb_listener" "listener55" {
  load_balancer_arn = aws_lb.test33.arn
  port = 80
  default_action {
    type = "redirect"

    redirect {
      port        = "80"
      protocol    = "HTTPS"
      status_code = "HTTPS_301"
    }
  }
}

resource "aws_lb" "test33" {
  name = "test123"
  load_balancer_type = "application"
  subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
  internal = true
}

provider "aws2" {
  profile = "default"
  region  = "us-west-2"
}

data "aws_availability_zones" "available2" {
  state = "available"
}

data "aws_ami" "ubuntu2" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

resource "aws_vpc" "vpc1" {
  cidr_block = "10.10.0.0/16"
}

resource "aws_subnet" "subnet12" {
  vpc_id = aws_vpc.vpc1.id
  cidr_block = "10.10.10.0/24"
  availability_zone_id = data.aws_availability_zones.available2.zone_ids[0]
  tags = {
    Name = "subnet1"
  }
}

resource "aws_subnet" "subnet22" {
  vpc_id = aws_vpc.vpc1.id
  cidr_block = "10.10.11.0/24"
  availability_zone_id = data.aws_availability_zones.available2.zone_ids[1]

  tags = {
    Name = "subnet2"
  }
}

resource "aws_lb" "test2" {
  name = "test123"
  load_balancer_type = "application"
  subnets = [aws_subnet.subnet12.id, aws_subnet.subnet22.id]
  internal = true
}

resource "aws_lb_target_group" "test2" {
  port = 80
  protocol = "HTTP"
  target_type = "instance"
  vpc_id = aws_vpc.vpc1.id
}

resource "aws_default_security_group" "dsg2" {
  vpc_id = aws_vpc.vpc1.id
}

resource "aws_lb_listener" "listener2" {
  load_balancer_arn = aws_lb.test2.arn
  protocol = "HTTPS"
  port = 80
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.test2.arn
  }
}

resource "aws_lb_target_group_attachment" "attach12" {
  target_group_arn = aws_lb_target_group.test2.arn
  target_id = aws_instance.inst12.id
  port = 80
}

resource "aws_instance" "inst12" {
  vpc_security_group_ids = [aws_default_security_group.dsg2.id]
  subnet_id = aws_subnet.subnet12.id
  ami = data.aws_ami.ubuntu2.id
  instance_type = "t3.micro"
}

resource "aws_lb_target_group_attachment" "attach22" {
  target_group_arn = aws_lb_target_group.test2.arn
  target_id = aws_instance.inst22.id
  port = 80
}

resource "aws_instance" "inst22" {
  vpc_security_group_ids = [aws_default_security_group.dsg2.id]
  subnet_id = aws_subnet.subnet12.id
  ami = data.aws_ami.ubuntu2.id
  instance_type = "t3.micro"
}

resource "aws_lb_target_group_attachment" "attach32" {
  target_group_arn = aws_lb_target_group.test2.arn
  target_id = aws_instance.inst32.id
  port = 80
}

resource "aws_instance" "inst32" {
  vpc_security_group_ids = [aws_default_security_group.dsg2.id]
  subnet_id = aws_subnet.subnet12.id
  ami = data.aws_ami.ubuntu2.id
  instance_type = "t3.micro"
}

Non-Compliant Code Examples

resource "aws_lb_listener" "listener5" {
  load_balancer_arn = aws_lb.test3.arn
  port = 80
  default_action {
    type = "redirect"

    redirect {
      port        = "80"
      protocol    = "HTTP"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb" "test3" {
  name = "test123"
  load_balancer_type = "application"
  subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
  internal = true
}

provider "aws" {
  profile = "default"
  region  = "us-west-2"
}

data "aws_availability_zones" "available" {
  state = "available"
}

data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

resource "aws_vpc" "vpc1" {
  cidr_block = "10.10.0.0/16"
}

resource "aws_subnet" "subnet1" {
  vpc_id               = aws_vpc.vpc1.id
  cidr_block           = "10.10.10.0/24"
  availability_zone_id = data.aws_availability_zones.available.zone_ids[0]
  tags = {
    Name = "subnet1"
  }
}

resource "aws_subnet" "subnet2" {
  vpc_id               = aws_vpc.vpc1.id
  cidr_block           = "10.10.11.0/24"
  availability_zone_id = data.aws_availability_zones.available.zone_ids[1]

  tags = {
    Name = "subnet2"
  }
}

resource "aws_lb" "test" {
  name               = "test123"
  load_balancer_type = "application"
  subnets            = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
  internal           = true
}

resource "aws_lb_target_group" "test" {
  port        = 80
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = aws_vpc.vpc1.id
}

resource "aws_default_security_group" "dsg" {
  vpc_id = aws_vpc.vpc1.id
}

resource "aws_lb_listener" "listener" {
  load_balancer_arn = aws_lb.test.arn
  port              = 80
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.test.arn
  }
}

resource "aws_lb_target_group_attachment" "attach1" {
  target_group_arn = aws_lb_target_group.test.arn
  target_id        = aws_instance.inst1.id
  port             = 80
}

resource "aws_instance" "inst1" {
  vpc_security_group_ids = [aws_default_security_group.dsg.id]
  subnet_id              = aws_subnet.subnet1.id
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t3.micro"
}

resource "aws_lb_target_group_attachment" "attach2" {
  target_group_arn = aws_lb_target_group.test.arn
  target_id        = aws_instance.inst2.id
  port             = 80
}

resource "aws_instance" "inst2" {
  vpc_security_group_ids = [aws_default_security_group.dsg.id]
  subnet_id              = aws_subnet.subnet1.id
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t3.micro"
}

resource "aws_lb_target_group_attachment" "attach3" {
  target_group_arn = aws_lb_target_group.test.arn
  target_id        = aws_instance.inst3.id
  port             = 80
}

resource "aws_instance" "inst3" {
  vpc_security_group_ids = [aws_default_security_group.dsg.id]
  subnet_id              = aws_subnet.subnet1.id
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t3.micro"
}