ELB.1: ALB serves HTTP without redirecting to HTTPS

What does AWS Security Hub ELB.1 check?

ELB.1 fails when an Application Load Balancer has an HTTP listener whose default action is anything other than a redirect to HTTPS. The control wants port 80 to exist only to bounce clients onto the encrypted listener.

Why does ELB.1 matter?

An HTTP listener that forwards instead of redirecting carries credentials, session cookies and form data in cleartext across the first hop. Anyone on the path can read or tamper with that request before TLS ever engages. A 301 redirect closes the window and, paired with HSTS, stops browsers from touching port 80 on subsequent visits at all.

How do I fix ELB.1?

1. Audit each ALB with describe-listeners and find HTTP:80 listeners whose default action is forward rather than redirect.
2. Use modify-listener to set the default action to a redirect with Protocol HTTPS, Port 443 and StatusCode HTTP_301 so browsers cache the jump.
3. Send an HSTS header from the HTTPS listener so future loads skip port 80 entirely.
4. Codify the redirect in your IaC so new ALBs ship compliant.

# 1. Create the HTTPS listener with the issued ACM cert and a strong TLS policy.
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/marketing-www/abc123 \
  --protocol HTTPS --port 443 \
  --certificates CertificateArn=arn:aws:acm:eu-west-1:123456789012:certificate/d4f8c1a2 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/marketing-www/tg789

# 2. Convert the existing HTTP listener into a 301 redirect to HTTPS (preserves the URL).
aws elbv2 modify-listener \
  --listener-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/marketing-www/abc123/def456 \
  --default-actions 'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,Host="#{host}",Path="/#{path}",Query="#{query}",StatusCode=HTTP_301}'