Compliance · Medium severity

AWS Security Hub · ELB

ELB.18: A public listener exposes traffic over plain HTTP

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ELB.18 check?

ELB.18 fails when an Application or Network Load Balancer has a listener that uses an unencrypted protocol — an HTTP listener on an ALB or a TCP/UDP listener on an NLB — rather than HTTPS or TLS.

Why does ELB.18 matter?

An unencrypted listener carries every request, including credentials and session tokens, in cleartext to whoever is on the network path. Since ACM made TLS certificates free and auto-renewing in 2016, a plaintext public listener is an oversight rather than a cost decision. Terminating TLS at the edge is the baseline for encryption in transit.

How do I fix ELB.18?

  1. Find listeners using HTTP or raw TCP/UDP with describe-listeners across each region.
  2. Request a free ACM certificate (DNS-validated) for the domain in the load balancer's region.
  3. Add an HTTPS or TLS listener backed by that certificate, then convert the old HTTP listener to a 301 redirect so existing links keep working.
  4. Add a Config rule to detect any new cleartext listener drift.
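A check a defender can run before and after remediation to cover step 1, added here as an example (not code from the page or from AWS tooling): it mirrors the ELB.18 logic over the JSON shape that `aws elbv2 describe-listeners` returns. Two assumptions are built in: an HTTP listener whose only default action is a redirect to HTTPS is treated as remediated, as step 3 implies, and `audit_region` uses boto3 paginators for a live account while the constructed `SAMPLE` runs offline.

```python
# Offline audit mirroring ELB.18: flag listeners whose protocol is cleartext.
from typing import Dict, Iterable, List

CLEARTEXT = {"HTTP", "TCP", "UDP", "TCP_UDP"}  # ALB HTTP plus NLB non-TLS protocols

def is_https_redirect(listener: Dict) -> bool:
    """True when the listener's only default action is a 301/302 redirect to HTTPS (step 3)."""
    actions = listener.get("DefaultActions", [])
    if len(actions) != 1 or actions[0].get("Type") != "redirect":
        return False
    cfg = actions[0].get("RedirectConfig", {})
    return cfg.get("Protocol") == "HTTPS" and cfg.get("StatusCode") in ("HTTP_301", "HTTP_302")

def cleartext_listeners(listeners: Iterable[Dict], allow_redirect: bool = True) -> List[Dict]:
    """One finding per listener still serving plaintext. allow_redirect=True treats an HTTP
    listener that only redirects to HTTPS as remediated (the page's fix); False is strict."""
    findings = []
    for lst in listeners:
        proto = str(lst.get("Protocol", "")).upper()
        if proto not in CLEARTEXT:
            continue
        if allow_redirect and proto == "HTTP" and is_https_redirect(lst):
            continue
        findings.append({"ListenerArn": lst["ListenerArn"], "Protocol": proto, "Port": lst.get("Port")})
    return findings

def audit_region(region: str) -> List[Dict]:
    """Live variant (assumed boto3 usage): walk every load balancer and listener in one region."""
    import boto3  # imported lazily so the offline path needs no AWS SDK
    elbv2 = boto3.client("elbv2", region_name=region)
    findings: List[Dict] = []
    for lb_page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in lb_page["LoadBalancers"]:
            for page in elbv2.get_paginator("describe_listeners").paginate(LoadBalancerArn=lb["LoadBalancerArn"]):
                findings.extend(cleartext_listeners(page["Listeners"]))
    return findings

# Constructed sample in describe-listeners shape; ARNs are placeholders, not real resources.
FWD = {"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:eu-west-1:000000000000:targetgroup/x/tg"}
SAMPLE = [
    {"ListenerArn": "arn:...:listener/app/www/1/a", "Protocol": "HTTPS", "Port": 443, "DefaultActions": [FWD]},
    {"ListenerArn": "arn:...:listener/app/www/1/b", "Protocol": "HTTP", "Port": 80, "DefaultActions": [
        {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": "arn:...:listener/app/www/1/c", "Protocol": "HTTP", "Port": 8080, "DefaultActions": [FWD]},
    {"ListenerArn": "arn:...:listener/net/smtp/2/d", "Protocol": "TCP", "Port": 25, "DefaultActions": [FWD]},
]
```

Run `cleartext_listeners(SAMPLE)` to see the two remaining findings (the forwarding HTTP listener on 8080 and the TCP listener on 25); re-run after the remediation script to confirm the list is empty.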

Remediation script · bash

# 1. Create the HTTPS listener with the issued ACM cert and a strong TLS policy.
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/marketing-www/abc123 \
  --protocol HTTPS --port 443 \
  --certificates CertificateArn=arn:aws:acm:eu-west-1:123456789012:certificate/d4f8c1a2 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/marketing-www/tg789

# 2. Convert the existing HTTP listener into a 301 redirect to HTTPS (preserves the URL).
aws elbv2 modify-listener \
  --listener-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/marketing-www/abc123/def456 \
  --default-actions 'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,Host="#{host}",Path="/#{path}",Query="#{query}",StatusCode=HTTP_301}'

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on load balancer listeners.

Is ELB.18 a false positive?

Internal NLBs fronting protocols that genuinely cannot speak TLS may still flag; in those cases terminate or tunnel encryption upstream rather than leaving the listener plaintext.

Part of the learning path Encrypt everything
  • ELB.1 ALB serves HTTP without redirecting to HTTPS
  • ELB.2 CLB SSL/HTTPS listeners should use ACM certs
  • ELB.3 CLB listeners should use HTTPS/TLS termination
  • ELB.4 ALB accepts malformed HTTP headers
  • ELB.5 Load balancers are not writing access logs
  • ELB.6 Load balancers can be deleted by accident
  • ELB.7 CLBs should have connection draining
  • ELB.8 CLB SSL listeners should use strong policy
  • ELB.9 CLBs should have cross-zone balancing
  • ELB.10 CLBs should span multiple AZs
  • ELB.12 ALB desync mitigation mode
  • ELB.13 A single-AZ load balancer is a data-plane single point of failure