Compliance Medium severity

AWS Security Hub · ELB

ELB.3: CLB listeners should use HTTPS/TLS termination

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ELB.3 check?

ELB.3 fails when a Classic Load Balancer's front-end listener uses a cleartext protocol (HTTP or TCP) instead of HTTPS or SSL. The control evaluates only the client-facing hop, i.e. whether the edge listener terminates TLS at all; the listener-to-instance protocol, the certificate source and the cipher policy are out of scope for this control.

Why does ELB.3 matter?

A cleartext CLB listener carries client credentials, cookies and payloads in the open across the first hop. HTTPS/TLS termination at the edge is the baseline for encryption in transit, and with ACM issuing certificates for free there is no longer a cost argument for leaving it off. ELB.3 is the 'is it encrypted at all' check that sits beneath its siblings ELB.2 (certificate issued by ACM) and ELB.8 (strong predefined TLS policy).

How do I fix ELB.3?

  1. Inventory CLB listeners with aws elb describe-load-balancers (the Classic ELB API, not elbv2) and flag any listener whose front-end Protocol is HTTP or TCP.
  2. Request or import an ACM certificate in the load balancer's region and wait until its status is ISSUED.
  3. Add a compliant HTTPS (for HTTP) or SSL (for TCP) listener backed by that certificate with aws elb create-load-balancer-listeners, and open the new port (usually 443) in the load balancer's security group. The cleartext listener keeps its own front-end port until it is deleted, so the new port must not collide with it.
  4. Plan the cleartext-to-encrypted cutover: a CLB has no redirect action, so clients (or the application behind it) must be moved to the encrypted port before the old listener is removed with aws elb delete-load-balancer-listeners.
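Steps 1 and 3 above, as an added example for this page (not Emnode's or AWS's code): the evaluation rule ELB.3 applies, run over a constructed describe-load-balancers response, plus a small planner that emits the create-load-balancer-listeners command for each cleartext listener. The load balancer names, ports and certificate ARN in SAMPLE are assumptions, as is the per-resource pass/fail rule noted in the code.

```python
"""ELB.3 check and listener planner over the `aws elb describe-load-balancers`
response shape (the same shape boto3's `elb` client returns).

Added example for this page, not Emnode's or AWS's code. The load balancers,
ports and certificate ARN in SAMPLE are constructed data.
"""
from __future__ import annotations

# Front-end protocols a CLB listener can use, split the way ELB.3 splits them.
CLEARTEXT = {"HTTP", "TCP"}
ENCRYPTED = {"HTTPS", "SSL"}

CERT_ARN = "arn:aws:acm:eu-west-1:123456789012:certificate/d4f8c1a2"  # assumed

# Constructed sample in the describe-load-balancers response shape (not real infrastructure).
SAMPLE = {
    "LoadBalancerDescriptions": [
        {   # cleartext only: fails
            "LoadBalancerName": "marketing-www",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80}},
            ],
        },
        {   # mixed: the HTTPS listener does not rescue the TCP one, so the resource fails
            "LoadBalancerName": "api-edge",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTP", "InstancePort": 8080,
                              "SSLCertificateId": CERT_ARN}},
                {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 5000,
                              "InstanceProtocol": "TCP", "InstancePort": 5000}},
            ],
        },
        {   # SSL front-end, cleartext back-end hop: passes, ELB.3 only looks at the front-end
            "LoadBalancerName": "internal-tls",
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443,
                              "InstanceProtocol": "TCP", "InstancePort": 8443,
                              "SSLCertificateId": CERT_ARN}},
            ],
        },
    ]
}


def cleartext_listeners(lb: dict) -> list[dict]:
    """Front-end listeners of one CLB that use HTTP or TCP (what ELB.3 flags).
    Only the client-facing Protocol is inspected; InstanceProtocol is the
    listener-to-instance hop, which this control does not evaluate."""
    return [d["Listener"] for d in lb.get("ListenerDescriptions", [])
            if d["Listener"]["Protocol"].upper() in CLEARTEXT]


def evaluate(response: dict) -> dict[str, str]:
    """Map each CLB name to PASSED or FAILED. Assumption: the control is scored per
    load balancer, so one cleartext listener fails the whole resource."""
    return {lb["LoadBalancerName"]: "FAILED" if cleartext_listeners(lb) else "PASSED"
            for lb in response.get("LoadBalancerDescriptions", [])}


def encrypted_listener_spec(listener: dict, cert_arn: str,
                            front_end_port: int | None = None,
                            taken_ports: frozenset[int] = frozenset()) -> str:
    """Build the --listeners value for `aws elb create-load-balancer-listeners` that
    adds an encrypted twin of a cleartext listener (step 3 of the fix).
    HTTP becomes HTTPS and defaults to 443; TCP becomes SSL and has no conventional
    port, so the caller must choose one. The old listener keeps its port until the
    cutover, so the new front-end port must be free on this load balancer."""
    proto = listener["Protocol"].upper()
    if proto not in CLEARTEXT:
        raise ValueError(f"listener on {listener['LoadBalancerPort']} is already {proto}")
    new_proto = "HTTPS" if proto == "HTTP" else "SSL"
    if front_end_port is None:
        if proto == "TCP":
            raise ValueError("choose a free front-end port for the SSL twin of a TCP listener")
        front_end_port = 443
    if front_end_port == listener["LoadBalancerPort"] or front_end_port in taken_ports:
        raise ValueError(f"front-end port {front_end_port} is already in use on this CLB")
    return (f"Protocol={new_proto},LoadBalancerPort={front_end_port},"
            f"InstanceProtocol={listener['InstanceProtocol']},"
            f"InstancePort={listener['InstancePort']},SSLCertificateId={cert_arn}")


def remediation_commands(response: dict, cert_arn: str,
                         port_choices: dict[tuple[str, int], int] | None = None) -> list[str]:
    """One create-load-balancer-listeners command per cleartext listener.
    port_choices maps (lb_name, cleartext_port) -> new front-end port where one
    must be chosen explicitly (TCP listeners, or HTTP listeners when 443 is taken)."""
    port_choices = port_choices or {}
    cmds = []
    for lb in response.get("LoadBalancerDescriptions", []):
        name = lb["LoadBalancerName"]
        taken = frozenset(d["Listener"]["LoadBalancerPort"] for d in lb.get("ListenerDescriptions", []))
        for lst in cleartext_listeners(lb):
            spec = encrypted_listener_spec(lst, cert_arn, port_choices.get((name, lst["LoadBalancerPort"])), taken)
            cmds.append(f'aws elb create-load-balancer-listeners --load-balancer-name {name} --listeners "{spec}"')
    return cmds


def describe_live(region: str) -> dict:
    """Fetch the real response; needs boto3 and credentials, so it is imported
    lazily and never used by the offline sample run."""
    import boto3
    return boto3.client("elb", region_name=region).describe_load_balancers()


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE).items():
        print(f"{name}: {status}")
    for cmd in remediation_commands(SAMPLE, CERT_ARN, {("api-edge", 5000): 5443}):
        print(cmd)
```

Swap SAMPLE for describe_live("eu-west-1") to run it against a real account. The planner deliberately refuses a port that is still held by the cleartext listener: on a CLB the old and new listeners must coexist until clients have moved, because there is no redirect action to do the cutover for you.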

Remediation script · bash

# 1. Add an HTTPS front-end listener on 443, backed by the issued ACM cert, next to the existing
#    HTTP:80 listener. CLBs use the `aws elb` API (not `aws elbv2`); the cert goes in SSLCertificateId.
#    Open 443 in the load balancer's security group as well (group id omitted here).
aws elb create-load-balancer-listeners \
  --load-balancer-name marketing-www \
  --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:acm:eu-west-1:123456789012:certificate/d4f8c1a2"

# 2. Pin a strong predefined TLS policy to the new listener (this is also what ELB.8 wants).
#    The policy name is arbitrary; it must reference one of the predefined CLB security policies.
aws elb create-load-balancer-policy \
  --load-balancer-name marketing-www \
  --policy-name marketing-www-tls12 \
  --policy-type-name SSLNegotiationPolicyType \
  --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-TLS-1-2-2017-01
aws elb set-load-balancer-policies-of-listener \
  --load-balancer-name marketing-www \
  --load-balancer-port 443 \
  --policy-names marketing-www-tls12

# 3. Only after clients have moved to 443 (a CLB cannot redirect HTTP to HTTPS), remove the cleartext listener.
aws elb delete-load-balancer-listeners \
  --load-balancer-name marketing-www \
  --load-balancer-ports 80

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on load balancer listeners.

Part of the learning path Encrypt everything
  • ELB.1 ALB serves HTTP without redirecting to HTTPS
  • ELB.2 CLB SSL/HTTPS listeners should use ACM certs
  • ELB.4 ALB accepts malformed HTTP headers
  • ELB.5 Load balancers are not writing access logs
  • ELB.6 Load balancers can be deleted by accident
  • ELB.7 CLBs should have connection draining
  • ELB.8 CLB SSL listeners should use strong policy
  • ELB.9 CLBs should have cross-zone balancing
  • ELB.10 CLBs should span multiple AZs
  • ELB.12 ALB desync mitigation mode
  • ELB.13 A single-AZ load balancer is a data-plane single point of failure
  • ELB.14 CLB desync mitigation mode