AWS Security Hub · ELBv2
ELBv2.1: ALB serves HTTP without redirecting to HTTPS
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub ELBv2.1 check?
ELBv2.1 checks that an Application Load Balancer redirects HTTP requests to HTTPS. It reports FAILED when an HTTP (port 80) listener forwards traffic instead of issuing a redirect to HTTPS.
Why does ELBv2.1 matter?
An ALB that serves content over plain HTTP carries credentials, cookies and data in cleartext, open to interception on the path. The fix is not to remove the HTTP listener but to turn it into a 301 redirect, so clients that arrive on port 80 are immediately bounced to the encrypted endpoint.
How do I fix ELBv2.1?
- Audit each ALB's listeners with describe-listeners to find HTTP listeners that forward rather than redirect.
- Use a single modify-listener call to swap the default action to a redirect to HTTPS, preserving host, path and query.
- Pair the redirect with an HSTS response header so browsers skip port 80 on subsequent loads.
- Codify the redirect rule in your IaC so new ALBs ship compliant.
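The audit and fix steps above as a self-contained Python example added here (not Emnode's code): it applies the control's verdict to a constructed describe-listeners response, treats a redirect that keeps #{protocol} as non-compliant, and builds the JSON form of the redirect action that the remediation script expresses in CLI shorthand. The ARNs are constructed, and inspecting only DefaultActions (not listener rules) is an assumption.

```python
import copy

# Constructed sample shaped like the `aws elbv2 describe-listeners` response (not a real account).
ARN = "arn:aws:elasticloadbalancing:eu-west-1:000000000000:listener/app/sample-alb/aaa/"
TG = "arn:aws:elasticloadbalancing:eu-west-1:000000000000:targetgroup/sample-tg/bbb"
SAMPLE_LISTENERS = {"Listeners": [
    # port 80 forwards straight to the target group: the case ELBv2.1 flags
    {"ListenerArn": ARN + "001", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]},
    # a redirect that keeps the incoming protocol (#{protocol}) still serves plain HTTP
    {"ListenerArn": ARN + "002", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "#{protocol}", "Port": "443", "StatusCode": "HTTP_301"}}]},
    # compliant: the default action is a redirect whose target protocol is HTTPS
    {"ListenerArn": ARN + "003", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    # an HTTPS listener is out of scope for this control
    {"ListenerArn": ARN + "443", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]},
]}

def https_redirect_action() -> dict:
    """JSON/boto3 form of the page's modify-listener shorthand: 301 to HTTPS, URL preserved."""
    return {"Type": "redirect", "RedirectConfig": {
        "Protocol": "HTTPS", "Port": "443", "Host": "#{host}", "Path": "/#{path}",
        "Query": "#{query}", "StatusCode": "HTTP_301"}}

def listener_redirects_to_https(listener: dict) -> bool:
    """True only if a default action is a redirect whose target protocol is HTTPS."""
    # Assumption/simplification: only DefaultActions are inspected, not listener rules.
    return any(a.get("Type") == "redirect"
               and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
               for a in listener.get("DefaultActions", []))

def evaluate_elbv2_1(response: dict) -> dict:
    """Map each HTTP listener ARN to PASSED/FAILED; HTTPS listeners are skipped."""
    return {ln["ListenerArn"]: "PASSED" if listener_redirects_to_https(ln) else "FAILED"
            for ln in response.get("Listeners", []) if ln.get("Protocol") == "HTTP"}

def remediate(listener: dict) -> dict:
    """Copy of the listener with its default action swapped for the HTTPS redirect
    (the change modify_listener(ListenerArn=..., DefaultActions=[...]) applies live)."""
    fixed = copy.deepcopy(listener)
    fixed["DefaultActions"] = [https_redirect_action()]
    return fixed

if __name__ == "__main__":
    for arn, verdict in evaluate_elbv2_1(SAMPLE_LISTENERS).items():
        print(verdict, arn)
```

Against a live account, the same evaluate_elbv2_1 call takes the dict returned by boto3's elbv2 describe_listeners(LoadBalancerArn=...).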
Remediation script · bash
# 1. Create the HTTPS listener with the issued ACM cert and a strong TLS policy.
aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/marketing-www/abc123 \
--protocol HTTPS --port 443 \
--certificates CertificateArn=arn:aws:acm:eu-west-1:123456789012:certificate/d4f8c1a2 \
--ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/marketing-www/tg789
# 2. Convert the existing HTTP listener into a 301 redirect to HTTPS (preserves the URL).
aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/marketing-www/abc123/def456 \
--default-actions 'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,Host="#{host}",Path="/#{path}",Query="#{query}",StatusCode=HTTP_301}'
Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on load balancer listeners.