Secure transmission of client information
Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP inbound traffic
      SecurityGroupIngress:
        # Vulnerable: plain-text HTTP (port 80) open to any source
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref WebSecurityGroup
      Tags:
        - Key: Name
          Value: HelloWorld
The CloudFormation code above creates an EC2 instance and a security group
that allows inbound HTTP traffic (port 80) from any source (0.0.0.0/0).
This configuration is vulnerable because HTTP transmits data in plain text,
without encryption, so sensitive information can easily be intercepted
by attackers.
Resources:
  WebSecurityGroupHTTPS:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS inbound traffic
      SecurityGroupIngress:
        # Only HTTPS (port 443) is reachable; port 80 is no longer open
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref WebSecurityGroupHTTPS
      Tags:
        - Key: Name
          Value: HelloWorld
The updated code replaces HTTP with HTTPS by allowing inbound traffic only
on port 443 (HTTPS), so that data is transmitted encrypted with TLS.
The security group only opens the port; the encryption is done by the server,
so make sure the application and web server are properly configured with a
valid SSL/TLS certificate to support secure HTTPS connections.
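
The check described above can be automated before deployment. The following is an added example, not part of the original page: it scans a CloudFormation template for ingress rules that expose port 80 to any source, and goes beyond the single rule shown by also catching port ranges and all-protocol rules that cover port 80. It assumes the template has already been parsed into a Python dict; WideRangeGroup and InternalHttpGroup are constructed sample resources.

```python
# Added example (not from the original page): static check over a parsed
# CloudFormation template for ingress rules exposing plain-text HTTP publicly.
ANY_SOURCE = ("0.0.0.0/0", "::/0")   # tuple, so intrinsic-function dicts compare safely

def covers_port(rule, port):
    """True if the rule's protocol and port range include `port`."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":                  # -1 means all protocols, all ports
        return True
    if proto not in ("tcp", "6"):      # 6 is the IANA protocol number for TCP
        return False
    try:
        lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return False                   # assumption: skip non-literal ports (Ref etc.)
    return lo <= port <= hi

def find_public_http(template, port=80):
    """Return (logical_id, source_cidr) for each world-open rule covering `port`."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]            # standalone ingress resource
        else:
            continue
        for rule in rules:
            source = rule.get("CidrIp") or rule.get("CidrIpv6")
            if source in ANY_SOURCE and covers_port(rule, port):
                findings.append((logical_id, source))
    return findings

def _sg(*rules):
    """Build a minimal security group resource for the constructed sample."""
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "sample", "SecurityGroupIngress": list(rules)}}

# Constructed sample input: the page's two groups plus two constructed variants.
SAMPLE = {"Resources": {
    "WebSecurityGroup": _sg({"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}),
    "WebSecurityGroupHTTPS": _sg({"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}),
    "WideRangeGroup": _sg({"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "CidrIpv6": "::/0"}),
    "InternalHttpGroup": _sg({"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "10.0.0.0/16"}),
}}

if __name__ == "__main__":
    for logical_id, source in find_public_http(SAMPLE):
        print(f"{logical_id}: port 80 reachable from {source}")
```

A non-empty result can be used to fail a CI step before the stack is created or updated.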