
Is SSL termination at AWS load balancer ELB secure?

We have a web application running on an EC2 instance. We have added an AWS ELB to route all requests for the application to the load balancer. An SSL certificate has been applied to the ELB.

I am worried about whether HTTP communication between the ELB and the EC2 instance is secure. Or should I use HTTPS communication between the ELB and the EC2 instance?

Does AWS guarantee the security of HTTP communication between the ELB and the EC2 instance?

prashant asked Sep 26 '14 06:09


1 Answer

I answered a similar question once but would like to highlight some points:

  1. Use VPC with proper Security Groups setup (must) and network ACL (optional).

  2. Pay attention to your private key distribution. AWS made it easy by storing it safely in their system and never using it again on your servers. It is probably better to use self-signed certificates on your servers (reducing the chance to leak your real private keys).

  3. SSL is cheap these days (compute-wise).

  4. It all depends on your security requirements, regulations and how much complexity overhead you are willing to take.

  5. AWS does provide some guarantees (see network section) against spoofing / retrieval of information by other tenants, but the safe assumption is that a multi-tenant public cloud environment is not 100% hygienic and you should encrypt.

  6. A single-tenant instance (as suggested by @andreimarinescu) will not help, as the attack vector discussed here is the network between the ELB (shared env) and your instance. (However, it might help against Xen zero-days.)

  7. Long answer with short summary - encrypt.

Froyke answered Oct 23 '22 05:10
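
To find where the setup described in the question exists in an account, the following added example (not part of the question or the answer above) scans load balancer listener descriptions for listeners that terminate TLS at the ELB but forward to the instance in plaintext. It assumes the JSON shape returned by `aws elb describe-load-balancers` for Classic ELBs; the sample data, load balancer names and ports are constructed.

```python
import json

# Constructed sample shaped like `aws elb describe-load-balancers` output
# (Classic ELB). Names and ports are made up for illustration.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [
  {"LoadBalancerName": "web-elb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}},
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
  {"LoadBalancerName": "api-elb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTPS", "InstancePort": 8443}},
    {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 993,
                  "InstanceProtocol": "TCP", "InstancePort": 143}}]}
]}
""")

ENCRYPTED = {"HTTPS", "SSL"}  # Classic ELB listener protocols that use TLS


def plaintext_backends(description):
    """Return (elb_name, front_port, backend_protocol, backend_port) for each
    listener that accepts TLS from clients but talks to the instance without it."""
    findings = []
    for lb in description.get("LoadBalancerDescriptions", []):
        for entry in lb.get("ListenerDescriptions", []):
            listener = entry["Listener"]
            front = listener["Protocol"].upper()
            # Assumption: a missing InstanceProtocol is reported, not trusted.
            back = listener.get("InstanceProtocol", "UNKNOWN").upper()
            if front in ENCRYPTED and back not in ENCRYPTED:
                findings.append((lb["LoadBalancerName"],
                                 listener["LoadBalancerPort"],
                                 back, listener["InstancePort"]))
    return findings


if __name__ == "__main__":
    for name, port, back, backend_port in plaintext_backends(SAMPLE):
        print(f"{name}: TLS on :{port}, backend {back}:{backend_port} is unencrypted")
```

Plain HTTP-to-HTTP listeners are not reported, since nothing is encrypted on either leg and the gap is not specific to TLS termination.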