Use of an insecure channel - HTTP - CloudFormation
Need
Secure transmission of client information
Context
- Usage of CloudFormation for Infrastructure as Code (IaC)
- Usage of AWS SDK for interacting with Amazon Web Services
Description
Insecure Code Example
```yaml
Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP inbound traffic
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref WebSecurityGroup
      Tags:
        - Key: Name
          Value: HelloWorld
```
The above CloudFormation template creates an EC2 instance and a security group that allows inbound HTTP traffic (TCP port 80) from any source (0.0.0.0/0). This configuration is vulnerable because HTTP transmits data in plain text without encryption, so any sensitive information exchanged with the instance can be intercepted or modified on the network path.
Steps
- Update the security group to allow HTTPS traffic (port 443) instead of HTTP (port 80).
- Configure the application and web server to use TLS for secure communication.
- Obtain and install a valid SSL/TLS certificate.
- Redirect any HTTP traffic to HTTPS at the application or load balancer level.
- Deploy the updated CloudFormation stack in AWS.
Secure Code Example
```yaml
Resources:
  WebSecurityGroupHTTPS:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS inbound traffic
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref WebSecurityGroupHTTPS
      Tags:
        - Key: Name
          Value: HelloWorld
```
The updated template replaces HTTP with HTTPS by only allowing inbound traffic on TCP port 443 (HTTPS), so plaintext HTTP can no longer reach the instance from the network. The security group restricts the port; the encryption itself comes from TLS on the web server, so make sure the application and web server are properly configured with a valid SSL/TLS certificate to support secure HTTPS connections.
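The security-group check described above can be enforced before deployment. The following is an added example, not code from the original page: a small Python linter that walks a CloudFormation template (loaded as a dict from its JSON form, where `!Ref` becomes `{"Ref": ...}`) and reports security groups whose ingress rules admit TCP/80 from 0.0.0.0/0 or ::/0. It goes slightly beyond the page's case by also covering `IpProtocol: "-1"` (all protocols), port ranges that include 80, an omitted `ToPort`, and standalone `AWS::EC2::SecurityGroupIngress` resources. The function names and the sample templates are constructed for this example.

```python
"""Flag CloudFormation security groups that expose plaintext HTTP (port 80) to the world."""

INSECURE_PORT = 80
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def rule_exposes_http(rule: dict) -> bool:
    """True if one ingress rule admits TCP port 80 from any IPv4 or IPv6 address."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto not in ("tcp", "6", "-1"):  # "6" is TCP by number; "-1" means all protocols
        return False
    if proto == "-1":
        covers_port = True  # all protocols and all ports
    else:
        lo = int(rule.get("FromPort", 0))
        hi = int(rule.get("ToPort", lo))  # ToPort defaults to FromPort when omitted
        covers_port = lo <= INSECURE_PORT <= hi
    world_open = rule.get("CidrIp") == ANY_V4 or rule.get("CidrIpv6") == ANY_V6
    return covers_port and world_open


def find_http_exposures(template: dict) -> list:
    """Return logical IDs of resources whose ingress rules expose HTTP to the Internet."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]  # standalone ingress resource carries the rule directly
        else:
            continue
        if any(rule_exposes_http(r) for r in rules):
            findings.append(name)
    return findings


# Constructed samples mirroring the insecure and secure templates on this page
# (instance resource omitted; it carries no ingress rules).
INSECURE = {"Resources": {"WebSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}}}}
SECURE = {"Resources": {"WebSecurityGroupHTTPS": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}}}}

if __name__ == "__main__":
    print(find_http_exposures(INSECURE))  # ['WebSecurityGroup']
    print(find_http_exposures(SECURE))    # []
```

In a pipeline, load the template with `json.load` (or a YAML loader that understands CloudFormation tags) and fail the build when the returned list is non-empty.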
References
Last updated
2025/04/04