Use of an insecure channel

Use of an insecure channel - HTTP

Need

Secure transmission of client information

Context

• Usage of CloudFormation for Infrastructure as Code (IaC)

• Usage of AWS SDK for interacting with Amazon Web Services

Description

1. Non compliant code

Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP inbound traffic
      SecurityGroupIngress:
        - IpProtocol: tcp
          ToPort: 80...

The above CloudFormation code creates an EC2 instance and a security group that allows inbound HTTP traffic (port 80) from any source (0.0.0.0/0). This configuration is vulnerable because HTTP transmits data in plain text without encryption, allowing sensitive information to be easily intercepted by attackers.

2. Steps

• Update the security group to allow HTTPS traffic (port 443) instead of HTTP (port 80).

• Configure the application and web server to use TLS for secure communication.

• Obtain and install a valid SSL/TLS certificate.

• Redirect any HTTP traffic to HTTPS at the application or load balancer level.

• Deploy the updated CloudFormation stack in AWS.

3. Secure code example

Resources:
  WebSecurityGroupHTTPS:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS inbound traffic
      SecurityGroupIngress:
        - IpProtocol: tcp
          ToPort: 443...

The updated code replaces HTTP with HTTPS by only allowing inbound traffic on port 443 (HTTPS). This ensures data transmission is encrypted using TLS. Make sure the application and web server are properly configured with a valid SSL/TLS certificate to support secure HTTPS connections.

References

• 372. Use of an insecure channel - HTTP

On this page