
I have a secure web API in the AWS cloud and I'm trying to figure out the best way to put it behind a load balancer without compromising security.

Right now, all communications are conventionally encrypted end-to-end. The API server has a Let's Encrypt certificate, which is used to treat all messages exchanged with clients. Unless the encryption is broken, nobody besides the server and its clients can view the raw contents of messages.

If I start using a load balancer and allow multiple instances of my server to run concurrently, I'll have to give up on LE and use centralized certificate management (e.g. ACM). AWS conveniently supports linking ACM-generated certificates to load balancer HTTPS listeners. This is especially useful for automatic renewal. However, the load balancer would then remove the encryption layer, and all communications with the instances of my server would be decrypted from that point on.

I'm not too comfortable having my raw data traveling in a public cloud. Still, I'd welcome a second opinion on this.

My question therefore is: Is it considered secure to have the load balancer strip the HTTPS encryption layer and forward all traffic as HTTP to internal server instances?

Since I can guess the answer, I would appreciate any suggestions on how to deploy load balancing securely.

  • The answer comes down to whether the AWS networking infrastructure creates an actual private network, and strangers on the Internet can't answer this for you. Amazon certainly says yes, but that may just mean that a vulnerability hasn't been found yet. Commented Aug 12, 2018 at 11:47
  • The phrase "public cloud" isn't an entirely fair description of the VPC network environment. What is the nature of the threat you are concerned about? If the answer to that question seems entirely too obvious, then you might be operating under some incorrect assumptions about the underlying network. Commented Aug 12, 2018 at 15:03
  • My question follows from the basic assumption that any network infrastructure should be considered insecure unless specific steps are taken to secure it. In this scenario, the most likely threat I can imagine is having a third party intercept or exploit (by e.g. MITM attack) unprotected communication between the load balancer and server instances in the target group. Commented Aug 12, 2018 at 15:19
  • Are you planning on using an application or classic ELB? Commented Aug 13, 2018 at 1:34
  • @PetrMánek In my case, I had an ALB and Docker containers registered under a TargetGroup of the ALB (with ECS). The ALB was kind of sending traffic to containers over HTTP. We had to change the containers to listen over HTTPS later. It was kind of hard to bring up containers with hard-coded certs, and later I changed the Docker entrypoint to download certs at runtime from ACM and initialize. Commented Aug 13, 2018 at 17:48

1 Answer


I consider it secure because each AWS VPC is isolated from one another.

The traffic of one VPC cannot be captured in another VPC. Of course, whether AWS VPC technology is secure remains to be seen, as others have said.

Also check out the documentation from EBS about secure end-to-end encryption. It says that:

Terminating secure connections at the load balancer and using HTTP on the backend may be sufficient for your application. Network traffic between AWS resources cannot be listened to by instances that are not part of the connection, even if they are running under the same account.


1 Comment

Wow, that article is exactly what I needed. It even gives advice as to when one would want to use full E2E encryption: regulatory requirements.
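For reference, the two options the thread contrasts expressed as Terraform for an ALB: the target group's `protocol` decides whether the ALB forwards plain HTTP or re-encrypts to the instances, and a security group rule limits who can reach the backend port at all. This is an added example, not configuration from the question, the answer, or AWS; the VPC id, subnet ids, ALB security group id, certificate ARN, backend port 8443 and the `/health` path are placeholders or assumptions.

```hcl
# Added example (not from the question or answer). Placeholder values:
# vpc-PLACEHOLDER, sg-PLACEHOLDER-alb, the ACM certificate ARN, port 8443.

# Backend instances accept 8443 only from the ALB's own security group,
# not from every address in the VPC, so even inside the "private" network
# nothing else can open a connection to the API processes.
resource "aws_security_group" "api" {
  name   = "api-backend"
  vpc_id = "vpc-PLACEHOLDER"
  ingress {
    from_port       = 8443
    to_port         = 8443
    protocol        = "tcp"
    security_groups = ["sg-PLACEHOLDER-alb"] # the ALB's security group
  }
}

# protocol = "HTTPS" is the end-to-end setting; protocol = "HTTP" (with port
# 80/8080) is the terminate-at-the-ALB setup the question asks about.
# Caveat: the ALB does not validate the target's certificate (issuer, name or
# expiry), so the instances may use a self-signed or private-CA certificate,
# but the ALB alone gives no assurance of *which* backend it is talking to.
resource "aws_lb_target_group" "api" {
  name     = "api-https"
  port     = 8443
  protocol = "HTTPS"
  vpc_id   = "vpc-PLACEHOLDER"
  health_check {
    protocol = "HTTPS"
    path     = "/health"
  }
}

# Public listener: ACM certificate, modern TLS policy, forward to the
# HTTPS target group so the connection is re-encrypted ALB -> instance.
resource "aws_lb_listener" "https" {
  load_balancer_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER"
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}
```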
