Is SSL termination on an AWS load balancer safe?

We have a web application running on an EC2 instance. We have added an AWS ELB that routes all requests to the load-balanced application. An SSL certificate has been applied to the ELB.

My concern is whether the HTTP connection between the ELB and the EC2 instance is secure, or whether HTTPS should be used between the ELB and the EC2 instances.

Does AWS provide secure HTTP communication between the ELB and the EC2 instances?

+7
amazon-web-services amazon-ec2 amazon-elb load-balancing
2 answers

I answered a similar question once, but I would like to highlight some points:

  • Use a VPC with the appropriate security group settings (required) and network ACLs (optional).

  • Pay attention to private key distribution. AWS makes it simple to store the key securely on their system and never use it on your servers. It's probably best to use self-signed certificates on your servers (reducing the chance of your real private keys leaking).

  • SSL is cheap these days (compute wise)

  • It all depends on your security requirements, rules and the degree of complexity that you are ready to undertake.

  • AWS provides some guarantees (see the network section) against spoofing / sniffing by other tenants, but the safe assumption is that a multi-tenant cloud environment is not 100% hygienic and you must encrypt.

  • A single-tenant instance (as suggested by @andreimarinescu) will not help, since the attack vector discussed here is the network between the ELB (shared environment) and your instance. (It may, however, help against Xen zero-days.)

  • Long answer with a brief summary - encrypt.

+4
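Putting this answer's points into practice, as an added example that is not part of the original answer: a shell script for a Classic ELB that re-encrypts to the instance with HTTPS, pins the instance's self-signed public key with ELB back-end server authentication (so the real, publicly trusted key never leaves the ELB), and locks the instance security group down to the ELB's group. Every name in it (load balancer name, security group IDs, certificate ARN, file names) is a placeholder for illustration; the `aws elb` and `aws ec2` subcommands and the `PublicKeyPolicyType` / `BackendServerAuthenticationPolicyType` policy types are the real Classic ELB API.

```shell
#!/bin/sh
# Added example, not from the original answer: end-to-end TLS between a Classic
# ELB and its EC2 back ends. Names below are placeholders, not real resources.
set -eu

LB_NAME="${LB_NAME:-web-elb}"                                # assumed Classic ELB name
INSTANCE_SG="${INSTANCE_SG:-sg-0123456789abcdef0}"           # assumed instance security group
ELB_SG="${ELB_SG:-sg-0fedcba9876543210}"                     # assumed ELB security group
FRONT_CERT_ARN="${FRONT_CERT_ARN:-arn:aws:iam::123456789012:server-certificate/example-com}"  # assumed public cert

# 1. Self-signed certificate for the back end. Only this key ever sits on the
#    instance; the publicly trusted key stays with the ELB.
gen_backend_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=backend.internal" \
    -keyout backend.key -out backend.crt
}

# 2. PublicKeyPolicyType wants the SubjectPublicKeyInfo as one base64 string:
#    the PEM body with the BEGIN/END lines and line breaks removed.
pem_to_elb_pubkey() {
  grep -v -- '-----' | tr -d '\n'
}

backend_pubkey() {
  openssl x509 -in backend.crt -pubkey -noout | pem_to_elb_pubkey
}

# 3. Listener: HTTPS in front, HTTPS to the instance (re-encryption, not plain HTTP).
configure_listener() {
  aws elb create-load-balancer-listeners --load-balancer-name "$LB_NAME" \
    --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=$FRONT_CERT_ARN"
}

# 4. Back-end server authentication: the ELB only completes a handshake with
#    instances presenting exactly this public key, so another host on the
#    shared network cannot impersonate a back end.
configure_backend_auth() {
  pubkey="$(backend_pubkey)"
  aws elb create-load-balancer-policy --load-balancer-name "$LB_NAME" \
    --policy-name backend-pubkey --policy-type-name PublicKeyPolicyType \
    --policy-attributes "AttributeName=PublicKey,AttributeValue=$pubkey"
  aws elb create-load-balancer-policy --load-balancer-name "$LB_NAME" \
    --policy-name backend-auth --policy-type-name BackendServerAuthenticationPolicyType \
    --policy-attributes "AttributeName=PublicKeyPolicyName,AttributeValue=backend-pubkey"
  aws elb set-load-balancer-policies-for-backend-server --load-balancer-name "$LB_NAME" \
    --instance-port 443 --policy-names backend-auth
}

# 5. Security group: port 443 on the instance reachable only from the ELB's group,
#    never from 0.0.0.0/0.
lock_down_instance_sg() {
  aws ec2 authorize-security-group-ingress --group-id "$INSTANCE_SG" \
    --protocol tcp --port 443 --source-group "$ELB_SG"
}

# Run the whole procedure with:  sh elb-backend-tls.sh apply
# Running it without arguments (or sourcing it) only defines the functions.
if [ "${1:-}" = "apply" ]; then
  gen_backend_cert
  configure_listener
  configure_backend_auth
  lock_down_instance_sg
fi
```

The instance still has to serve HTTPS on port 443 with `backend.crt` / `backend.key` (and the ELB health check should be switched to `HTTPS:443/...`), otherwise the back-end listener will mark it unhealthy. Rotating the self-signed certificate means updating the `PublicKey` attribute of the policy, which is why a long-lived internal key pair is the practical choice here.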

Absolute control over security and cloud deployments are, in my opinion, two things that don't go together very well.

Regarding traffic security between ELBs and EC2 instances, you should probably deploy your resources in VPCs to add a new level of isolation. AWS does not offer any security guarantees.

If the transferred data is too sensitive, you could also look at deploying in a dedicated data center, where you can have more control over the network aspects. In addition, you may want to look at single-tenant instances on EC2, as you are otherwise likely to share physical resources with other EC2 customers.

At the same time, one more aspect you should consider: SSL termination is a rather expensive task, so terminating SSL at the ELB level lets your back-end instances focus their resources on actually serving requests, but it also affects the ELB (it will scale automatically, but it will have to do so faster, and you may see increased latency while it does, as happens during traffic spikes).

+1