Securing HTTP Methods in AWS ALB

It is common to open an ALB listener to all traffic and pass every request straight through to the application. That is a security issue: if your site only needs GET, HEAD and OPTIONS, methods such as POST or DELETE should be rejected in the Application Load Balancer's listener rules rather than ever reaching the application.

Here I am using a CloudFormation template (YAML) to return HTTP 405 for everything in the listener's default action, then adding a custom rule that forwards only GET, HEAD and OPTIONS to the target group.

  HTTPSListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      Certificates:
        - CertificateArn: !Ref SSLARN
      SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
      # Default action: anything not matched by a rule gets a fixed 405.
      # StatusCode is a String in CloudFormation, so it is quoted here.
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: "405"
            ContentType: "text/plain"
            MessageBody: "Invalid Request."
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
  HTTPSFilter1:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      # Only the listed methods are forwarded to the target group.
      Actions:
        - Type: forward
          TargetGroupArn: !Ref TargetGrp
      Conditions:
        - Field: http-request-method
          HttpRequestMethodConfig:
            Values:
              - GET
              - HEAD
              - OPTIONS
      ListenerArn: !Ref HTTPSListener
      Priority: 1

You can do the same in the console: go to EC2 -> Load Balancers, select your ALB, open the Listeners tab and click View/edit rules, then add the rules accordingly. Remember to change the default rule to deny everything (for example, the fixed 405 response shown above).
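Whichever way the listener is configured, it is worth checking afterwards that no rule forwards anything beyond the intended methods. The following is an added example, not part of the original post: it audits the listener and rule dictionaries in the shape returned by boto3's elbv2 `describe_listeners()` and `describe_rules()` calls, using hand-constructed sample data that mirrors the template above (the ARNs are placeholders).

```python
"""Offline audit of an ALB listener's HTTP-method restrictions (added example).
Input dicts mirror boto3 elbv2 describe_listeners()/describe_rules() responses;
the sample data below is constructed by hand, not fetched from a real account."""

ALLOWED_METHODS = {"GET", "HEAD", "OPTIONS"}

def rule_methods(rule):
    """Methods a rule's http-request-method condition matches, or None if it has none."""
    for cond in rule.get("Conditions", []):
        if cond.get("Field") == "http-request-method":
            return {m.upper() for m in cond["HttpRequestMethodConfig"]["Values"]}
    return None

def audit_listener(listener, rules, allowed=ALLOWED_METHODS):
    """Return findings as strings; an empty list means only allowed methods reach a target."""
    findings = []
    for action in listener["DefaultActions"]:
        if action["Type"] != "fixed-response":
            findings.append(f"default action is {action['Type']}, should be a fixed-response deny")
    for rule in rules:
        if rule.get("IsDefault"):
            continue  # the default rule repeats DefaultActions, already checked
        if not any(a["Type"] == "forward" for a in rule["Actions"]):
            continue  # fixed-response/redirect rules cannot leak a method to the target
        methods = rule_methods(rule)
        if methods is None:
            findings.append(f"rule {rule['Priority']} forwards without a method condition")
        elif not methods <= allowed:
            findings.append(f"rule {rule['Priority']} forwards {sorted(methods - allowed)}")
    return findings

TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/example/PLACEHOLDER"
SAMPLE_LISTENER = {  # constructed: mirrors the template's HTTPSListener
    "DefaultActions": [{"Type": "fixed-response", "FixedResponseConfig": {
        "StatusCode": "405", "ContentType": "text/plain", "MessageBody": "Invalid Request."}}]}
SAMPLE_RULES = [  # constructed: describe_rules() lists the default rule too
    {"Priority": "1", "IsDefault": False, "Actions": [{"Type": "forward", "TargetGroupArn": TG}],
     "Conditions": [{"Field": "http-request-method",
                     "HttpRequestMethodConfig": {"Values": ["GET", "HEAD", "OPTIONS"]}}]},
    {"Priority": "default", "IsDefault": True, "Conditions": [],
     "Actions": SAMPLE_LISTENER["DefaultActions"]}]
LEAKY_RULE = {  # constructed: a path-only rule that would let POST/DELETE through
    "Priority": "2", "IsDefault": False, "Actions": [{"Type": "forward", "TargetGroupArn": TG}],
    "Conditions": [{"Field": "path-pattern", "PathPatternConfig": {"Values": ["/api/*"]}}]}

if __name__ == "__main__":
    print(audit_listener(SAMPLE_LISTENER, SAMPLE_RULES))                # []
    print(audit_listener(SAMPLE_LISTENER, SAMPLE_RULES + [LEAKY_RULE]))  # one finding
```

The same function can be fed live data by passing the `Listeners[0]` entry from `describe_listeners()` and the `Rules` list from `describe_rules()` for that listener.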
