Missing Tls on Aws

Missing TLS in AWS environments creates unique attack vectors that stem from the platform's distributed architecture and service integrations. When TLS is absent, attackers can exploit several AWS-specific vulnerabilities that wouldn't exist in traditional on-premises setups.

One common manifestation occurs in AWS API Gateway configurations where developers mistakenly deploy REST APIs with 'open' or 'IAM' authorization but forget to enforce HTTPS. This allows attackers to intercept API keys transmitted in plaintext during client-server communication. The problem compounds when these APIs are accessed through CloudFront distributions that aren't properly configured with HTTPS-only behaviors.

Another AWS-specific scenario involves S3 bucket policies that permit public access without requiring TLS. While the bucket itself might be private, if an application constructs S3 URLs without 'https://' prefixes, clients will communicate over unencrypted HTTP. This is particularly dangerous when S3 presigned URLs are generated without the 'https' scheme, exposing temporary credentials to network sniffing.

Elastic Load Balancing (ELB) misconfigurations frequently lead to TLS bypass. When listeners are configured with HTTP backends while accepting HTTPS frontend connections, traffic between the ELB and backend instances travels unencrypted. This creates a false sense of security since the client sees HTTPS, but the internal AWS network traffic remains vulnerable.

Lambda functions that invoke other AWS services without proper TLS verification represent another critical vector. When using AWS SDK clients with default configurations, some developers inadvertently disable certificate validation or use HTTP endpoints for services that support HTTPS. This is especially problematic in VPC-connected Lambda functions where traffic might traverse multiple AWS network segments.

Container-based services on ECS or EKS often suffer from TLS gaps when service discovery mechanisms use plaintext protocols. If services register with AWS Cloud Map or Route 53 using HTTP, subsequent service-to-service communications lack encryption, exposing inter-service APIs to eavesdropping within the AWS infrastructure.

The most sophisticated attacks target AWS's federated identity systems. When SAML assertions or Cognito tokens are transmitted without TLS between identity providers and AWS services, attackers can capture authentication tokens and impersonate legitimate users across the entire AWS account.

Detecting missing TLS in AWS requires a combination of configuration audits and runtime scanning that accounts for the platform's unique characteristics. The first step is examining AWS service configurations through infrastructure-as-code templates and console settings.

For API Gateway, check that all stages have 'Require HTTPS for invoke URL' enabled and that custom domain names use ACM certificates. Use the AWS CLI to audit: aws apigateway get-stages --rest-api-id <id> and verify 'accessLogSetting' configurations include proper TLS requirements.

S3 bucket policies need examination for 'aws:SecureTransport' conditions. A typical vulnerable policy allows public access without transport security: "Condition": {"StringNotEquals": {"aws:SecureTransport": "false"}}. Secure configurations should explicitly require "aws:SecureTransport": "true".

ELB and ALB configurations require checking listener protocols and target group settings. Use aws elbv2 describe-listeners to verify that HTTPS listeners have appropriate SSL policies and that target groups use HTTPS or TLS for backend connections. Look for mixed-protocol configurations where HTTPS terminates at the load balancer but HTTP continues to backend services.

Lambda functions need scanning for SDK client configurations. Check function code for patterns like new AWS.S3({ region: 'us-east-1', sslEnabled: false }) or endpoint: 'http://s3.amazonaws.com'. These configurations disable TLS at the SDK level, creating vulnerabilities regardless of network-level security.

middleBrick's AWS-specific scanning identifies these issues by testing actual API endpoints rather than just configuration files. It detects when services respond to HTTP requests, when TLS certificates are missing or expired, and when mixed-content scenarios exist. The scanner's black-box approach is particularly valuable because it catches runtime misconfigurations that IaC reviews might miss.

For comprehensive coverage, use middleBrick's CLI to scan all API endpoints: middlebrick scan https://api.example.com --output json. The tool provides detailed findings about missing TLS, certificate validity, and protocol support, with severity ratings that help prioritize remediation efforts.

Remediating TLS issues in AWS requires both configuration changes and code updates to ensure comprehensive coverage. Start with the most critical services and work systematically through your AWS infrastructure.

For API Gateway, enforce HTTPS at the stage level by setting 'requireHttps' to true in your OpenAPI specification: require_https: true. Update custom domain names to use ACM certificates and configure CloudFront distributions with 'Minimum Protocol Version' set to TLS 1.2 or higher.

S3 bucket policies should explicitly require secure transport: "Condition": {"Bool": {"aws:SecureTransport": "true"}}. For presigned URLs, always use the HTTPS scheme: s3.getSignedUrl('getObject', {Bucket: 'my-bucket', Key: 'file.txt', Expires: 300, Signer: new URL('https://s3.amazonaws.com')}).

ELB configurations need HTTPS listeners with strong SSL policies. For Application Load Balancers, use: aws elbv2 create-listener --load-balancer-arn <arn> --protocol HTTPS --port 443 --certificates CertificateArn=<cert> --default-actions Type=forward,TargetGroupArn=<tg>. Ensure target groups use HTTPS for backend connections when sensitive data is transmitted.

Lambda functions require careful SDK configuration. Always use HTTPS endpoints and enable certificate validation: const s3 = new AWS.S3({ region: 'us-east-1', httpOptions: { agent: new https.Agent({ rejectUnauthorized: true }) } }). For service-to-service calls, use AWS SDK's default HTTPS configuration rather than custom HTTP endpoints.

ECS and EKS services should use service discovery with TLS. Configure Cloud Map namespaces with DNSSEC and use mTLS between services. Update task definitions to include service mesh configurations that enforce encrypted communication channels.

For federated identity scenarios, ensure all SAML and Cognito communications use TLS 1.3. Configure identity providers to require HTTPS for all authentication flows and implement certificate pinning for critical integrations.

middleBrick can verify remediation effectiveness by rescanning endpoints after changes. Use the GitHub Action integration to automatically scan staging APIs before deployment: uses: middlebrick/middlebrick-action@v1 with a security score threshold that fails builds if TLS requirements aren't met.