This test is located in the [Engineering] category, and can be accessed via the link below:
https://app.vanta.com/tests?tab=Engineering#load-balancer-http-to-https

The test determines whether you have at least one dedicated HTTP ALB Listener on your Application Load Balancer that redirects (301 permanent) to HTTPS. If no dedicated Listener is detected on your ALB, the test will fail. If no ALB is detected at all, the test will be marked N/A and deactivated.

 

 

Prerequisites

  • AWS as a connected cloud provider
  • At least one Application Load Balancer created

 

Procedure

  1. Navigate to your AWS Console.
  2. Search for "EC2" in the search tool and select it.
  3. In the left-hand navigation menu, scroll down and select "Load Balancers".
  4. Select your desired ALB, and under the "Listeners" tab click Add Listener.
  5. When creating your Listener, be sure the 3 highlighted options below are configured as seen here. URL configuration is up to you, so long as these options are selected. Click Add.
  6. Once complete, your Listener should appear like below on the Load Balancers page.
  7. Now you can return to the test and either wait for it to refresh (up to 24 hours), or initiate a manual refresh (15 - 60 minutes). Once refreshed, your test should be passing!

 

Common Issues

The test is failing even though I have a load balancer that redirects HTTP to HTTPS:

This is a common point of failure when attempting to pass the test. If you already have an ALB Listener that looks like it should be passing but isn't, try the troubleshooting method below:
Check the "Rules" on that Listener, via "View/edit Rules". Likely, the listener has additional Rules other than the one that redirects to HTTPS.
This interferes with our ability to evaluate the listener, even if the listener is functioning correctly on a technical level. To correct this, remove all other rules from the listener aside from the redirect.

You can work around this by creating another listener on the ALB for the actions performed by the additional rules. As long as one listener is dedicated to an HTTP redirect, you will pass the test.
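
To pre-check a listener before waiting for a refresh, the added example below (not Vanta's own evaluation logic) approximates the criteria described in this article: an HTTP listener whose only rule is a 301 redirect to HTTPS. It assumes input dictionaries shaped like the boto3 `elbv2` `describe_listeners` and `describe_rules` responses; the sample data and listener identifiers are constructed.

```python
# Added example: approximates the pass criteria described in this article, not
# Vanta's logic. Inputs mirror boto3 elbv2 describe_listeners()/describe_rules().
def is_https_301_redirect(action):
    """True if the action is a permanent (301) redirect to HTTPS."""
    cfg = action.get("RedirectConfig", {})
    return (action.get("Type") == "redirect"
            and cfg.get("Protocol") == "HTTPS"
            and cfg.get("StatusCode") == "HTTP_301")

def evaluate_listener(listener, rules):
    """Return (ok, reason) for one listener and the rules attached to it."""
    if listener.get("Protocol") != "HTTP":
        return False, "not an HTTP listener"
    default = listener.get("DefaultActions", [])
    if len(default) != 1 or not is_https_301_redirect(default[0]):
        return False, "default action is not a 301 redirect to HTTPS"
    extra = [r for r in rules if not r.get("IsDefault")]
    if extra:
        return False, f"{len(extra)} additional rule(s) besides the redirect"
    return True, "dedicated HTTP to HTTPS redirect"

def alb_passes(listeners, rules_by_listener):
    """An ALB passes if at least one listener is a dedicated redirect."""
    return any(evaluate_listener(l, rules_by_listener.get(l["ListenerArn"], []))[0]
               for l in listeners)

# Constructed sample data (identifiers are placeholders, not real resources).
REDIRECT = {"Type": "redirect",
            "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                               "StatusCode": "HTTP_301"}}
MIXED = {"ListenerArn": "listener-mixed", "Protocol": "HTTP", "Port": 80,
         "DefaultActions": [REDIRECT]}
DEDICATED = {"ListenerArn": "listener-dedicated", "Protocol": "HTTP",
             "Port": 8080, "DefaultActions": [REDIRECT]}
RULES = {
    "listener-mixed": [
        {"Priority": "1", "IsDefault": False,
         "Actions": [{"Type": "fixed-response"}]},
        {"Priority": "default", "IsDefault": True, "Actions": [REDIRECT]}],
    "listener-dedicated": [
        {"Priority": "default", "IsDefault": True, "Actions": [REDIRECT]}],
}

if __name__ == "__main__":
    for lst in (MIXED, DEDICATED):
        ok, reason = evaluate_listener(lst, RULES[lst["ListenerArn"]])
        print(lst["ListenerArn"], "PASS" if ok else "FAIL", "-", reason)
    print("ALB passes:", alb_passes([MIXED, DEDICATED], RULES))
```

The "listener-mixed" case reproduces the common issue above: the redirect works, but the extra rule means the listener is not dedicated.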

 

 

 

Additional Resources