CSP Compliance Manager 10.5.3 User Guide

Output Format

Certificate Scan Result

{
  "result_type": "scan",
  "plugin_id": "aws-elasticloadbalancer-plugin",
  "plugin_version": "1.1.0",
  "data": {
    "type": "cert",
    "timestamp": "2026-02-02T10:00:00Z",
    "urn": "urn:cert:sha256:...",
    "url": "https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#LoadBalancers:...",
    "extra": {
      "load_balancer_arn": "arn:aws:elasticloadbalancing:...",
      "load_balancer_name": "my-alb",
      "load_balancer_type": "application",
      "scheme": "internet-facing",
      "dns_name": "my-alb-123456789.us-east-1.elb.amazonaws.com",
      "listener_arn": "arn:aws:elasticloadbalancing:...",
      "listener_port": 443,
      "listener_protocol": "HTTPS",
      "ssl_policy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
      "certificate_arn": "arn:aws:acm:...",
      "certificate_domain_name": "example.com",
      "certificate_status": "ISSUED",
      "is_default": true,
      "target_groups": [...],
      "ssl_policy_details": {...},
      "platform_type": "aws"
    },
    "cert_pem": "-----BEGIN CERTIFICATE-----\n..."
  }
}

Error Handling and Troubleshooting

Common Errors

1. Authentication Errors

Error Message:

Error: InvalidClientTokenId: The security token included in the request is invalid

Causes:

Incorrect Access Key ID
Incorrect Secret Access Key
Access Key has been deleted or rotated
Access Key is inactive

Resolution:

# Step 1: Verify credentials in config.json are correct
cat config.json

# Step 2: Re-generate access keys in AWS IAM console
# AWS Console → IAM → Users → Your User → Security Credentials → Create Access Key

# Step 3: Update config.json with new credentials

# Step 4: Re-run test command
./aws-elasticloadbalancer-plugin test -i config.json

2. Permission Errors

Error Message:

Error: AccessDenied: User is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers

Causes:

IAM policies not attached to user
Policies are expired or have conditions
User doesn't have required permissions

Resolution:

Go to AWS IAM Console → Users → Your User
Click Add Permissions → Attach Existing Policies
Attach: ElasticLoadBalancingReadOnly + AWSCertificateManagerReadOnly
Wait 30 seconds for policy to propagate
Retry plugin test

3. Region Errors

Error Message:

Error: The region is not a valid AWS region

Causes:

Typo in region name
Region not enabled for your AWS account
Region doesn't exist

Resolution:

# Valid AWS regions:
us-east-1, us-west-1, us-west-2
eu-west-1, eu-central-1, eu-north-1
ap-southeast-1, ap-northeast-1, ap-south-1
ca-central-1, sa-east-1, ap-east-1

4. No Certificates Found

Error Message:

Scan completed: 0 assets found

This is normal if:

No load balancers exist in the region
Load balancers only have HTTP listeners (not HTTPS/TLS)
Certificates are not attached to listeners

Verification:

Go to AWS EC2 Console → Load Balancers
Check if any load balancers exist
Click on each load balancer → Listeners tab
Verify at least one HTTPS or TLS listener exists
Check if certificate is selected in listener configuration

Connection Troubleshooting

Error	Cause	Solution
`Unable to reach AWS`	Network connectivity	Check internet connection, firewall rules
`Connection timeout`	AWS service unavailable	Wait and retry, check AWS status page
`Certificate parsing failed`	Invalid PEM format	Ensure certificate is valid, use `openssl verify`
`Invalid JSON output`	Plugin error	Check plugin version, review logs

Validation Steps

Step 1: Verify Credentials

# Test with AWS CLI to ensure credentials work
aws iam get-user --profile default

Step 2: Verify Policies

# List policies attached to your user
aws iam list-attached-user-policies --user-name your-username

Step 3: Verify Load Balancers Exist

# List all load balancers in region
aws elbv2 describe-load-balancers --region us-east-1

Step 4: Verify HTTPS Listeners

# List all listeners for a specific load balancer
aws elbv2 describe-listeners --load-balancer-arn your-lb-arn --region us-east-1

Security Best Practices

Credential Management

Use AWS Managed Policies
- Easier to maintain
- AWS regularly updates for new services
- Least-privilege by design
Rotate Access Keys Regularly
- Rotate every 90 days
- Maintain two active keys for zero-downtime rotation
- Delete old keys after rotation verified
Use Temporary Credentials (STS)
- For production environments
- Use IAM roles for EC2/Lambda execution
- Set token expiration to 1-2 hours
Secure Configuration Files
- Never commit credentials to version control
- Use .gitignore for config files
- Store in secure credential manager (Vault, Secrets Manager)

Runtime Security

Enable CloudTrail: Monitor API calls
Use VPC Endpoints: Private connectivity to AWS services
Enable MFA: Multi-factor authentication for IAM users
Regular Audits: Review access patterns and permissions

Performance Optimization

Scan Performance

Factor	Impact	Optimization
Load balancer count	Direct	Run scans during off-peak hours
Region count	Linear	Parallelize scans across regions
Certificate complexity	Minimal	No optimization needed
API rate limits	Rare	Unlikely to hit AWS rate limits

Multi-Region Scanning

# Sequential (slow)
for region in us-east-1 eu-west-1 ap-southeast-1; do
  ./aws-elasticloadbalancer-plugin scan -i config-$region.json -o output-$region.json
done

# Parallel (fast)
for region in us-east-1 eu-west-1 ap-southeast-1; do
  ./aws-elasticloadbalancer-plugin scan -i config-$region.json -o output-$region.json &
done
wait

Supported Load Balancer Types

The plugin supports the following ELB load balancers:

Application Load Balancer (ALB)

Purpose: HTTP/HTTPS traffic distribution
Listener Protocols: HTTP, HTTPS
Certificate Support: ACM, IAM
SSL Policies: Supported (extract supported protocols/ciphers)
Target Types: Instance, IP, Lambda

Network Load Balancer (NLB)

Purpose: Ultra-high performance TCP/TLS
Listener Protocols: TLS, TCP, UDP
Certificate Support: ACM
SSL Policies: Supported
Target Types: Instance, IP, ALB

Classic Load Balancer (CLB)

Purpose: Legacy load balancing (deprecated)
Listener Protocols: HTTP, HTTPS, TCP, SSL
Certificate Support: ACM, IAM (limited)
SSL Policies: Basic support
Note: AWS recommends migration to ALB/NLB

Comparison: ALB vs NLB vs CLB

Feature	ALB	NLB	CLB
Layer	Layer 7	Layer 4	Layer 4/7
Use Case	Web apps	High performance	Legacy
Throughput	Moderate	Ultra-high	Low
Latency	Medium	Ultra-low	Higher
SSL Policy	Advanced	Advanced	Basic
Certificate Types	ACM, IAM	ACM	ACM, IAM
Recommended	YES	For performance	Deprecated

Version History

Version	Date	Changes
1.1.0	2026-02-03	Real AWS API integration, AWS managed policies, comprehensive error handling
1.0.0	2026-01-15	Initial POC with mock data

Support and Troubleshooting

For issues or questions:

Check this README - Most issues are covered in the Troubleshooting section
Verify AWS Permissions - Ensure IAM policies are correctly attached
Review Plugin Logs - Check console output for detailed error messages
Test Connection First - Always run test command before scan command
Review AWS Console - Verify load balancers and certificates exist in AWS

Additional Resources

AWS ELB Documentation: https://docs.aws.amazon.com/elasticloadbalancing/
AWS ACM Documentation: https://docs.aws.amazon.com/acm/
AWS IAM Documentation: https://docs.aws.amazon.com/iam/
SSL/TLS Certificates: https://tools.ietf.org/html/rfc7468
AWS SDKv2 for Go: https://github.com/aws/aws-sdk-go-v2