How to Attach an SSL Certificate to AWS ELB (HTTPS Guide)
Learn how to attach an SSL certificate to AWS ELB using enterprise-grade workflows, HTTPS termination, IAM roles, Terraform automation, and monitoring best practices.
Why HTTPS Termination at the ELB Matters
In modern cloud environments, security is essential — not an afterthought. HTTPS ensures data is encrypted in transit, and managing SSL termination at the AWS Elastic Load Balancer (ELB) simplifies operations while meeting enterprise security standards.
Benefits of SSL at ELB:
- Offloads SSL work from app servers
- Centralized certificate management
- Better scalability and maintainability
- Compatible with CI/CD and automation workflows
What Is SSL Termination?
SSL Termination means the TLS connection (handshake, encryption and decryption) ends at the load balancer. Traffic then reaches the backend servers as plain HTTP — unless it is re-encrypted internally.
✔️ Supported in both:
- Application Load Balancer (ALB)
- Network Load Balancer (NLB) with TLS
Enterprise Certificate Workflow (ACM Integration)
Here's the typical flow of how SSL certificates are handled in an enterprise using AWS Certificate Manager (ACM):
Cybersecurity Team → Issues Certificate via ACM
↓
AWS Control Manager → Receives Certificate Email
↓
DevOps Team → Uses Certificate ARN in ELB Listener Setup
Step-by-Step: Attach SSL to AWS ELB
Prerequisites
- ELB already created
- SSL certificate available in AWS ACM
- IAM permissions to modify ELB and access ACM
Step 1: Find Certificate ARN
aws acm list-certificates
You’ll receive an ARN like:
arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234-xyz
Step 2: Add HTTPS Listener via Console
- Navigate to your ALB
- Go to Listeners > Add Listener
- Select HTTPS (443)
- Choose your SSL certificate
- Attach it to your Target Group
Done!
Step 3: Automate with Terraform
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.my_alb.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
  certificate_arn   = var.ssl_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.my_service.arn
  }
}
Step 4: Add IAM Permissions (for CI/CD)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:ModifyListener"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Real-World Example: Securing a Banking App
For example, while working on a cloud-native banking app, we needed SSL offloading for a staging environment. Using ACM, we requested a wildcard SSL (*.staging.bankapp.com) and provisioned it via Terraform. We implemented auto-renewal checks using a Lambda trigger and set up CloudWatch alerts for certificate expiry 30 days in advance — saving us from potential outages.
CI/CD with GitHub Actions (SSL & ELB Deployments)
name: Deploy ELB with SSL

on:
  push:
    branches: [ main ]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
      - name: Terraform Init & Apply
        run: |
          terraform init
          terraform apply -auto-approve
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}
Monitoring: CloudWatch for SSL Health
Don’t stop at deployment — ensure runtime security.
- Use CloudWatch Alarms to track:
  - TLSNegotiationErrorCount
  - UnhealthyHostCount
- Use Lambda to check for certificate expiry
- Set SNS alerts for expiring SSL certs (e.g., <30 days)
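The Lambda expiry check and the SNS alert described in the two bullets above, written out as an added example (this is not the article's own code). The decision logic is kept separate from the AWS calls so it runs offline against the constructed sample records below; `lambda_handler` is the part that would run inside Lambda, and `SNS_TOPIC_ARN` is an assumed environment variable name. Record fields (`CertificateArn`, `DomainName`, `NotAfter`, `RenewalEligibility`) follow the shape of ACM's `describe_certificate` response.

```python
"""ACM certificate expiry check: flag certificates that expire within 30 days
and build the SNS alert text. Added example, not the article's code."""
from __future__ import annotations

import os
from datetime import datetime, timedelta, timezone

EXPIRY_THRESHOLD_DAYS = 30  # the article's "30 days in advance"


def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days left before NotAfter; negative once the certificate has expired."""
    return (not_after - now).days


def find_expiring(certs: list[dict], now: datetime,
                  threshold_days: int = EXPIRY_THRESHOLD_DAYS) -> list[dict]:
    """Return describe_certificate-style records expiring within threshold_days,
    soonest first. Already-expired certificates are included (negative DaysLeft)."""
    expiring = []
    for cert in certs:
        days = days_until_expiry(cert["NotAfter"], now)
        if days <= threshold_days:
            expiring.append({
                "CertificateArn": cert["CertificateArn"],
                "DomainName": cert["DomainName"],
                "DaysLeft": days,
                "RenewalEligibility": cert.get("RenewalEligibility", "UNKNOWN"),
            })
    return sorted(expiring, key=lambda c: c["DaysLeft"])


def format_alert(expiring: list[dict]) -> str:
    """Human-readable SNS message body listing the affected certificates."""
    lines = [f"{len(expiring)} ACM certificate(s) expire within {EXPIRY_THRESHOLD_DAYS} days:"]
    for c in expiring:
        state = "EXPIRED" if c["DaysLeft"] < 0 else f"{c['DaysLeft']} days left"
        lines.append(f"- {c['DomainName']} ({c['CertificateArn']}): {state}, "
                     f"renewal eligibility {c['RenewalEligibility']}")
    return "\n".join(lines)


def lambda_handler(event, context):
    """Lambda entry point: describe every issued certificate, alert via SNS.
    boto3 is imported lazily so the pure functions above run anywhere."""
    import boto3
    acm = boto3.client("acm")
    sns = boto3.client("sns")
    records = []
    for page in acm.get_paginator("list_certificates").paginate(CertificateStatuses=["ISSUED"]):
        for summary in page["CertificateSummaryList"]:
            records.append(acm.describe_certificate(
                CertificateArn=summary["CertificateArn"])["Certificate"])
    expiring = find_expiring(records, datetime.now(timezone.utc))
    if expiring:
        sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"],  # assumed env var name
                    Subject="ACM certificate expiry warning",
                    Message=format_alert(expiring))
    return {"checked": len(records), "expiring": len(expiring)}


# Constructed sample data (not real certificates or accounts) for offline runs.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/sample-0001",
     "DomainName": "*.staging.bankapp.com", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": SAMPLE_NOW + timedelta(days=10)},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/sample-0002",
     "DomainName": "api.example.com", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": SAMPLE_NOW + timedelta(days=200)},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/sample-0003",
     "DomainName": "old.example.com", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": SAMPLE_NOW - timedelta(days=2)},
]

if __name__ == "__main__":
    print(format_alert(find_expiring(SAMPLE_CERTS, SAMPLE_NOW)))
```

Scheduling the handler on an EventBridge rule (daily is enough for a 30-day window) gives the "Lambda trigger" from the banking example; the `RenewalEligibility` field is worth surfacing because an `INELIGIBLE` certificate will not be auto-renewed by ACM and needs manual action.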
Common Errors & Fixes
| ❌ Issue | 🛠️ Fix |
|---|---|
| Certificate not showing | Ensure it's in the same AWS region |
| Invalid ARN | Double-check ACM and ELB region match |
| Port 443 not open | Check Security Group & Listener settings |
| Permissions denied | Attach proper IAM roles in your CI/CD tool |
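The first two rows of the table (certificate not showing, invalid ARN) come down to one rule: the ACM certificate and the load balancer must be in the same region and account. The pre-flight check below, an added example rather than anything from the article, parses both ARNs and reports any mismatch before a Terraform apply or CI job is attempted. The certificate ARN is the one from Step 1; the load balancer ARNs are constructed sample values.

```python
"""Pre-flight consistency check for an HTTPS listener's certificate and load
balancer ARNs. Added example, not the article's code; sample ARNs constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account:resource; the resource part
    may itself contain colons, so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    return Arn(partition, service, region, account, resource)


def check_listener_inputs(certificate_arn: str, load_balancer_arn: str) -> list[str]:
    """Return a list of problems; an empty list means the pair is usable together."""
    try:
        cert = parse_arn(certificate_arn)
        lb = parse_arn(load_balancer_arn)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    if cert.service != "acm" or not cert.resource.startswith("certificate/"):
        problems.append("certificate_arn is not an ACM certificate ARN")
    if lb.service != "elasticloadbalancing" or not lb.resource.startswith("loadbalancer/"):
        problems.append("load_balancer_arn is not a load balancer ARN")
    # ACM certificates are regional: a listener only sees certificates from its own region.
    if cert.region != lb.region:
        problems.append(f"region mismatch: certificate in {cert.region}, "
                        f"load balancer in {lb.region}")
    # A listener cannot reference an ACM certificate that lives in another account.
    if cert.account != lb.account:
        problems.append(f"account mismatch: certificate in account {cert.account}, "
                        f"load balancer in account {lb.account}")
    return problems


# Certificate ARN from Step 1 of the article; load balancer ARNs are constructed.
CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234-xyz"
LB_ARN_SAME_REGION = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                      "loadbalancer/app/my-alb/50dc6c495c0c9188")
LB_ARN_OTHER_REGION = ("arn:aws:elasticloadbalancing:eu-west-1:123456789012:"
                       "loadbalancer/app/my-alb/50dc6c495c0c9188")

if __name__ == "__main__":
    for lb_arn in (LB_ARN_SAME_REGION, LB_ARN_OTHER_REGION):
        print(lb_arn, "->", check_listener_inputs(CERT_ARN, lb_arn) or "OK")
```

Run it as a step before `terraform apply` in the pipeline (feeding it the same variable values Terraform will use) so a region mix-up fails fast with a clear message instead of surfacing as an opaque `ValidationError` from the listener API.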
Tip: Multi-Environment Setup
Use variables per workspace in Terraform:
# Referenced as var.ssl_certificate_arn by the aws_lb_listener resource in Step 3
variable "ssl_certificate_arn" {
  description = "SSL ARN per environment"
  type        = string
}
Conclusion
SSL termination at the ELB level is a standard for scalable, secure, and reliable infrastructure in AWS.
For a DevOps engineer, automating this process with Terraform and monitoring it with CloudWatch completes the security lifecycle.