How to secure your endpoints for free with AWS

This post continues the series launched a long time ago with the first article about microservices. Suppose you have the best microservice ever, deployed with Elastic Beanstalk. It has one or more endpoints that by default communicate over HTTP. Let’s see how to add the security layer without any cost and without too much effort.

First of all, we need a service that responds to HTTP requests:

curl "http://<your-endpoint>.elasticbeanstalk.com/hello?name=Cirrus"
Hello, Cirrus. This is my first REST service!


The next step is to open AWS Certificate Manager and request a public certificate. In the domain name input, we add our domain, in our case app.cirrusup.cloud, and we choose email validation. More details can be found in the documentation. Our advice is to use DNS validation, even though this requires deeper skills.

After that, we go to the EC2 Management Console, to the Load Balancer section, and add a new listener for the HTTPS protocol. Under the SSL certificate column, by pressing Change and then Choose a certificate from ACM, we’ll find the one for our domain.

The last step is to edit the inbound rules of the Elastic Beanstalk security group (in the same EC2 console) to allow HTTPS traffic (from one or more sources, depending on how restrictive you want to be).

Now we can test that this setup works:

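curl -k "https://<your-endpoint>.elasticbeanstalk.com/hello?name=Cirrus"
Hello, Cirrus. This is my first REST service!
(The -k option skips certificate validation; it is needed here because the certificate was issued for our own domain, not for the elasticbeanstalk.com hostname.)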

Ideally, you should add a CNAME record in your DNS pointing the certificate’s domain (app.cirrusup.com) to your Elastic Beanstalk endpoint. If you do that, you’ll see that certificate validation works 😉
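
The validation that -k skips can be exercised before the CNAME exists. The Python code below is an added example, not part of the original post: check_endpoint connects to the Elastic Beanstalk hostname while validating the certificate for the ACM domain, and cert_covers shows why the elasticbeanstalk.com name fails the hostname check. The hostname my-env.eu-west-1.elasticbeanstalk.com and the sample certificate are constructed placeholders; app.cirrusup.cloud is the domain requested in ACM above.

```python
import socket
import ssl

def san_dns_names(cert):
    """Return the DNS names from the subjectAltName of a getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    """Match one SAN entry; '*' is accepted only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and never a bare TLD.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_covers(cert, hostname):
    """True if any SAN DNS entry of the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_dns_names(cert))

def check_endpoint(connect_host, cert_domain, port=443, timeout=5):
    """Connect to connect_host but validate the certificate for cert_domain.

    Runs full validation (chain and hostname) before the CNAME exists.
    Raises ssl.SSLCertVerificationError if validation fails.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((connect_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=cert_domain) as tls:
            cert = tls.getpeercert()
            return {"sans": san_dns_names(cert), "not_after": cert["notAfter"],
                    "protocol": tls.version()}

# Constructed certificate, shaped like ssl.getpeercert() output.
SAMPLE_CERT = {"subjectAltName": (("DNS", "app.cirrusup.cloud"),),
               "notAfter": "Jan  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    for host in ("app.cirrusup.cloud", "my-env.eu-west-1.elasticbeanstalk.com"):
        print(host, "->", cert_covers(SAMPLE_CERT, host))
    # Live check (needs network); the endpoint name is a placeholder:
    # print(check_endpoint("my-env.eu-west-1.elasticbeanstalk.com", "app.cirrusup.cloud"))
```

Once the CNAME is in place, calling check_endpoint with the same domain for both arguments performs the same validation a browser or plain curl would.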

Hope this article was useful for you! If so, don’t hesitate to share it! If you encounter any obstacle, leave a comment and we’ll be happy to help you!