
AWS ELB insecure SSL ciphers


Risk level: Medium (should be achieved)

Check your Elastic Load Balancers' Secure Socket Layer (SSL) negotiation configuration (security policy) for any cipher suites that have known vulnerabilities or have been rendered insecure by recent exploits.

This rule resolution is part of the Cloud Conformity Security Package

Using insecure and deprecated ciphers in your ELB Predefined Security Policy or Custom Security Policy could make the SSL connection between the client and the load balancer vulnerable to exploits. If your ELB SSL negotiation configuration uses outdated cipher suites, we highly recommend that you update it using the information provided in this guide (see Remediation/Resolution section).

Audit

To determine if your ELB Predefined Security Policy uses insecure ciphers, perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to the EC2 dashboard.

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Listeners tab from the bottom panel.

06 In the Cipher column of the HTTPS listener, click Change:


07 In the Select a Cipher dialog box, select one of the following configuration options:

  1. Predefined Security Policy:
    Scan the SSL Ciphers section associated with the currently used predefined security policy for any insecure / deprecated cipher definitions.
  2. Custom Security Policy:
    Scan the SSL Ciphers section associated with the existing custom security policy for any insecure / deprecated cipher definitions.
    The following list (ref.: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html) defines all the insecure ciphers that must be removed from your configuration:
    RC2-CBC-MD5
    PSK-AES256-CBC-SHA
    PSK-3DES-EDE-CBC-SHA
    KRB5-DES-CBC3-SHA
    KRB5-DES-CBC3-MD5
    PSK-AES128-CBC-SHA
    PSK-RC4-SHA
    KRB5-RC4-SHA
    KRB5-RC4-MD5
    KRB5-DES-CBC-SHA
    KRB5-DES-CBC-MD5
    EXP-EDH-RSA-DES-CBC-SHA
    EXP-EDH-DSS-DES-CBC-SHA
    EXP-ADH-DES-CBC-SHA
    EXP-DES-CBC-SHA
    EXP-RC2-CBC-MD5
    EXP-KRB5-RC2-CBC-SHA
    EXP-KRB5-DES-CBC-SHA
    EXP-KRB5-RC2-CBC-MD5
    EXP-KRB5-DES-CBC-MD5
    EXP-ADH-RC4-MD5
    EXP-RC4-MD5
    EXP-KRB5-RC4-SHA
    EXP-KRB5-RC4-MD5
    

Using AWS CLI

01 If a Predefined Security Policy is used

  1. Run describe-load-balancer-policies command (OSX/Linux/UNIX) to determine if the latest (secure) predefined policy "ELBSecurityPolicy-2016-08" is associated with your load balancer:
    aws elb describe-load-balancer-policies \
    	--load-balancer-name MyWebELB \
    	--policy-names ELBSecurityPolicy-2016-08
    
  2. The command output should expose the name of the predefined policy currently used:
    {
        "PolicyDescriptions": [
            {
                "PolicyAttributeDescriptions": [
                    {
                        "AttributeName": "Reference-Security-Policy",
                        "AttributeValue": "ELBSecurityPolicy-2016-08"
                    },
    
                    ...
    
                    {
                        "AttributeName": "ECDHE-ECDSA-AES128-GCM-SHA256",
                        "AttributeValue": "true"
                    }
                ],
                "PolicyName": "ELBSecurityPolicy-2016-08",
                "PolicyTypeName": "SSLNegotiationPolicyType"
            }
        ]
    }
    

02 If a Custom Security Policy is used

  1. To determine if any insecure ciphers are enabled in your custom policy, run the following command (OSX/Linux/UNIX) to list all the ciphers defined:
    aws elb describe-load-balancer-policies \
    	--load-balancer-name MyWebELB \
    	--output table
    
  2. The command output should expose all the cipher names used (true for active, false for inactive):
    ||+-------------------------------------+------------+||
    |||  ECDHE-ECDSA-AES128-GCM-SHA256      |  true      |||
    |||  ECDHE-RSA-AES128-GCM-SHA256        |  true      |||
    |||  ECDHE-ECDSA-AES128-SHA256          |  true      |||
    |||  ECDHE-RSA-AES128-SHA256            |  true      |||
    |||  ECDHE-ECDSA-AES128-SHA             |  false     |||
    |||  ECDHE-RSA-AES128-SHA               |  false     |||
    |||  DHE-RSA-AES128-SHA                 |  true      |||
    |||  ECDHE-ECDSA-AES256-GCM-SHA384      |  false     |||
    |||  ECDHE-RSA-AES256-GCM-SHA384        |  false     |||
    |||  ECDHE-ECDSA-AES256-SHA384          |  false     |||
    |||  ECDHE-RSA-AES256-SHA384            |  true      |||
    |||  ECDHE-RSA-AES256-SHA               |  true      |||
    |||  ECDHE-ECDSA-AES256-SHA             |  true      |||
    |||  AES128-GCM-SHA256                  |  false     |||
    |||  AES128-SHA256                      |  false     |||
    |||  AES128-SHA                         |  true      |||
    |||  EXP-KRB5-DES-CBC-MD5               |  false     |||
    |||  EXP-ADH-RC4-MD5                    |  false     |||
    |||  EXP-RC4-MD5                        |  false     |||
    |||  EXP-KRB5-RC4-SHA                   |  false     |||
    |||  EXP-KRB5-RC4-MD5                   |  false     |||
    ||+-------------------------------------+------------+||
    

Remediation / Resolution

To remove any insecure cipher definitions from your ELB SSL negotiation settings, you need to perform the following:

Using AWS Console

01 Log in to the AWS Management Console.

02 Navigate to the EC2 dashboard.

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Listeners tab from the bottom panel.

06 In the Cipher column of the HTTPS listener click Change:


07 In the Select a Cipher dialog box, select one of the following configuration options:

  1. Predefined Security Policy:
    Select the latest predefined security policy from the list, named "ELBSecurityPolicy-2016-08", and then click Save.
  2. Custom Security Policy:
    In the SSL Ciphers section, uncheck any insecure / deprecated ciphers found during the audit process (see Audit I.7.b.) and then click Save.

Using AWS CLI

01 If a Predefined Security Policy is used

  1. Run describe-load-balancer-policies command (OSX/Linux/UNIX) to list the predefined security policies provided by AWS:
    aws elb describe-load-balancer-policies \
    	--query "PolicyDescriptions[?PolicyTypeName=='SSLNegotiationPolicyType'].{PolicyName:PolicyName}" \
    	--output table
    
  2. The command output should expose the names of the predefined security policies available for your ELB:
    -----------------------------------------------
    |        DescribeLoadBalancerPolicies         |
    +---------------------------------------------+
    |                 PolicyName                  |
    +---------------------------------------------+
    |  ELBSecurityPolicy-2016-08                  |
    |  ELBSecurityPolicy-2015-05                  |
    |  ELBSecurityPolicy-2015-03                  |
    |  ELBSecurityPolicy-2015-02                  |
    |  ELBSecurityPolicy-2014-10                  |
    |  ELBSecurityPolicy-2014-01                  |
    |  ELBSecurityPolicy-2011-08                  |
    |  ELBSample-ELBDefaultNegotiationPolicy      |
    |  ELBSample-OpenSSLDefaultNegotiationPolicy  |
    +---------------------------------------------+
    
  3. Use create-load-balancer-policy command (OSX/Linux/UNIX) to create an SSL negotiation policy that references one of the predefined security policies listed in the previous step. We highly recommend that you use the latest predefined policy for your ELB (named "ELBSecurityPolicy-2016-08" in this case):
    aws elb create-load-balancer-policy \
    	--load-balancer-name MyWebELB \
    	--policy-name MyELBCustomSecurityPolicy \
    	--policy-type-name SSLNegotiationPolicyType \
    	--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2016-08
    

02 If a Custom Security Policy is used:

  1. To create a custom ELB SSL security policy that contains secure ciphers (example: ECDHE-RSA-AES128-SHA) use create-load-balancer-policy command (OSX/Linux/UNIX):
    aws elb create-load-balancer-policy \
    	--load-balancer-name MyWebELB \
    	--policy-name MyCustomSSLNegotiationPolicy \
    	--policy-type-name SSLNegotiationPolicyType \
    	--policy-attributes AttributeName=Protocol-TLSv1.2,AttributeValue=true AttributeName=Protocol-TLSv1.1,AttributeValue=true AttributeName=ECDHE-RSA-AES128-SHA,AttributeValue=true AttributeName=Server-Defined-Cipher-Order,AttributeValue=true
    
  2. To list all the cipher names used, run the describe-load-balancer-policies command again (OSX/Linux/UNIX):
    aws elb describe-load-balancer-policies \
    	--load-balancer-name MyWebELB \
    	--policy-names MyCustomSSLNegotiationPolicy \
    	--output table
    
  3. The command output should expose all the cipher names used in your custom policy (true for active, false for inactive):
    ||+-------------------------------------+--------------------+||
    |||  ECDHE-ECDSA-AES128-GCM-SHA256      |  false             |||
    |||  ECDHE-RSA-AES128-GCM-SHA256        |  false             |||
    |||  ECDHE-RSA-AES128-SHA256            |  false             |||
    |||  ECDHE-ECDSA-AES128-SHA             |  false             |||
    |||  ECDHE-RSA-AES128-SHA               |  true              |||
    |||  EXP-KRB5-RC4-SHA                   |  false             |||
    |||  EXP-KRB5-RC4-MD5                   |  false             |||
    ||+-------------------------------------+--------------------+||
    
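As an added example (not Cloud Conformity's or AWS's code), this Python script automates the two CLI checks above: it reads the JSON that `aws elb describe-load-balancer-policies` prints, flags any enabled cipher from the insecure list in the Audit section or a Reference-Security-Policy older than ELBSecurityPolicy-2016-08, and builds the `--policy-attributes` string used in the custom-policy remediation step while refusing insecure ciphers. The sample output and the policy names in it are constructed.

```python
import json

# Insecure / deprecated cipher names from the Audit list above (AWS ELB policy table).
INSECURE_CIPHERS = set("""RC2-CBC-MD5 PSK-AES256-CBC-SHA PSK-3DES-EDE-CBC-SHA
KRB5-DES-CBC3-SHA KRB5-DES-CBC3-MD5 PSK-AES128-CBC-SHA PSK-RC4-SHA KRB5-RC4-SHA
KRB5-RC4-MD5 KRB5-DES-CBC-SHA KRB5-DES-CBC-MD5 EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA EXP-ADH-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5
EXP-KRB5-RC2-CBC-SHA EXP-KRB5-DES-CBC-SHA EXP-KRB5-RC2-CBC-MD5 EXP-KRB5-DES-CBC-MD5
EXP-ADH-RC4-MD5 EXP-RC4-MD5 EXP-KRB5-RC4-SHA EXP-KRB5-RC4-MD5""".split())
LATEST_PREDEFINED = "ELBSecurityPolicy-2016-08"


def audit_policies(describe_output):
    """Map each SSLNegotiationPolicyType policy in parsed describe-load-balancer-policies
    JSON to its findings (enabled insecure ciphers, outdated reference policy); [] = pass."""
    findings = {}
    for policy in describe_output.get("PolicyDescriptions", []):
        if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        attrs = {a["AttributeName"]: a["AttributeValue"]
                 for a in policy.get("PolicyAttributeDescriptions", [])}
        problems = ["insecure cipher enabled: " + name for name in sorted(attrs)
                    if name in INSECURE_CIPHERS and attrs[name] == "true"]
        ref = attrs.get("Reference-Security-Policy")
        if ref and ref != LATEST_PREDEFINED:
            problems.append("outdated predefined policy: " + ref)
        findings[policy["PolicyName"]] = problems
    return findings


def policy_attributes(ciphers, protocols=("TLSv1.2", "TLSv1.1")):
    """Build the --policy-attributes argument for create-load-balancer-policy,
    refusing any cipher from the insecure list so remediation cannot reintroduce one."""
    bad = sorted(set(ciphers) & INSECURE_CIPHERS)
    if bad:
        raise ValueError("insecure ciphers requested: " + ", ".join(bad))
    names = ["Protocol-" + p for p in protocols] + list(ciphers)
    names.append("Server-Defined-Cipher-Order")
    return " ".join(f"AttributeName={n},AttributeValue=true" for n in names)


# Constructed sample in the shape of the CLI JSON output shown above (not real output).
SAMPLE = json.loads("""{"PolicyDescriptions": [
 {"PolicyName": "MyOldPredefined", "PolicyTypeName": "SSLNegotiationPolicyType",
  "PolicyAttributeDescriptions": [
   {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2015-05"}]},
 {"PolicyName": "MyCustomSSLNegotiationPolicy", "PolicyTypeName": "SSLNegotiationPolicyType",
  "PolicyAttributeDescriptions": [
   {"AttributeName": "ECDHE-RSA-AES128-SHA", "AttributeValue": "true"},
   {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "true"},
   {"AttributeName": "EXP-KRB5-RC4-MD5", "AttributeValue": "false"}]}]}""")
```

Creating a policy does not attach it to anything: `aws elb set-load-balancer-policies-of-listener` (not shown on this page) is what binds the new policy to the HTTPS listener port, so re-run the audit after that step.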

Publication date Oct 13, 2016