
AWS ELB insecure SSL protocols

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Last updated: 28 November 2017
Security

Risk level: Medium (should be achieved)

Check your Elastic Load Balancers' Secure Sockets Layer (SSL) negotiation configuration for the insecure / deprecated SSLv2, SSLv3 and TLSv1 protocols

This rule resolution is part of the Cloud Conformity Security Package

Using insecure or deprecated protocols in your ELB Predefined Security Policy or Custom Security Policy can leave the connection between the client and the load balancer open to attacks such as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which exploits a server's continued support for SSLv2 (with a faster variant that targets a flaw in OpenSSL's SSLv2 implementation), and POODLE (Padding Oracle On Downgraded Legacy Encryption).
POODLE lets a man-in-the-middle attacker who can force the client down to SSLv3 recover plaintext from the encrypted session. If your existing ELB SSL negotiation configuration enables Protocol-SSLv2, Protocol-SSLv3 and/or Protocol-TLSv1 (PCI DSS requires SSL and early TLS, including TLS 1.0, to be retired by 30 June 2018), we highly recommend updating it using the information provided in this guide (see Remediation/Resolution section).
Note: the ELBSecurityPolicy-2016-08 predefined security policy still enables Protocol-TLSv1, which is considered insecure; of the predefined policies, only ELBSecurityPolicy-TLS-1-1-2017-01 and ELBSecurityPolicy-TLS-1-2-2017-01 leave it disabled.

Audit

To determine whether the security policy attached to your ELB HTTPS/SSL listener uses insecure protocols, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Listeners tab from the bottom panel.

06 In the Cipher column of the HTTPS listener click Change:


07 In the Select a Cipher dialog box, check the configuration that matches the type of policy in use:

  1. Predefined Security Policy:
    In the SSL Protocols section associated with the enabled predefined security policy, look for any active Protocol-SSLv2, Protocol-SSLv3 or Protocol-TLSv1 definitions. The following document defines the SSL protocols enabled by each AWS ELB predefined security policy: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html
  2. Custom Security Policy:
    In the SSL Protocols section associated with your existing custom security policy, look for any active Protocol-SSLv2, Protocol-SSLv3 or Protocol-TLSv1 definitions.

Using AWS CLI

01 If a Predefined Security Policy is used

  1. Run describe-load-balancer-policies command (OSX/Linux/UNIX) to determine if the policy attached to your load balancer (in this case "ELBSecurityPolicy-2014-01") includes the insecure SSLv2, SSLv3 or TLSv1 protocols:
    aws elb describe-load-balancer-policies \
    	--load-balancer-name MyWebELB \
    	--policy-names ELBSecurityPolicy-2014-01
    
  2. The command output lists each protocol attribute of the policy (true for active, false for inactive); here Protocol-SSLv3 and Protocol-TLSv1 are both active, so the policy fails this check:
    {
        "PolicyDescriptions": [
            {
                "PolicyAttributeDescriptions": [
                    {
                        "AttributeName": "Reference-Security-Policy",
                        "AttributeValue": "ELBSecurityPolicy-2014-01"
                    },
    
                    {
                        "AttributeName": "Protocol-TLSv1",
                        "AttributeValue": "true"
                    },
                    {
                        "AttributeName": "Protocol-SSLv3",
                        "AttributeValue": "true"
                    },
                    {
                        "AttributeName": "Protocol-TLSv1.1",
                        "AttributeValue": "true"
                    },
                    {
                        "AttributeName": "Protocol-TLSv1.2",
                        "AttributeValue": "true"
                    },
                    ...
                ],
                "PolicyName": "ELBSecurityPolicy-2014-01",
                "PolicyTypeName": "SSLNegotiationPolicyType"
            }
        ]
    }
    

02 If a Custom Security Policy is used

  1. To determine if any insecure SSL protocols are enabled in your custom policy, run the following command (OSX/Linux/UNIX):
    aws elb describe-load-balancer-policies \
    	--load-balancer-name MyWebELB \
    	--output table
    
  2. The command output should expose all SSL protocols enabled in your custom policy (true for active, false for inactive); here Protocol-TLSv1 and Protocol-SSLv3 are active, so the policy fails this check:
    ||+------------------------------------------+-------------+||
    |||  Protocol-TLSv1                          |  true       |||
    |||  Protocol-SSLv3                          |  true       |||
    |||  Protocol-TLSv1.1                        |  true       |||
    |||  Protocol-TLSv1.2                        |  true       |||
    |||  Server-Defined-Cipher-Order             |  true       |||
    ||+------------------------------------------+-------------+||
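
The same check can be automated against the JSON that describe-load-balancer-policies prints. The script below is an added example, not Cloud Conformity or AWS code: it assumes only the output shape shown above (PolicyDescriptions, PolicyTypeName, PolicyAttributeDescriptions with string "true"/"false" values). The embedded sample output is constructed for the demo; in practice pipe the real output in with `aws elb describe-load-balancer-policies --load-balancer-name MyWebELB | python3 elb_ssl_audit.py`.

```python
"""Flag ELB SSL negotiation policies that still enable SSLv2, SSLv3 or TLSv1.

Added example (not Cloud Conformity or AWS code). Reads the JSON printed by
`aws elb describe-load-balancer-policies --load-balancer-name <name>` from
stdin, or falls back to the constructed SAMPLE_OUTPUT below.
"""
import json
import sys

# Protocols this rule treats as insecure / deprecated.
INSECURE_PROTOCOLS = ("Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1")

# Constructed sample: one policy built from an old predefined policy, one
# custom policy, and one non-SSL policy that must be ignored rather than
# flagged. Attribute values are the CLI's string booleans.
SAMPLE_OUTPUT = json.dumps({
    "PolicyDescriptions": [
        {
            "PolicyName": "ELBSecurityPolicy-2014-01",
            "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Reference-Security-Policy",
                 "AttributeValue": "ELBSecurityPolicy-2014-01"},
                {"AttributeName": "Protocol-SSLv2", "AttributeValue": "false"},
                {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
            ],
        },
        {
            "PolicyName": "MyCustomSSLSecurityPolicy",
            "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
                {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
                {"AttributeName": "Server-Defined-Cipher-Order",
                 "AttributeValue": "true"},
            ],
        },
        {
            "PolicyName": "AWSConsole-LBCookieStickinessPolicy",
            "PolicyTypeName": "LBCookieStickinessPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "CookieExpirationPeriod", "AttributeValue": "0"},
            ],
        },
    ]
})


def enabled_protocols(policy):
    """Set of Protocol-* attributes the policy explicitly sets to true."""
    return {
        attr["AttributeName"]
        for attr in policy.get("PolicyAttributeDescriptions", [])
        if attr["AttributeName"].startswith("Protocol-")
        and attr["AttributeValue"].lower() == "true"
    }


def reference_policy(policy):
    """Predefined policy the policy is based on, or None for a custom policy."""
    for attr in policy.get("PolicyAttributeDescriptions", []):
        if attr["AttributeName"] == "Reference-Security-Policy":
            return attr["AttributeValue"]
    return None


def audit_policies(describe_output):
    """Map each SSL negotiation policy name to its origin and insecure protocols.

    Policies of other types (stickiness, proxy protocol, ...) are skipped.
    An empty "insecure" list means the policy passes this rule.
    """
    doc = json.loads(describe_output)
    findings = {}
    for policy in doc.get("PolicyDescriptions", []):
        if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        enabled = enabled_protocols(policy)
        findings[policy["PolicyName"]] = {
            "reference": reference_policy(policy),
            "insecure": [p for p in INSECURE_PROTOCOLS if p in enabled],
        }
    return findings


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    results = audit_policies(raw if raw.strip() else SAMPLE_OUTPUT)
    for name, info in results.items():
        origin = info["reference"] or "custom"
        bad = ", ".join(info["insecure"]) or "none"
        status = "FAIL" if info["insecure"] else "PASS"
        print(f"{status} {name} ({origin}): insecure protocols enabled: {bad}")
    # Non-zero exit makes the check usable from a CI job or cron audit.
    sys.exit(1 if any(i["insecure"] for i in results.values()) else 0)
```

Only attributes explicitly set to "true" count as enabled, which matches how the CLI reports a policy; an attribute that is absent or "false" is treated as disabled, so the custom policy in the sample passes while the ELBSecurityPolicy-2014-01 based one fails on SSLv3 and TLSv1.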
    

Remediation / Resolution

To remove any insecure protocol definitions from your ELB SSL negotiation settings, you need to perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Listeners tab from the bottom panel.

06 In the Cipher column of the HTTPS listener click Change:


07 In the Select a Cipher dialog box, apply the configuration that matches the type of policy in use:

08 Predefined Security Policy:
Select a predefined security policy that does not enable TLSv1, either ELBSecurityPolicy-TLS-1-2-2017-01 (TLS 1.2 only) or ELBSecurityPolicy-TLS-1-1-2017-01 (TLS 1.1 and 1.2), and then click Save. Neither of these policies includes the Protocol-SSLv2, Protocol-SSLv3 or Protocol-TLSv1 unsafe protocols. ELBSecurityPolicy-2016-08 is the newest general-purpose policy, but it still enables Protocol-TLSv1 and therefore does not satisfy this rule.

09 Custom Security Policy:
Uncheck Protocol-SSLv2 and/or Protocol-SSLv3 and/or Protocol-TLSv1 in the SSL Protocols section of your SSL custom policy and then click Save.

Using AWS CLI

01 If a Predefined Security Policy is used:

  1. Run describe-load-balancer-policies command (OSX/Linux/UNIX) without a load balancer name to list all predefined SSL negotiation policies currently provided by AWS ELB:
    aws elb describe-load-balancer-policies \
    	--query "PolicyDescriptions[?PolicyTypeName=='SSLNegotiationPolicyType'].{PolicyName:PolicyName}" \
    	--output table
    
  2. The command output should return the names of the predefined policies provided by ELB (of these, only ELBSecurityPolicy-TLS-1-1-2017-01 and ELBSecurityPolicy-TLS-1-2-2017-01 leave Protocol-TLSv1 disabled):
    -----------------------------------------------
    |        DescribeLoadBalancerPolicies         |
    +---------------------------------------------+
    |                 PolicyName                  |
    +---------------------------------------------+
    |  ELBSecurityPolicy-2016-08                  |
    |  ELBSecurityPolicy-TLS-1-2-2017-01          |
    |  ELBSecurityPolicy-TLS-1-1-2017-01          |
    |  ELBSecurityPolicy-2015-05                  |
    |  ELBSecurityPolicy-2015-03                  |
    |  ELBSecurityPolicy-2015-02                  |
    |  ELBSecurityPolicy-2014-10                  |
    |  ELBSecurityPolicy-2014-01                  |
    |  ELBSecurityPolicy-2011-08                  |
    |  ELBSample-ELBDefaultNegotiationPolicy      |
    |  ELBSample-OpenSSLDefaultNegotiationPolicy  |
    +---------------------------------------------+
    
  3. Use create-load-balancer-policy command (OSX/Linux/UNIX) to create a policy on your load balancer that references one of the predefined policies listed in the previous step. We highly recommend ELBSecurityPolicy-TLS-1-2-2017-01 (TLS 1.2 only) or, if you must still serve TLS 1.1 clients, ELBSecurityPolicy-TLS-1-1-2017-01; these are the only predefined policies that do not enable Protocol-TLSv1.

    - IMPORTANT: Avoid ELBSecurityPolicy-2011-08 and ELBSecurityPolicy-2014-01, which still enable SSLv3, and note that every other predefined policy up to and including ELBSecurityPolicy-2016-08 enables Protocol-TLSv1. Creating the policy does not change the listener: the new policy must then be attached to the HTTPS listener (set-load-balancer-policies-of-listener) before it takes effect, and the old policy remains active until that is done.
    aws elb create-load-balancer-policy \
    	--load-balancer-name MyWebELB \
    	--policy-name MyELBCustomSecurityPolicy \
    	--policy-type-name SSLNegotiationPolicyType \
    	--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-TLS-1-2-2017-01
    

02 If a Custom Security Policy is used:

  1. To create a custom ELB SSL security policy that contains only secure and updated protocols use create-load-balancer-policy command (OSX/Linux/UNIX):
    aws elb create-load-balancer-policy \
    	--load-balancer-name MyWebELB \
    	--policy-name MyCustomSSLSecurityPolicy \
    	--policy-type-name SSLNegotiationPolicyType \
    	--policy-attributes AttributeName=Protocol-TLSv1.2,AttributeValue=true \
    		AttributeName=Protocol-TLSv1.1,AttributeValue=true \
    		AttributeName=ECDHE-RSA-AES128-SHA,AttributeValue=true \
    		AttributeName=Server-Defined-Cipher-Order,AttributeValue=true
    
  2. To expose the protocols enabled at policy creation run describe-load-balancer-policies command (OSX/Linux/UNIX):
    aws elb describe-load-balancer-policies \
    	--load-balancer-name MyWebELB \
    	--policy-names MyCustomSSLSecurityPolicy \
    	--output table
    
  3. The command output should expose all SSL protocols in the custom policy (true for enabled, false for disabled); the policy satisfies this rule only if Protocol-SSLv2, Protocol-SSLv3 and Protocol-TLSv1 are each absent or false:
    ||+-----------------------------------+-------------------+||
    |||  Protocol-SSLv3                   |  false            |||
    |||  Protocol-TLSv1.1                 |  true             |||
    |||  Protocol-TLSv1.2                 |  true             |||
    |||  Server-Defined-Cipher-Order      |  true             |||
    ||+-----------------------------------+-------------------+||
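
The custom-policy steps above build the policy attribute list by hand and leave out the final step of binding the policy to the listener. The script below is an added example, not Cloud Conformity or AWS code, covering both the predefined-policy and custom-policy CLI procedures: it generates the `--policy-attributes` shorthand with every protocol set explicitly (refusing SSLv2, SSLv3 and TLSv1 outright), then produces the two `aws elb` calls needed, create-load-balancer-policy followed by set-load-balancer-policies-of-listener. The load balancer name MyWebELB comes from this page; the policy name MyTLS12OnlyPolicy, listener port 443 and the GCM cipher suite are illustrative choices, and the script only prints the commands unless `dry_run=False` is passed.

```python
"""Build a TLS-only ELB SSL negotiation policy and the CLI calls that apply it.

Added example (not Cloud Conformity or AWS code). Assumes the attribute names
used on this page (Protocol-*, cipher names, Server-Defined-Cipher-Order) and
the `aws elb` subcommands create-load-balancer-policy and
set-load-balancer-policies-of-listener. Policy name and port are illustrative.
"""
import shlex
import subprocess

ALL_PROTOCOLS = ("Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1",
                 "Protocol-TLSv1.1", "Protocol-TLSv1.2")
# The three protocols this rule requires to be disabled.
INSECURE_PROTOCOLS = ALL_PROTOCOLS[:3]


def policy_attributes(protocols, ciphers):
    """Return the --policy-attributes shorthand items for a hardened policy.

    Every protocol attribute is emitted explicitly (true or false) so the
    resulting policy does not rely on ELB defaults; insecure protocols are
    rejected rather than silently dropped, and Server-Defined-Cipher-Order
    is forced on so the load balancer, not the client, picks the cipher.
    """
    requested = set(protocols)
    unknown = requested - set(ALL_PROTOCOLS)
    if unknown:
        raise ValueError(f"unknown protocol attribute(s): {sorted(unknown)}")
    bad = requested & set(INSECURE_PROTOCOLS)
    if bad:
        raise ValueError(f"refusing insecure protocol(s): {sorted(bad)}")
    if not ciphers:
        raise ValueError("at least one cipher suite is required")
    attrs = [f"AttributeName={p},AttributeValue={'true' if p in requested else 'false'}"
             for p in ALL_PROTOCOLS]
    attrs += [f"AttributeName={c},AttributeValue=true" for c in ciphers]
    attrs.append("AttributeName=Server-Defined-Cipher-Order,AttributeValue=true")
    return attrs


def remediation_commands(lb_name, policy_name, listener_port, protocols, ciphers):
    """The two CLI invocations required, in order: define the policy, attach it.

    create-load-balancer-policy alone leaves the listener on its old policy;
    set-load-balancer-policies-of-listener is what actually switches it.
    """
    create = ["aws", "elb", "create-load-balancer-policy",
              "--load-balancer-name", lb_name,
              "--policy-name", policy_name,
              "--policy-type-name", "SSLNegotiationPolicyType",
              "--policy-attributes", *policy_attributes(protocols, ciphers)]
    attach = ["aws", "elb", "set-load-balancer-policies-of-listener",
              "--load-balancer-name", lb_name,
              "--load-balancer-port", str(listener_port),
              "--policy-names", policy_name]
    return [create, attach]


def remediate(lb_name, policy_name, listener_port, protocols, ciphers, dry_run=True):
    """Print each command; execute it as well when dry_run is False."""
    cmds = remediation_commands(lb_name, policy_name, listener_port, protocols, ciphers)
    for cmd in cmds:
        print(" ".join(shlex.quote(a) for a in cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)  # stop on the first failing call
    return cmds


if __name__ == "__main__":
    # Illustrative values: TLS 1.2 only, on the HTTPS listener at port 443.
    remediate("MyWebELB", "MyTLS12OnlyPolicy", 443,
              protocols=["Protocol-TLSv1.2"],
              ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA"])
```

Run it once in the default dry-run mode, review the two printed commands, then rerun with `dry_run=False` (or paste the commands) and confirm with the describe-load-balancer-policies check from step 2 that Protocol-SSLv3 and Protocol-TLSv1 report false on the new policy.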
    


Publication date Oct 13, 2016