01
Sign in to your Cloud Conformity console, access Enable Latest SSL Security Policy for Web-Tier ELBs conformity rule settings and copy the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).
02
Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs provisioned in the selected AWS region:
aws elb describe-load-balancers \
  --region us-east-1 \
  --output table \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'
03
The command output should return a table with the requested ELB names:
-------------------------
| DescribeLoadBalancers |
+-----------------------+
| cc-web-tier-elb |
| cc-project5-elb |
+-----------------------+
04
Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource:
aws elb describe-tags \
  --region us-east-1 \
  --load-balancer-names cc-web-tier-elb \
  --query 'TagDescriptions[*].Tags[]'
05
The command request should return one of the following outputs:
- If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ELB is not tagged, therefore the audit process for the selected resource ends here:
[]
- If the command output returns a set of tags that is different from the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your web tier, therefore the audit process for the selected resource ends here:
[
    {
        "Value": "Owner",
        "Key": "Web Stack Manager"
    }
]
- If the describe-tags command output returns a set of tags that matches the one copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified AWS ELB is tagged as a web-tier resource, therefore the audit process continues with the next step:
[
    {
        "Value": "<web_tier_tag_value>",
        "Key": "<web_tier_tag>"
    }
]
06
Run describe-load-balancer-policies command (OSX/Linux/UNIX) using the name of the web-tier ELB identified at the previous step to expose the name of the SSL negotiation policy used by the selected web-tier ELB HTTPS/SSL listener:
aws elb describe-load-balancer-policies \
  --region us-east-1 \
  --load-balancer-name cc-web-tier-elb \
  --query 'PolicyDescriptions[*].PolicyName'
07
The command output should return the name of the negotiation policy in use:
[
    "AWSConsole-SSLNegotiationPolicy-cc-web-tier-elb-123456789012"
]
08
Run the describe-load-balancer-policies command (OSX/Linux/UNIX) again, this time passing the name of the SSL negotiation policy returned at the previous step, to describe the policy metadata and determine whether the selected web-tier ELB is using the latest SSL security policy (no --query filter this time, because the full policy attribute list is needed):
aws elb describe-load-balancer-policies \
  --region us-east-1 \
  --load-balancer-name cc-web-tier-elb \
  --policy-names AWSConsole-SSLNegotiationPolicy-cc-web-tier-elb-123456789012
09
The command output should return the configuration metadata for the selected SSL negotiation policy:
{
    "PolicyDescriptions": [
        {
            "PolicyAttributeDescriptions": [
                {
                    "AttributeName": "Reference-Security-Policy",
                    "AttributeValue": "ELBSecurityPolicy-2015-05"
                },
                ...
                {
                    "AttributeName": "EXP-KRB5-RC4-MD5",
                    "AttributeValue": "false"
                }
            ],
            "PolicyName": "AWSConsole-SSLNegotiationPolicy-cc-web-tier-elb",
            "PolicyTypeName": "SSLNegotiationPolicyType"
        }
    ]
}
To determine the name of the SSL security policy in use, search the command output for the AttributeName entry named Reference-Security-Policy and read its corresponding AttributeValue. If that AttributeValue is different from the name of the latest security policy available (the latest policy released by AWS can be identified by the date appended to its name or by using this URL), the listener SSL negotiation configuration set for the selected web-tier ELB is insecure and vulnerable to exploits. If the AttributeValue returned does not match any of the predefined security policies listed at this URL, the policy in use is a custom one and most likely not updated, which also makes it vulnerable to exploits. AWS predefined security policies are always preferred over custom security policies because the ones released by AWS use the most secure SSL protocols and ciphers.
10
Repeat steps no. 4 – 9 to check the SSL negotiation configuration for other load balancers created for your web tier in the selected AWS region.
11
Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 10 to perform the audit process for other regions.
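The following script is an added example, not Cloud Conformity's or AWS's code. It reproduces the decision logic of steps 4 through 9 as pure functions over the JSON that `aws elb describe-tags` and `aws elb describe-load-balancer-policies` return, so that every verdict (untagged, not web tier, latest, outdated, custom) is explicit and testable. The sample documents are constructed to mirror the page's examples; the list of predefined policy names is an assumption that must be refreshed from the AWS documentation the page refers to, and the `aws_json` helper (which shells out to the real CLI) is only shown in a comment because it needs credentials and network access.

```python
"""Audit helper for the Classic ELB SSL-policy check (added example)."""
import json
import subprocess

# Assumption: predefined Classic ELB policies known at the time of writing.
# Refresh this list from the AWS documentation before relying on it.
PREDEFINED_POLICIES = [
    "ELBSecurityPolicy-2011-08", "ELBSecurityPolicy-2014-01",
    "ELBSecurityPolicy-2014-10", "ELBSecurityPolicy-2015-02",
    "ELBSecurityPolicy-2015-03", "ELBSecurityPolicy-2015-05",
    "ELBSecurityPolicy-2016-08",
]

# Step 1: the tag set copied from the rule settings (placeholder values).
WEB_TIER_TAG = ("<web_tier_tag>", "<web_tier_tag_value>")

# Constructed samples mirroring the step-5 and step-9 outputs on the page.
SAMPLE_TAGS = {
    "untagged": [],
    "other": [{"Key": "Owner", "Value": "Web Stack Manager"}],
    "web": [{"Key": "<web_tier_tag>", "Value": "<web_tier_tag_value>"}],
}
SAMPLE_POLICIES = {
    "PolicyDescriptions": [{
        "PolicyAttributeDescriptions": [
            {"AttributeName": "Reference-Security-Policy",
             "AttributeValue": "ELBSecurityPolicy-2015-05"},
            {"AttributeName": "EXP-KRB5-RC4-MD5", "AttributeValue": "false"},
        ],
        "PolicyName": "AWSConsole-SSLNegotiationPolicy-cc-web-tier-elb-123456789012",
        "PolicyTypeName": "SSLNegotiationPolicyType",
    }]
}


def latest_predefined(policies):
    """Pick the newest policy by the YYYY-MM date AWS appends to its name."""
    return max(policies, key=lambda name: name.split("ELBSecurityPolicy-", 1)[-1])


def classify_tags(tags, web_tier_tag):
    """Steps 4-5: 'untagged', 'not-web-tier' or 'web-tier'."""
    if not tags:
        return "untagged"
    key, value = web_tier_tag
    for tag in tags:
        if tag.get("Key") == key and tag.get("Value") == value:
            return "web-tier"
    return "not-web-tier"


def reference_policy(policies_output):
    """Steps 8-9: Reference-Security-Policy of the SSL negotiation policy, or None."""
    for desc in policies_output.get("PolicyDescriptions", []):
        if desc.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        for attr in desc.get("PolicyAttributeDescriptions", []):
            if attr.get("AttributeName") == "Reference-Security-Policy":
                return attr.get("AttributeValue")
    return None


def assess_policy(reference, predefined=PREDEFINED_POLICIES):
    """'latest', 'outdated' (older predefined policy) or 'custom' (no/unknown reference)."""
    if reference is None or reference not in predefined:
        return "custom"
    if reference == latest_predefined(predefined):
        return "latest"
    return "outdated"


def audit_elb(tags, policies_output, web_tier_tag, predefined=PREDEFINED_POLICIES):
    """Combine steps 4-9 for one load balancer into a single verdict dict."""
    tier = classify_tags(tags, web_tier_tag)
    if tier != "web-tier":
        return {"tier": tier, "policy": None, "status": "skipped"}
    ref = reference_policy(policies_output)
    return {"tier": tier, "policy": ref, "status": assess_policy(ref, predefined)}


def aws_json(*args):
    """Run one `aws elb` subcommand and parse its JSON (needs the CLI and credentials)."""
    proc = subprocess.run(["aws", "elb", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    for label, tags in SAMPLE_TAGS.items():
        print(label, audit_elb(tags, SAMPLE_POLICIES, WEB_TIER_TAG))
    # Live use against a real account (not run here):
    # tags = aws_json("describe-tags", "--region", "us-east-1",
    #                 "--load-balancer-names", "cc-web-tier-elb")["TagDescriptions"][0]["Tags"]
    # pols = aws_json("describe-load-balancer-policies", "--region", "us-east-1",
    #                 "--load-balancer-name", "cc-web-tier-elb")
    # print(audit_elb(tags, pols, WEB_TIER_TAG))
```

Running the script on the constructed samples reports the web-tier balancer as `outdated`, because its reference policy ELBSecurityPolicy-2015-05 predates the newest name in the list; a policy with no Reference-Security-Policy attribute, or one whose value is not among the predefined names, is reported as `custom`, matching the page's guidance that such policies should be replaced with the current AWS predefined one.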