AWS Network Load Balancer (ELBv2) Security Policy


Risk level: Medium (should be achieved)

Ensure that your Amazon Network Load Balancers (NLBs) use the latest recommended predefined security policy for their TLS negotiation configuration, in order to protect their front-end connections against TLS vulnerabilities and meet security requirements.

Using a deprecated security policy for the TLS negotiation configuration of your Network Load Balancers exposes the connection between the client and the load balancer to various vulnerabilities. To keep your Amazon NLBs' TLS configuration secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services: "ELBSecurityPolicy-2016-08" for general use, "ELBSecurityPolicy-FS-2018-06" to support Forward Secrecy (FS), and "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" to use the latest TLS 1.2 protocol with the same set of secure ciphers as the "ELBSecurityPolicy-2016-08" policy. Note: AWS Network Load Balancers do not support custom security policies.

Audit

To determine if your Amazon NLBs are using security policies with deprecated ciphers, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the Network Load Balancer that you want to examine.

05 Select the Listeners tab from the bottom panel to access the load balancer listeners configuration.

06 Select the TLS : 443 listener and check the name of the associated security policy in the Security policy column. If the policy name is anything other than ELBSecurityPolicy-2016-08, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-2-Ext-2018-06, the policy in use employs outdated protocols and ciphers, and the selected Amazon NLB's TLS negotiation configuration is therefore vulnerable to exploits.

07 Repeat steps no. 4 – 6 for each AWS Network Load Balancer provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all your Network Load Balancers available in the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[?(Type == `network`)].LoadBalancerArn | []'

02 The command output should return an array with the requested ARN(s):

[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internal-nlb/abcd1234abcd1234"
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the AWS NLB that you want to examine as the identifier, with custom query filters to reveal the security policy used by the selected load balancer's TLS negotiation configuration:

aws elbv2 describe-listeners \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd \
	--query 'Listeners[*].SslPolicy'

04 The command output should return the name of the security policy in use:

[
    "ELBSecurityPolicy-TLS-1-0-2015-04"
]

If the policy name returned by the describe-listeners command is anything other than ELBSecurityPolicy-2016-08, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-2-Ext-2018-06, the implemented security policy uses outdated protocols and ciphers, and the selected Amazon NLB's TLS negotiation configuration is therefore vulnerable to exploits.

05 Repeat steps no. 3 and 4 for each AWS Network Load Balancer available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

To update your Amazon Network Load Balancers (NLBs) listeners configuration in order to use the latest predefined and recommended security policy, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the AWS NLB that you want to reconfigure (see Audit section part I to identify the right resource).

05 Choose the Listeners tab from the dashboard bottom panel.

06 Select the TLS : 443 listener, then click the Edit button to initiate the configuration editing process.

07 On Listeners page, select one of the following policies from the Security policy dropdown list based on your requirements: ELBSecurityPolicy-2016-08 for general use (default), ELBSecurityPolicy-FS-2018-06 if Forward Secrecy (FS) is required, or ELBSecurityPolicy-TLS-1-2-Ext-2018-06 to use the latest TLS 1.2 protocol and meet certain security standards. Once the policy is selected, click Update to apply the configuration changes. Click < (Back) to return to the ELB dashboard.

08 Repeat steps no. 4 – 7 to reconfigure other AWS Network Load Balancers provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-listeners command (OSX/Linux/UNIX) using custom query filters to return the ARN of the TLS listener set for the Network Load Balancer that you want to reconfigure (see Audit section part II to identify the right AWS NLB):

aws elbv2 describe-listeners \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd \
	--query 'Listeners[?(Protocol == `TLS`)].ListenerArn | []'

02 The command output should return the requested Amazon Resource Name (ARN):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/01234567abcdabcd"
]

03 Run modify-listener command (OSX/Linux/UNIX) using the ARN of the TLS listener returned at the previous step as the identifier to update its predefined security policy based on your needs, e.g. "ELBSecurityPolicy-2016-08" for general use, "ELBSecurityPolicy-FS-2018-06" for Forward Secrecy (FS) support or "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" for the latest TLS 1.2 protocol. The following command example updates the specified listener configuration to use the security policy named "ELBSecurityPolicy-2016-08":

aws elbv2 modify-listener \
	--region us-east-1 \
	--listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/01234567abcdabcd \
	--ssl-policy ELBSecurityPolicy-2016-08

04 The command output should return the modified TLS listener metadata:

{
    "Listeners": [
        {
            "Protocol": "TLS",
            "DefaultActions": [
                {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/abcd1234abcd1234",
                    "Type": "forward",
                    "Order": 1
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-2016-08",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cc-frontend-certificate"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/01234567abcdabcd"
        }
    ]
}

05 Repeat steps no. 1 – 4 to reconfigure other AWS Network Load Balancers available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.
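The CLI audit (Audit section part II) and the CLI remediation above, combined into one script that walks every Network Load Balancer in a region instead of one listener at a time. This is an added example, not code from the Cloud Conformity page or from AWS. It assumes the AWS CLI is installed with credentials that allow describe-load-balancers, describe-listeners and modify-listener; the function names (is_recommended, list_nlb_arns, list_tls_listeners, audit_region, remediate_region) and the RECOMMENDED list are this example's own. It goes beyond the page's single commands in two ways: it filters on Type == network so Application Load Balancers are never touched, and it only ever applies a policy that is itself on the recommended list.

```shell
#!/bin/sh
# Added example (not code from the Cloud Conformity page or from AWS): audit
# every Network Load Balancer in one region for TLS listeners whose security
# policy is not one of the three recommended predefined policies, and
# optionally move the non-compliant ones to a chosen recommended policy.
# Assumes the AWS CLI is installed and credentials allow
# elasticloadbalancing:DescribeLoadBalancers, DescribeListeners and
# ModifyListener. All function and variable names below are this example's own.

RECOMMENDED="ELBSecurityPolicy-2016-08 ELBSecurityPolicy-FS-2018-06 ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
TAB=$(printf '\t')

# is_recommended POLICY: succeeds only if POLICY is in RECOMMENDED.
is_recommended() {
    for p in $RECOMMENDED; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# list_nlb_arns REGION: one NLB ARN per line. The filter is Type == network,
# so Application Load Balancers are never examined.
list_nlb_arns() {
    aws elbv2 describe-load-balancers --region "$1" \
        --query 'LoadBalancers[?Type==`network`].LoadBalancerArn' \
        --output text | tr '\t' '\n'
}

# list_tls_listeners REGION LB_ARN: "LISTENER_ARN<TAB>SSL_POLICY" per line for
# TLS listeners only (TCP/UDP listeners carry no security policy).
list_tls_listeners() {
    aws elbv2 describe-listeners --region "$1" --load-balancer-arn "$2" \
        --query 'Listeners[?Protocol==`TLS`].[ListenerArn,SslPolicy]' \
        --output text
}

# audit_region REGION: prints "OK ARN POLICY" or "NONCOMPLIANT ARN POLICY" per
# TLS listener and returns 1 if anything is non-compliant (usable in CI).
audit_region() {
    region=$1
    failures=0
    for lb in $(list_nlb_arns "$region"); do
        [ "$lb" = "None" ] && continue          # text output for a null result
        listeners=$(list_tls_listeners "$region" "$lb")
        [ -z "$listeners" ] && continue         # this NLB has no TLS listener
        # Here-document instead of a pipe so $failures survives the loop.
        while IFS=$TAB read -r listener policy; do
            [ -z "$listener" ] && continue
            if is_recommended "$policy"; then
                printf 'OK %s %s\n' "$listener" "$policy"
            else
                printf 'NONCOMPLIANT %s %s\n' "$listener" "$policy"
                failures=$((failures + 1))
            fi
        done <<EOF
$listeners
EOF
    done
    [ "$failures" -eq 0 ]
}

# remediate_region REGION POLICY: re-points every non-compliant TLS listener at
# POLICY, refusing any POLICY that is not itself on the recommended list.
remediate_region() {
    region=$1
    target=$2
    if ! is_recommended "$target"; then
        printf 'refusing to apply non-recommended policy %s\n' "$target" >&2
        return 1
    fi
    audit_region "$region" | while read -r state listener policy; do
        [ "$state" = "NONCOMPLIANT" ] || continue
        new=$(aws elbv2 modify-listener --region "$region" \
            --listener-arn "$listener" --ssl-policy "$target" \
            --query 'Listeners[0].SslPolicy' --output text)
        printf 'UPDATED %s %s -> %s\n' "$listener" "$policy" "$new"
    done
}

# Usage: sh nlb_tls_policy.sh REGION [RECOMMENDED_POLICY]
# With one argument the script only audits; with two it also remediates.
if [ "$#" -eq 1 ]; then
    audit_region "$1"
elif [ "$#" -ge 2 ]; then
    remediate_region "$1" "$2"
fi
```

Run it once per region with just the region name to get an audit report and a non-zero exit status if any TLS listener is non-compliant; add the policy name as a second argument to apply the fix. The remediation reuses the audit, so only listeners the audit flagged are modified, and a typo in the policy name is rejected before any modify-listener call is made.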


Publication date Mar 1, 2019