
AWS ALB (ELBv2) Security Policy

Last updated: 13 September 2018
Security

Risk level: Medium (should be achieved)

Ensure that your Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.

Using insecure or deprecated security policies for the SSL/TLS negotiation configuration of your Application Load Balancers exposes the connection between the client and the load balancer to known protocol and cipher-suite weaknesses. To keep your ALBs' TLS configuration secure, Cloud Conformity recommends using one of the latest predefined security policies published by Amazon Web Services: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2016-08" or "ELBSecurityPolicy-TLS-1-1-2017-01". These policies differ in the lowest protocol version they accept: ELBSecurityPolicy-TLS-1-2-Ext-2018-06 negotiates TLS 1.2 only, ELBSecurityPolicy-TLS-1-1-2017-01 accepts TLS 1.1 and 1.2, while ELBSecurityPolicy-2016-08 and ELBSecurityPolicy-FS-2018-06 still accept TLS 1.0 (the FS policy restricts the cipher suites to ECDHE suites that provide forward secrecy). Where a standard such as PCI DSS forbids TLS 1.0, choose the TLS 1.2-only policy. Note: Application Load Balancers support only the predefined policies; custom security policies cannot be defined.

Audit

To determine if your load balancers are using deprecated security policies, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the Application Load Balancer that you want to examine.

05 Select the Listeners tab from the bottom panel to access the load balancer listeners configuration.

06 Select the HTTPS : 443 listener and check the policy name shown in the Security policy column. If the name differs from ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-1-2017-01, the listener uses a policy that still enables outdated protocols or cipher suites (for example ELBSecurityPolicy-TLS-1-0-2015-04, which includes the 3DES suite DES-CBC3-SHA), and the selected ALB's SSL/TLS negotiation configuration should be considered insecure. Repeat the check for any other HTTPS listener on the same load balancer.

07 Repeat steps no. 4 – 6 for each Application Load Balancer provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all your Application Load Balancers available within the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'

02 The command output should return an array with the requested ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-alb/aaaabbbbccccdddd"
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the ALB that you want to examine as identifier and a query filter that returns the security policy of each HTTPS listener (HTTP listeners carry no SslPolicy and are left out of the result):

aws elbv2 describe-listeners \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd \
	--query 'Listeners[?(Protocol == `HTTPS`)].SslPolicy | []'

04 The command output should return the name of the security policy in use:

[
    "ELBSecurityPolicy-TLS-1-0-2015-04"
]

If the policy name returned by the describe-listeners command is not one of ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-1-2017-01 (as in the output above, where the listener still uses ELBSecurityPolicy-TLS-1-0-2015-04), the listener employs outdated protocols and cipher suites, and the selected AWS ALB's SSL/TLS negotiation configuration is insecure.

05 Repeat steps no. 3 and 4 for each Application Load Balancer provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To update your Application Load Balancer (ALB) HTTPS listeners to use the latest predefined security policies, perform the following actions. Tightening the policy changes which clients can still connect: before choosing a TLS 1.2-only policy, check the ssl_protocol and ssl_cipher fields of the load balancer access logs (if enabled) for legitimate clients that still negotiate TLS 1.0 or 1.1. The new policy applies to new connections as soon as the listener is modified; the certificate and default actions are left unchanged.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the AWS ALB that you want to reconfigure (see Audit section part I to identify the right resource).

05 Choose the Listeners tab from the bottom panel.

06 Select the HTTPS : 443 listener, click the Actions dropdown button from the panel top menu and select Edit.

07 Inside the Edit listeners dialog box, within the Select Security Policy section, select one of the following policies from the Security policy dropdown list: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-1-2017-01. Cloud Conformity recommends ELBSecurityPolicy-2016-08 for general use, and ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-1-2017-01 where a compliance or security standard requires a higher minimum protocol version or forward secrecy. Click Save to apply the changes and return to the dashboard.

08 Repeat steps no. 4 – 7 to update the security policy for the other Application Load Balancers provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-listeners command (OSX/Linux/UNIX) using custom query filters to get the ARN(s) of the HTTPS listener(s) set for the AWS ALB that you want to reconfigure (see Audit section part II to identify the right resource):

aws elbv2 describe-listeners \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd \
	--query 'Listeners[?(Protocol == `HTTPS`)].ListenerArn | []'

02 The command output should return the requested listener ARN:

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-alb/aaaabbbbccccdddd/1234aaaa1234bbbb"
]

03 Run modify-listener command (OSX/Linux/UNIX) using the ARN of the HTTPS listener that you want to reconfigure as identifier to update its predefined security policy (in this case to ELBSecurityPolicy-2016-08):

aws elbv2 modify-listener \
	--region us-east-1 \
	--listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-alb/aaaabbbbccccdddd/1234aaaa1234bbbb \
	--ssl-policy ELBSecurityPolicy-2016-08

04 The command output should return the modified listener metadata:

{
    "Listeners": [
        {
            "Protocol": "HTTPS",
            "DefaultActions": [
                {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/alb-target-group/1234aaaa1234bbbb",
                    "Type": "forward"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-2016-08",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:iam::123456789012:server-certificate/FrontendSSLCertificate"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-alb/aaaabbbbccccdddd/1234aaaa1234bbbb"
        }
    ]
}

05 Repeat steps no. 1 – 4 to update the security policy for the other Application Load Balancers provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.
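The CLI audit (steps 1 - 6 of the Audit section) and the CLI remediation (steps 1 - 4 above) combined into one script, added here as a worked example; it is not code from the original page or from Cloud Conformity. It assumes the AWS CLI is on PATH with credentials permitted to call elasticloadbalancing:DescribeLoadBalancers, DescribeListeners and ModifyListener. The script name, the FIX_POLICY variable and the function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page): audit every HTTPS listener of
# every Application Load Balancer in the given regions against the approved
# predefined security policies and, when FIX_POLICY is set, move each
# non-compliant listener to that policy.
#
#   ./alb-tls-policy-audit.sh us-east-1 eu-west-1                        # report only
#   FIX_POLICY=ELBSecurityPolicy-TLS-1-2-Ext-2018-06 ./alb-tls-policy-audit.sh us-east-1

# Predefined policies accepted by this check (the set named on this page).
APPROVED_POLICIES="ELBSecurityPolicy-TLS-1-2-Ext-2018-06 ELBSecurityPolicy-FS-2018-06 \
ELBSecurityPolicy-2016-08 ELBSecurityPolicy-TLS-1-1-2017-01"

# Exit status 0 when $1 is an approved policy name, 1 otherwise.
is_approved_policy() {
  local policy="$1" p
  for p in $APPROVED_POLICIES; do
    if [ "$p" = "$policy" ]; then return 0; fi
  done
  return 1
}

# Reads "<listener-arn> <ssl-policy>" lines on stdin and echoes only the
# non-compliant ones. Kept free of AWS calls so it can run on captured output.
flag_noncompliant() {
  local arn policy
  while read -r arn policy; do
    if [ -z "$arn" ]; then continue; fi
    if ! is_approved_policy "$policy"; then printf '%s %s\n' "$arn" "$policy"; fi
  done
}

# Prints "<listener-arn> <ssl-policy>" for each HTTPS listener on each ALB in
# region $1. Network load balancers are excluded by Type, HTTP listeners by Protocol.
list_https_listeners() {
  local region="$1" lb
  for lb in $(aws elbv2 describe-load-balancers --region "$region" \
      --query 'LoadBalancers[?Type == `application`].LoadBalancerArn' --output text); do
    aws elbv2 describe-listeners --region "$region" --load-balancer-arn "$lb" \
      --query 'Listeners[?Protocol == `HTTPS`].[ListenerArn, SslPolicy]' --output text
  done
}

# Switches listener $2 in region $1 to policy $3 and prints the policy AWS
# reports back. Only SslPolicy changes; certificates and actions stay as they are.
set_listener_policy() {
  aws elbv2 modify-listener --region "$1" --listener-arn "$2" --ssl-policy "$3" \
    --query 'Listeners[0].SslPolicy' --output text
}

# Audits one region; with FIX_POLICY set, remediates each flagged listener.
audit_region() {
  local region="$1" arn policy
  list_https_listeners "$region" | flag_noncompliant | while read -r arn policy; do
    printf 'NON-COMPLIANT %s %s %s\n' "$region" "$arn" "$policy"
    if [ -n "${FIX_POLICY:-}" ]; then
      printf 'UPDATED %s -> %s\n' "$arn" "$(set_listener_policy "$region" "$arn" "$FIX_POLICY")"
    fi
  done
}

# Never apply a policy that this check itself would flag.
if [ -n "${FIX_POLICY:-}" ] && ! is_approved_policy "$FIX_POLICY"; then
  echo "refusing to apply unapproved policy $FIX_POLICY" >&2
  exit 2
fi

# Entry point: iterates over the regions given as arguments; nothing runs without them.
for region; do
  audit_region "$region"
done
```

Run it once without FIX_POLICY and review the NON-COMPLIANT lines before re-running with FIX_POLICY set. After switching a listener to ELBSecurityPolicy-TLS-1-2-Ext-2018-06, a handshake such as openssl s_client -connect <alb-dns-name>:443 -tls1 should now fail, while -tls1_2 still succeeds; that confirms the policy is enforced at the edge rather than only recorded in the listener metadata.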

Publication date Nov 25, 2017