ELB Insecure SSL Protocols

Risk level: Medium (should be achieved)

Rule ID: ELB-005

Check your Elastic Load Balancers Secure Sockets Layer (SSL) negotiation configuration for SSLv2, SSLv3, and TLSv1 insecure / deprecated SSL protocols

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using insecure and deprecated protocols for your ELB Predefined Security Policy or Custom Security Policy could make the connection between the client and the load balancer vulnerable to exploits such as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which targets a specific weakness in the OpenSSL implementation of SSLv2 protocol and POODLE (Padding Oracle On Downgraded Legacy Encryption).
This vulnerability allows an attacker to read information encrypted with SSLv3 protocol in plain text, using a man-in-the-middle attack. If your existent ELB SSL negotiation configuration use Protocol-SSLv2 and/or Protocol-SSLv3 and/or Protocol-TLSv1 (PCI council require TLS1.0 to be turned off soon), we highly recommend updating it using the information provided in this guide (see Remediation/Resolution section).
Note: ELBSecurityPolicy-2016-08 predefined security policy includes Protocol-TLSv1 which is considered insecure.

Audit

To determine if your ELB Predefined Security Policy use insecure protocols, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Listeners tab from the bottom panel.

06 In the Cipher column of the HTTPS listener click Change:

07 In the Select a Cipher dialog box, select one of the following configuration options:

Predefined Security Policy:
Search in the SSL Protocols section: associated with the enabled predefined security policy: for any active Protocol-SSLv2,Protocol-SSLv3, and Protocol-TLSv1 definitions. The following document defines the SSL protocols used by AWS for the ELB predefined security policies: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html
Custom Security Policy:
Scan the SSL Protocols section:
associated with your existent custom security policy: for any active Protocol-SSLv2, Protocol-SSLv3, and Protocol-TLSv1 definitions.

Using AWS CLI

01 If a Predefined Security Policy is used

Run describe-load-balancer-policies command (OSX/Linux/UNIX) to determine if the enabled predefined policy associated with your load balancer (in this case "ELBSecurityPolicy-2014-01”) includes SSLv2 and/or SSLv3 insecure protocols:
```
aws elb describe-load-balancer-policies \
	--load-balancer-name MyWebELB \
	--policy-name ELBSecurityPolicy-2014-01
```

The command output should expose any insecure protocols used (true for active, false for inactive):

{
    "PolicyDescriptions": [
        {
            "PolicyAttributeDescriptions": [
                {
                    "AttributeName": "Reference-Security-Policy",
                    "AttributeValue": "ELBSecurityPolicy-2014-01"
                },

                {
                    "AttributeName": "Protocol-TLSv1",
                    "AttributeValue": "true"
                },
                {
                    "AttributeName": "Protocol-SSLv3",
                    "AttributeValue": "true"
                },
                {
                    "AttributeName": "Protocol-TLSv1.1",
                    "AttributeValue": "true"
                },
                {
                    "AttributeName": "Protocol-TLSv1.2",
                    "AttributeValue": "true"
                },
                ...
            ],
            "PolicyName": "ELBSecurityPolicy-2014-01",
            "PolicyTypeName": "SSLNegotiationPolicyType"
        }
    ]
}

02 If a Custom Security Policy is used

To determine if any insecure SSL protocols are enabled in your custom policy, run the following command (OSX/Linux/UNIX):
```
aws elb describe-load-balancer-policies \
	--load-balancer-name MyWebELB \
	--output table
```

The command output should expose all SSL protocols used in your custom policy (true for active, false for inactive):

||+------------------------------------------+-------------+||
|||  Protocol-TLSv1                          |  true       |||
|||  Protocol-SSLv3                          |  true       |||
|||  Protocol-TLSv1.1                        |  true       |||
|||  Protocol-TLSv1.2                        |  true       |||
|||  Server-Defined-Cipher-Order             |  true       |||
||+------------------------------------------+-------------+||}

Remediation / Resolution

To remove any insecure protocol definitions from your ELB SSL negotiation settings, you need to perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Listeners tab from the bottom panel.

06 In the Cipher column of the HTTPS listener click Change:

07 In the Select a Cipher dialog box, select one of the following options configurations:

08 Predefined Security Policy:
Select the latest predefined security policy from the list named ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01 or ELBSecurityPolicy-2016-08:

and then click Save. The selected predefined policy does NOT include the Protocol-SSLv2, Protocol-SSLv3, and Protocol-TLSv1 unsafe protocols.

09 Custom Security Policy:
Uncheck Protocol-SSLv2 and/or Protocol-SSLv3 and/or Protocol-TLSv1 from the SSL Protocols section:

found in your SSL custom policy and then click Save.

Using AWS CLI

01 If a Predefined Security Policy is used:

Run describe-load-balancer-policies command (OSX/Linux/UNIX) to list all predefined security policies currently provided by AWS ELB:

aws elb describe-load-balancer-policies \
	--query "PolicyDescriptions[?PolicyTypeName=='SSLNegotiationPolicyType']  .{PolicyName:PolicyName}" \
	--output table

The command output should return the names of the predefined policies used by ELB:

-----------------------------------------------
|        DescribeLoadBalancerPolicies         |
+---------------------------------------------+
|                 PolicyName                  |
+---------------------------------------------+
|  ELBSecurityPolicy-2016-08                  |
|  ELBSecurityPolicy-TLS-1-2-2017-01          |
|  ELBSecurityPolicy-TLS-1-1-2017-01          |
|  ELBSecurityPolicy-2015-05                  |
|  ELBSecurityPolicy-2015-03                  |
|  ELBSecurityPolicy-2015-02                  |
|  ELBSecurityPolicy-2014-10                  |
|  ELBSecurityPolicy-2014-01                  |
|  ELBSecurityPolicy-2011-08                  |
|  ELBSample-ELBDefaultNegotiationPolicy      |
|  ELBSample-OpenSSLDefaultNegotiationPolicy  |
+---------------------------------------------+

Use create-load-balancer-policy command (OSX/Linux/UNIX) to create a secure predefined policy using one of the SSL configurations listed in the previous step. We highly recommend that you use the latest predefined policy, named "ELBSecurityPolicy-2016-08".

- IMPORTANT: Avoid using ELBSecurityPolicy-2011-08 and ELBSecurityPolicy-2014-01 policies, as these contain the SSLv3 protocol which is currently rendered as insecure.
```
aws elb create-load-balancer-policy \
	--load-balancer-name MyWebELB \
	--policy-name MyELBCustomSecurityPolicy \
	--policy-type-name SSLNegotiationPolicyType \
	--policy-attributes AttributeName=Reference-Security-Policy, AttributeValue=ELBSecurityPolicy-2016-08
```

02 If a Custom Security Policy is used:

To create a custom ELB SSL security policy that contains only secure and updated protocols use create-load-balancer-policy command (OSX/Linux/UNIX):

aws elb create-load-balancer-policy \
	--load-balancer-name MyWebELB \
	--policy-name MyCustomSSLSecurityPolicy \
	--policy-type-name SSLNegotiationPolicyType \
	--policy-attributes AttributeName=Protocol-TLSv1.2,AttributeValue=true \
		AttributeName=Protocol-TLSv1.1,AttributeValue=true \
		AttributeName=ECDHE-RSA-AES128-SHA,AttributeValue=true \
		AttributeName=Server-Defined-Cipher-Order,AttributeValue=true

To expose the protocols enabled at policy creation run describe-load-balancer-policies command (OSX/Linux/UNIX):

>aws elb describe-load-balancer-policies \
	--load-balancer-name MyWebELB \
	--policy-names MyCustomSSLSecurityPolicy \
	--output table

The command output should expose all SSL protocols used by the custom policy (true for active / secure, false for inactive / insecure):

||+-----------------------------------+-------------------+||
|||  Protocol-SSLv3                   |  false            |||
|||  Protocol-TLSv1.1                 |  true             |||
|||  Protocol-TLSv1.2                 |  true             |||
|||  Server-Defined-Cipher-Order      |  true             |||
||+-----------------------------------+-------------------+||

References

AWS Command Line Interface (CLI) Documentation
elb
describe-load-balancer-policies
create-load-balancer-policy

Publication date Oct 13, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

ELB Insecure SSL Protocols

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ELB rules