Logo of Trend Micro

ELB Security Policy

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ELB-004

Ensure that your Elastic Load Balancers are using the latest AWS predefined security policies, ELBSecurityPolicy-2016-08 or ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01, for their SSL negotiation configuration.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using insecure and deprecated security policies for your ELBs SSL negotiation configuration will expose the connection between the client and the load balancer to SSL/TLS vulnerabilities such as Logjam Attack, which is a weaknesses in how the Diffie-Hellman key exchange (DHE) has been deployed and FREAK Attack, which allows an attacker to intercept HTTPS connections between vulnerable clients and servers / load balancers in order to break in and steal or manipulate sensitive data. To maintain your ELBs SSL configuration secure, Cloud Conformity recommends using the latest Predefined Security Policies released by AWS: ELBSecurityPolicy-2016-08 or ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01 .

Audit

To determine if your load balancers are using deprecated security policies, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the Elastic Load Balancer that you want to examine.

05 Select the Listeners tab from the bottom panel.

06 In the Cipher column of the HTTPS/SSL listener click Change:

In the Cipher column of the HTTPS/SSL listener click Change

07 In the Select a Cipher dialog box, identify which security policy is in use:

  1. If the Predefined Security Policy is selected and the policy currently used: If the Predefined Security Policy is selected and the policy currently used is not the latest one available (ELBSecurityPolicy-2016-08 or ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01), the listener SSL negotiation configuration is insecure and vulnerable to exploits.
  2. If the Custom Security Policy is selected, it is likely that the policy is not updated which makes the SSL negotiation configuration insecure and vulnerable to exploits. AWS predefined security policies are always preferred over custom security policies.

08 Repeat steps no. 4 – 7 for each load balancer available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-load-balancer-policies command (OSX/Linux/UNIX) to determine which security policy is currently associated with the selected Elastic Load Balancer: 

aws elb describe-load-balancer-policies
	--region us-east-1
	--load-balancer-name MyWebELB
	--query 'PolicyDescriptions[*].PolicyName'

02 The command output should return the name of the security policy in use: 

[
    "AWSConsole-SSLNegotiationPolicy-MyWebELB-1461864058120"
]

03 Run again describe-load-balancer-policies command (OSX/Linux/UNIX) using the name of the policy returned earlier to list the policy metadata: 

aws elb describe-load-balancer-policies
	--region us-east-1
	--load-balancer-name MyWebELB
	--policy-name AWSConsole-SSLNegotiationPolicy-MyWebELB-1461864058120

04 The command output should return an object with the policy metadata. To determine the security policy used (predefined or custom) and its name, search for the AttributeName parameter called Reference-Security-Policy and its correspondent AttributeValue value (highlighted): 

{
    "PolicyDescriptions": [
        {
            "PolicyAttributeDescriptions": [
                {
                    "AttributeName": "Reference-Security-Policy",
                    "AttributeValue": "ELBSecurityPolicy-2014-10"
                },
                {
                    "AttributeName": "Protocol-TLSv1",
                    "AttributeValue": "true"
                },
                {
                    "AttributeName": "Protocol-SSLv3",
                    "AttributeValue": "false"
                },
                ...
                {
                    "AttributeName": "EXP-KRB5-RC4-SHA",
                    "AttributeValue": "false"
                },
                {
                    "AttributeName": "EXP-KRB5-RC4-MD5",
                    "AttributeValue": "false"
                }
            ],
            "PolicyName": "AWSConsole-SSLNegotiationPolicy-MyWebELB",
            "PolicyTypeName": "SSLNegotiationPolicyType"
        }
    ]
}

If the AttributeValue value is different than ELBSecurityPolicy-2016-08 and/or ELBSecurityPolicy-TLS-1-2-2017-01 and/or ELBSecurityPolicy-TLS-1-1-2017-01 (latest Predefined Security Policies), the listener SSL negotiation configuration is insecure.

05 Repeat steps no. 1 – 4 for each load balancer available in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

Remediation / Resolution

To update your Elastic Load Balancer SSL negotiation configuration to use the latest AWS Predefined Security Policies, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the Elastic Load Balancer that you want to examine.

05 Select the Listeners tab from the bottom panel.

06 In the Cipher column of the HTTPS/SSL listener click Change:

In the Cipher column of the HTTPS/SSL listener click Change

07 In the Select a Cipher dialog box, check Predefined Security Policy checkbox and select the first policy available in the dropdown list, named ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01 or ELBSecurityPolicy-2016-08.

08 Click Save to apply the changes.

09 Repeat steps no. 4 – 8 for each load balancer with HTTPS/SSL listeners available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run set-load-balancer-policies-of-listener command (OSX/Linux/UNIX) to update the listener SSL configuration for the selected Elastic Load Balancer. The following command example updates the HTTPS/SSL listener policy for an ELB called MyWebELB with the latest predefined policy released, named ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01 or ELBSecurityPolicy-2016-08 (the command does not return any output): 

aws elb set-load-balancer-policies-of-listener
	--region us-east-1
	--load-balancer-name MyWebELB
	--load-balancer-port 443
	--policy-names ELBSecurityPolicy-2016-08

02 Repeat step no. 2 for each load balancer with HTTPS/SSL listeners available in the current region. Change the AWS region by using the --region filter to repeat the process for other regions.

References

Publication date Apr 29, 2016

Related ELB rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

ELB Security Policy

Risk level: Medium