ELBv2 ALB Security Policy
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using insecure and deprecated security policies for SSL negotiation configuration within your Application Load Balancers will expose the connection between the client and the load balancer to various SSL/TLS vulnerabilities. To maintain your ALBs SSL configuration secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2016-08" or "ELBSecurityPolicy-TLS-1-1-2017-01".
Note: Custom security policies are not allowed.
To determine if your load balancers are using deprecated security policies, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.
04 Select the Application Load Balancer that you want to examine.
05 Select the Listeners tab from the bottom panel to access the load balancer listeners configuration.
06 Select the HTTPS : 443 listener and verify its security policy name available within Security policy column. If the name of the policy is different than ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-1-2017-01, the security policy used employs outdated protocols and ciphers, therefore the selected ALB SSL negotiation configuration is insecure and vulnerable to exploits.
07 Repeat steps no. 4 – 6 for each AWS Application Load Balancers provisioned in the current region.
08 Change the AWS region from the navigation bar and repeat the audit process for other regions.
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all your Application Load Balancers available within the selected region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'
02 The command output should return an array with the requested ARN(s):
[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-alb/aaaabbbbccccdddd"
]
03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the ALB that you want to examine as identifier and custom query filters to expose the security policy used by the selected load balancer SSL negotiation configuration:
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd --query 'Listeners[*].SslPolicy'
04 The command output should return the name of the security policy in use:
[
"ELBSecurityPolicy-TLS-1-0-2015-04"
]
05 Repeat step no. 3 and 4 for each AWS Application Load Balancers provisioned in the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
To update your Application Load Balancers (ALBs) listeners configuration to use the latest predefined security policies, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.
04 Select the AWS ALB that you want to reconfigure (see Audit section part I to identify the right resource).
05 Choose the Listeners tab from the bottom panel.
06 Select the HTTPS : 443 listener, click the Actions dropdown button from the panel top menu and select Edit.
07 Inside Edit listeners dialog box, within Select Security Policy section, select one of the following policies from the Security policy dropdown list: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-2018-06 or ELBSecurityPolicy-TLS-1-1-2017-01. Cloud Conformity recommends ELBSecurityPolicy-2016-08 policy for general use and ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-2018-06, ELBSecurityPolicy-TLS-1-1-2017-01 policies to meet certain compliance and security standards. Click Save to apply the changes and return to the dashboard.
08 Repeat steps no. 4 – 7 to update the security policy for other AWS Application Load Balancers provisioned in the current region.
09 Change the AWS region from the navigation bar and repeat the entire process for other regions.
01 Run describe-listeners command (OSX/Linux/UNIX) using custom query filters to get the ARN of the HTTPS listener set for the AWS ALB that you want to reconfigure (see Audit section part II to identify the right resource):
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd --query 'Listeners[?(Protocol == `HTTPS`)].ListenerArn | []'
02 The command output should return the requested listener ARN:
[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-alb/aaaabbbbccccdddd/1234aaaa1234bbbb"
]
03 Run modify-listener command (OSX/Linux/UNIX) using the ARN of the HTTPS listener that you want to reconfigure as identifier to update its predefined security policy (in this case update it to ELBSecurityPolicy-2016-08):
aws elbv2 modify-listener --region us-east-1 --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-alb/aaaabbbbccccdddd/1234aaaa1234bbbb --ssl-policy ELBSecurityPolicy-2016-08
04 The command output should return the modified listener metadata:
{
"Listeners": [
{
"Protocol": "HTTPS",
"DefaultActions": [
{
"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/alb-target-group/1234aaaa1234bbbb",
"Type": "forward"
}
],
"SslPolicy": "ELBSecurityPolicy-2016-08",
"Certificates": [
{
"CertificateArn": "arn:aws:iam::123456789012:server-certificate/FrontendSSLCertificate"
}
],
"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd",
"Port": 443,
"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-alb/aaaabbbbccccdddd/1234aaaa1234bbbb"
}
]
}
05 Repeat steps no. 1 – 4 to update the security policy for other AWS Application Load Balancers provisioned in the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat