ELB - Recommended SSL/TLS protocol version

Using insecure ciphers for your ELB Predefined or Custom Security Policy, could make the SSL connection between the client and the load balancer vulnerable to exploits. TLS 1.0 was recommended to be disabled by PCI Council after June 30, 2016

Risk Level: High
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.CRY.07
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

ELB should not have elbListeners with [ policies contain [ attributes contain-any [$ in ('Protocol-SSLv3', 'Protocol-TLSv1') ] ] ]

REMEDIATION

From Portal

  1. Login to the AWS Management Console.
  2. Navigate to EC2 dashboard.
  3. In the navigation panel, under Load balancing, click Load Balancers.
  4. Select your Elastic Load Balancer.
  5. Select the Listeners tab from the bottom panel. In the Cipher column of the HTTPS listener, click Change.
  6. Scan the SSL Ciphers section for any insecure / deprecated cipher definitions.

Follow this link to see a list of all the insecure ciphers that require to be removed: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html

From TF

resource "aws_elb" "example" {
	name               = "example"
}

resource "aws_lb_ssl_negotiation_policy" "test" {
	name          = "test-policy"
	load_balancer = aws_elb.lb.id
	lb_port       = 443
	
	attribute {
		name  = "..." # Weak protocol "Protocol-SSLv2"  "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1"
		- value = "true"
		+ value = "false"
	}
}

From Command Line
Following command will create an SSL negotiation policy for the specified HTTPS load balancer using the recommended security policy.

aws elb create-load-balancer-policy --load-balancer-name my-load-balancer --policy-name my-SSLNegotiation-policy --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2015-03

Following command will create an SSL negotiation policy for your HTTPS load balancer using a custom security policy by enabling the protocols and the ciphers.

aws elb create-load-balancer-policy --load-balancer-name my-load-balancer --policy-name my-SSLNegotiation-policy --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Protocol-SSLv3,AttributeValue=true AttributeName=Protocol-TLSv1.1,AttributeValue=true AttributeName=DHE-RSA-AES256-SHA256,AttributeValue=true AttributeName=Server-Defined-Cipher-Order,AttributeValue=true

References

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_ssl_negotiation_policy
  3. https://docs.aws.amazon.com/cli/latest/reference/elb/create-load-balancer-policy.html
  4. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset