Risk Level: High
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.CRY.07
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

ELB should not have elbListeners with [ policies contain [ attributes contain-any [$ in ('Protocol-SSLv3', 'Protocol-TLSv1') ] ] ]

REMEDIATION

From Portal

Login to the AWS Management Console.
Navigate to EC2 dashboard.
In the navigation panel, under Load balancing, click Load Balancers.
Select your Elastic Load Balancer.
Select the Listeners tab from the bottom panel. In the Cipher column of the HTTPS listener, click Change.
Scan the SSL Ciphers section for any insecure / deprecated cipher definitions.

Follow this link to see a list of all the insecure ciphers that require to be removed: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html

From TF

resource "aws_elb" "example" {
	name               = "example"
}

resource "aws_lb_ssl_negotiation_policy" "test" {
	name          = "test-policy"
	load_balancer = aws_elb.lb.id
	lb_port       = 443
	
	attribute {
		name  = "..." // Weak protocol "Protocol-SSLv2"  "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1"
		- value = "true"
		+ value = "false"
	}
}

From Command Line
Following command will create an SSL negotiation policy for the specified HTTPS load balancer using the recommended security policy.

aws elb create-load-balancer-policy --load-balancer-name my-load-balancer --policy-name my-SSLNegotiation-policy --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2015-03

Following command will create an SSL negotiation policy for your HTTPS load balancer using a custom security policy by enabling the protocols and the ciphers.

aws elb create-load-balancer-policy --load-balancer-name my-load-balancer --policy-name my-SSLNegotiation-policy --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Protocol-SSLv3,AttributeValue=true AttributeName=Protocol-TLSv1.1,AttributeValue=true AttributeName=DHE-RSA-AES256-SHA256,AttributeValue=true AttributeName=Server-Defined-Cipher-Order,AttributeValue=true

References

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_ssl_negotiation_policy
https://docs.aws.amazon.com/cli/latest/reference/elb/create-load-balancer-policy.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard CheckUp
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset