Ensure the Security Policy of the Network Load Balancer is up to date
Elastic Load Balancing uses a TLS negotiation configuration, known as a security policy, to negotiate TLS connections between a client and the load balancer. The ELBSecurityPolicy-2016-08 security policy is always used for backend connections. Network Load Balancers do not support custom security policies. When you create a TLS listener, you can select the security policy that meets your needs. When a new security policy is added, you can update your TLS listener to use the new security policy.
Risk Level: High
Cloud Entity: Network Load Balancer
CloudGuard Rule ID: D9.AWS.CRY.38
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NetworkLoadBalancer should have listeners contain [securityPolicy in('ELBSecurityPolicy-2016-08', 'ELBSecurityPolicy-FS-2018-06', 'ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06', 'ELBSecurityPolicy-TLS13-1-2-2021-06') ]
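The GSL check above, as an added example that is not CloudGuard's or AWS's code: it applies the rule's accepted-policy list to the JSON that `aws elbv2 describe-listeners` returns, flags every TLS listener whose policy is outside that list, and builds the matching `modify-listener` command from the remediation section. The listener ARNs and account id in the sample are constructed placeholders.

```python
"""Added example (not CloudGuard's or AWS's code): apply rule D9.AWS.CRY.38's
accepted-policy list to the JSON that `aws elbv2 describe-listeners` returns."""
import json

# Policies the GSL logic above accepts.
SECURE_POLICIES = frozenset({
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-FS-2018-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
})

# Constructed sample in the shape of `describe-listeners` output; the ARNs and
# account id are placeholders, not real resources.
ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111111111111:listener/net/demo/abc/"
SAMPLE_DESCRIBE_LISTENERS = json.dumps({"Listeners": [
    {"ListenerArn": ARN_PREFIX + "tls-old", "Port": 443, "Protocol": "TLS",
     "SslPolicy": "ELBSecurityPolicy-TLS-1-0-2015-04"},  # outside the accepted list
    {"ListenerArn": ARN_PREFIX + "tls-ok", "Port": 8443, "Protocol": "TLS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": ARN_PREFIX + "tcp", "Port": 80, "Protocol": "TCP"},  # no SslPolicy
]})


def find_weak_tls_listeners(describe_listeners_json):
    """Return (ListenerArn, SslPolicy) for each TLS listener whose policy is not
    in SECURE_POLICIES. TCP/UDP listeners carry no SslPolicy and are skipped."""
    findings = []
    for listener in json.loads(describe_listeners_json).get("Listeners", []):
        if listener.get("Protocol") != "TLS":
            continue
        policy = listener.get("SslPolicy", "")
        if policy not in SECURE_POLICIES:
            findings.append((listener["ListenerArn"], policy))
    return findings


def remediation_commands(describe_listeners_json, policy="ELBSecurityPolicy-TLS13-1-2-2021-06"):
    """Build one `modify-listener` command (as in the remediation section) per finding."""
    if policy not in SECURE_POLICIES:
        raise ValueError(f"{policy} is not one of the rule's accepted policies")
    return [f"aws elbv2 modify-listener --listener-arn {arn} --ssl-policy {policy}"
            for arn, _ in find_weak_tls_listeners(describe_listeners_json)]


if __name__ == "__main__":
    for arn, policy in find_weak_tls_listeners(SAMPLE_DESCRIBE_LISTENERS):
        print(f"non-compliant: {arn} uses {policy!r}")
    print("\n".join(remediation_commands(SAMPLE_DESCRIBE_LISTENERS)))
```

Feed it the real output of `aws elbv2 describe-listeners --load-balancer-arn <arn>` to audit one load balancer; a load balancer with no findings satisfies the rule.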
REMEDIATION
From Portal
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
- On the navigation pane, under LOAD BALANCING, choose Load Balancers
- Select the load balancer and go to 'Listeners'.
- Select the check box for the TLS listener and choose Actions and 'Edit listener'.
- Go to 'Security policy' under 'Secure listener settings'.
- Choose a recommended security policy from the dropdown list.
- Click on 'Save changes'.
From TF
resource "aws_lb_listener" "test" {
  load_balancer_arn = aws_lb.test.arn
  port              = "443"
  protocol          = "TLS"            # Network Load Balancer listeners that carry a security policy use TLS
+ ssl_policy        = "..."            # Secure policies: "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = "Certificate_ARN"
  default_action {...}
}
From Command Line
aws elbv2 modify-listener --listener-arn ARN_VALUE --ssl-policy RECOMMENDED_POLICY_NAME
References
- https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html
- https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html
Network Load Balancer
A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset