Enforce TLS for App Mesh Virtual Gateways

Risk Level: High (not acceptable risk)

Ensure that Transport Layer Security (TLS) is enabled for all your Amazon App Mesh virtual gateways. An App Mesh virtual gateway allows resources that are outside of your mesh to communicate to resources that are inside of your mesh. The virtual gateway represents an Envoy proxy running within an Amazon ECS service, in a Kubernetes service, or on an Amazon EC2 instance.

Security

The Transport Layer Security (TLS) protocol addresses network security issues such as tampering and eavesdropping between a client and a server. In Amazon App Mesh, TLS encrypts communication between the Envoy proxies deployed on compute resources that are represented in App Mesh by mesh endpoints, such as virtual gateways and virtual nodes. The proxy negotiates and terminates TLS. When the Envoy proxy is deployed with an application, your application code is not responsible for negotiating a TLS session, instead the proxy negotiates TLS on your application's behalf.

Audit

To determine if your Amazon App Mesh virtual gateways are configured to enforce TLS by default, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon App Mesh console at https://console.aws.amazon.com/appmesh/.

03 In the navigation panel, under AWS App Mesh, choose Meshes.

04 Click on the name of the service mesh that you want to access, available in the Mesh name column.

05 In the left navigation panel, under the name of the selected service mesh, choose Virtual gateways.

06 Click on the name (link) of the App Mesh virtual gateway that you want to examine.

07 Select the Details tab and check the Enforcing TLS by default attribute value. If Enforcing TLS by default is set to False, the selected Amazon App Mesh virtual gateway is not configured to enforce Transport Layer Security (TLS) for the communication with the virtual services.

08 Repeat steps no. 6 and 7 for each App Mesh virtual gateway created for the selected service mesh.

09 Repeat steps no. 4 – 8 for each App Mesh service mesh available within the current AWS region

10 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the list-meshes command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon App Mesh service meshes deployed in the selected AWS cloud region:

aws appmesh list-meshes
  --region us-east-1
  --query 'meshes[*].meshName'

02 The command output should return an array with the requested mesh name(s):

[
  "cc-production-app-mesh",
  "cc-docker-web-app-mesh",
  "cc-development-app-mesh"
]

03 Run the list-virtual-gateways command (OSX/Linux/UNIX) using the name of the App Mesh service mesh that you want to examine as the identifier parameter and custom query filters to describe the name of each virtual gateway created for the selected service mesh:

aws appmesh list-virtual-gateways
  --region us-east-1
  --mesh-name cc-production-app-mesh
  --query 'virtualGateways[*].virtualGatewayName'

04 The command output should return an array with the requested virtual gateway name(s):

[
  "cc-prod-mesh-virtual-gateway",
  "cc-test-mesh-virtual-gateway"
]

05 Run the describe-virtual-gateway command (OSX/Linux/UNIX) to describe the implementation status of the Transport Layer Security (TLS) client policy for the selected service mesh virtual gateway:

aws appmesh describe-virtual-gateway
  --region us-east-1
  --mesh-name cc-production-app-mesh
  --virtual-gateway-name cc-prod-mesh-virtual-gateway
  --query 'virtualGateway.spec.backendDefaults.clientPolicy.tls.enforce'

06 The command output should return the requested implementation status:

false

If the describe-virtual-gateway command output returns null or false, as shown in the example above, the selected Amazon App Mesh virtual gateway is not configured to enforce Transport Layer Security (TLS) for the communication with the virtual services.

07 Repeat steps no. 5 and 6 for each App Mesh virtual gateway created for the selected service mesh.

08 Repeat steps no. 3 – 7 for each App Mesh service mesh available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To configure your Amazon App Mesh virtual gateways to communicate with virtual services using Transport Layer Security (TLS) only, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon App Mesh console at https://console.aws.amazon.com/appmesh/.

03 In the navigation panel, under AWS App Mesh, choose Meshes.

04 Click on the name of the service mesh that you want to access, available in the Mesh name column.

05 In the left navigation panel, under the name of the selected service mesh, choose Virtual gateways.

06 Click on the name (link) of the App Mesh virtual gateway that you want to reconfigure.

07 Click on the Edit button from the console top menu to update the selected virtual gateway configuration.

08 In the Virtual gateway configuration section, expand the Client policy defaults panel, and perform the following operations:

Choose Enforced from the Enforce TLS dropdown list to enable the use of the Transport Layer Security (TLS) for the communication with the virtual services.
For Ports, specify which upstream ports to enforce TLS on. Use Add port to add as many ports as needed.
Under TLS Validation, for Validation method, select one of the following options (the certificate that you specify must already exist and meet specific requirements):
- Choose AWS Certificate Manager Private Certificate Authority (ACM-PCA) hosting and select the ARN of the existing Certificate Authority from the Certificate dropdown list.
- Choose Local file hosting and specify the path to the certificate chain file on the file system where the Envoy proxy is deployed.
Choose Save to apply the changes.

09 Repeat steps no. 6 – 8 for each App Mesh virtual gateway that you want to reconfigure, available for the selected service mesh.

10 Repeat steps no. 4 – 9 for each App Mesh service mesh available within the current AWS region

11 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-virtual-gateway command (OSX/Linux/UNIX) using the name of the Amazon App Mesh virtual gateway that you want to examine as the identifier parameter and custom query filters to describe the configuration specifications available for the selected virtual gateway:

aws appmesh describe-virtual-gateway
  --region us-east-1
  --mesh-name cc-production-app-mesh
  --virtual-gateway-name cc-prod-mesh-virtual-gateway
  --query 'virtualGateway.spec'

02 The command output should return the requested virtual gateway specifications:

{
  "backendDefaults": {
    "clientPolicy": {}
  },
  "listeners": [
    {
      "portMapping": {
        "port": 80,
        "protocol": "http"
      }
    }
  ],
  "logging": {}
}

03 Modify the virtual gateway specifications returned at the previous step to include the Transport Layer Security (TLS) client policy that you want to apply to the specified virtual gateway (highlighted). This overwrites the existing data. The following client policy enforces TLS on all supported upstream ports and uses an AWS Certificate Manager Private Certificate Authority (ACM-PCA) identified by the ARN "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcdabcd-1234-abcd-1234-abcd1234abcd" as validation method. Save the following document to a JSON file named virtual-gateway-tls-specs.json:

{
  "backendDefaults": {
    "clientPolicy": {
      "tls": {
        "enforce": true,
        "ports": [],
        "validation": {
          "trust": {
            "acm": {
              "certificateAuthorityArns": [
                "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcdabcd-1234-abcd-1234-abcd1234abcd"
              ]
            }
          }
        }
      }
    }
  },
  "listeners": [
    {
      "portMapping": {
        "port": 80,
        "protocol": "http"
      }
    }
  ],
  "logging": {}
}

04 Run update-virtual-gateway command (OSX/Linux/UNIX) to enforce TLS for the specified Amazon App Mesh virtual gateway, using the configuration specifications defined at the previous step (i.e. virtual-gateway-tls-specs.json):

aws appmesh update-virtual-gateway
  --region us-east-1
  --mesh-name cc-production-app-mesh
  --virtual-gateway-name cc-prod-mesh-virtual-gateway
  --spec file://virtual-gateway-tls-specs.json

05 The command output should return the metadata available for the reconfigured virtual gateway:

{
  "virtualGateway": {
    "meshName": "cc-production-app-mesh",
    "metadata": {
      "arn": "arn:aws:appmesh:us-east-1:123456789012:mesh/cc-production-app-mesh/virtualGateway/cc-prod-mesh-virtual-gateway",
      "createdAt": "2021-01-28T12:00:00.516000+00:00",
      "lastUpdatedAt": "2021-01-28T17:00:00.079000+00:00",
      "meshOwner": "123456789012",
      "resourceOwner": "123456789012",
      "uid": "1234abcd-1234-abcd-1234-abcd1234abcd",
      "version": 2
    },
    "spec": {
      "backendDefaults": {
        "clientPolicy": {
          "tls": {
            "enforce": true,
            "ports": [],
            "validation": {
              "trust": {
                "acm": {
                  "certificateAuthorityArns": [
                    "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcdabcd-1234-abcd-1234-abcd1234abcd"
                  ]
                }
              }
            }
          }
        }
      },
      "listeners": [
        {
          "portMapping": {
            "port": 80,
            "protocol": "http"
          }
        }
      ],
      "logging": {}
    },
    "status": {
      "status": "ACTIVE"
    },
    "virtualGatewayName": "cc-prod-mesh-virtual-gateway"
  }
}

06 Repeat steps no. 1 – 5 for each App Mesh virtual gateway that you want to reconfigure, created for the specified service mesh.

07 Repeat steps no. 1 – 6 for each App Mesh service mesh available in the selected AWS region

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
appmesh
list-meshes
list-virtual-gateways
describe-virtual-gateway
update-virtual-gateway

Publication date Feb 6, 2021

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related AppMesh rules