ELB Security Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ELB-004

Ensure that your Amazon Classic Load Balancers are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against TLS/SSL vulnerabilities.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using insecure and deprecated policies for the SSL negotiation configuration of your Amazon Classic Load Balancers exposes the connection between the clients and the load balancer to various TLS/SSL vulnerabilities. To keep your load balancer SSL configuration secure, Trend Cloud One™ – Conformity recommends using one of the latest predefined security policies released by AWS, i.e.:

  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-TLS-1-2-2017-01

Audit

To determine if your Classic Load Balancers are using deprecated security policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to examine.

06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Choose the HTTPS listener (i.e. the one with the Instance Protocol set to HTTPS) and click on the Change link available in the Cipher column to access SSL negotiation settings available for the selected listener.

08 In the Select a Cipher configuration box, identify which security policy is currently in use:

  1. If the Predefined Security Policy option is selected and the name of the policy is different than ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-1-2017-01, or ELBSecurityPolicy-TLS-1-2-2017-01, the security policy used by the load balancer employs outdated protocols and ciphers, therefore the negotiation configuration of the selected Amazon Classic Load Balancer is insecure and vulnerable to exploits.
  2. If the Custom Security Policy option is selected, it's likely that the custom policy is outdated and this makes the SSL negotiation configuration vulnerable to exploits. AWS predefined security policies are always preferred over custom security policies.

09 Repeat steps no. 5 – 8 for each Classic Load Balancer provisioned within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return an array with the requested load balancer name(s):

[
    "cc-frontend-load-balancer",
    "cc-project5-load-balancer"
]

03 Run describe-load-balancer-policies command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the name of the security policy associated with the selected load balancer:

aws elb describe-load-balancer-policies \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'PolicyDescriptions[*].PolicyName'

04 The command output should return the name of the associated security policy:

[
    "AWSConsole-SSLNegotiationPolicy-cc-frontend-load-balancer-1654704251533"
]

05 Run describe-load-balancer-policies command (OSX/Linux/UNIX) using the name of the security policy returned at the previous step as the identifier parameter and custom query filters to describe the security policy used by the SSL negotiation configuration set for the load balancer HTTPS listener:

aws elb describe-load-balancer-policies \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --policy-name "AWSConsole-SSLNegotiationPolicy-cc-frontend-load-balancer-1654704251533" \
  --query 'PolicyDescriptions[*].PolicyAttributeDescriptions[?(AttributeName == `Reference-Security-Policy`)].AttributeValue | []'

06 The command output should return the name of the requested security policy:

[
    "ELBSecurityPolicy-2015-05"
]

If the name of the policy returned by the describe-load-balancer-policies command output is different than ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-1-2017-01, or ELBSecurityPolicy-TLS-1-2-2017-01, the security policy used by the load balancer employs outdated protocols and ciphers, therefore the negotiation configuration of the selected Amazon Classic Load Balancer is insecure and vulnerable to exploits.

07 Repeat steps no. 3 – 6 for each Classic Load Balancer provisioned in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
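The Audit steps above can be automated once the CLI output is captured. The following script is an added example, not Conformity's or AWS's own code: it applies the verdict logic of Console step 08 and CLI step 06 (approved predefined policy, other predefined policy, or custom policy) to constructed JSON shaped like the describe-load-balancers and describe-load-balancer-policies responses, so it runs offline. It goes one step beyond the page's CLI step 03 by resolving the policy actually attached to each HTTPS listener through ListenerDescriptions[].PolicyNames, which matters when a load balancer also carries stickiness or other policy types. The load balancer cc-api-load-balancer and the policies cc-sticky-session and cc-custom-ciphers are invented for the sample data, and a custom policy is assumed to carry no Reference-Security-Policy attribute.

```python
import json

# Predefined policies accepted by rule ELB-004 (named in the Audit section).
APPROVED_POLICIES = frozenset({
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
})

# Constructed sample shaped like `aws elb describe-load-balancers` output.
# cc-api-load-balancer is invented for this example.
DESCRIBE_LOAD_BALANCERS = json.loads("""
{"LoadBalancerDescriptions": [
  {"LoadBalancerName": "cc-frontend-load-balancer",
   "ListenerDescriptions": [
     {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
      "PolicyNames": ["AWSConsole-SSLNegotiationPolicy-cc-frontend-load-balancer-1654704251533"]},
     {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP", "InstancePort": 80},
      "PolicyNames": []}]},
  {"LoadBalancerName": "cc-project5-load-balancer",
   "ListenerDescriptions": [
     {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
      "PolicyNames": ["cc-sticky-session", "cc-custom-ciphers"]}]},
  {"LoadBalancerName": "cc-api-load-balancer",
   "ListenerDescriptions": [
     {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
      "PolicyNames": ["cc-secure-negotiation-policy"]}]}
]}
""")

# Constructed samples shaped like `aws elb describe-load-balancer-policies`
# output, keyed by load balancer name. The custom policy (cc-custom-ciphers)
# is modelled, as an assumption, without a Reference-Security-Policy attribute.
DESCRIBE_POLICIES = {
    "cc-frontend-load-balancer": {"PolicyDescriptions": [
        {"PolicyName": "AWSConsole-SSLNegotiationPolicy-cc-frontend-load-balancer-1654704251533",
         "PolicyTypeName": "SSLNegotiationPolicyType",
         "PolicyAttributeDescriptions": [
             {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2015-05"},
             {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]}]},
    "cc-project5-load-balancer": {"PolicyDescriptions": [
        {"PolicyName": "cc-sticky-session",
         "PolicyTypeName": "LBCookieStickinessPolicyType",
         "PolicyAttributeDescriptions": [
             {"AttributeName": "CookieExpirationPeriod", "AttributeValue": "3600"}]},
        {"PolicyName": "cc-custom-ciphers",
         "PolicyTypeName": "SSLNegotiationPolicyType",
         "PolicyAttributeDescriptions": [
             {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
             {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"}]}]},
    "cc-api-load-balancer": {"PolicyDescriptions": [
        {"PolicyName": "cc-secure-negotiation-policy",
         "PolicyTypeName": "SSLNegotiationPolicyType",
         "PolicyAttributeDescriptions": [
             {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"}]}]},
}


def ssl_negotiation_policy(policy_descriptions, attached_names):
    """Return (policy_name, reference) for the SSL negotiation policy among the
    names attached to a listener; reference is None for a custom policy and
    both are None when no SSL negotiation policy is attached."""
    for desc in policy_descriptions["PolicyDescriptions"]:
        if desc["PolicyName"] not in attached_names:
            continue
        if desc["PolicyTypeName"] != "SSLNegotiationPolicyType":
            continue  # e.g. a stickiness policy attached to the same listener
        reference = None
        for attr in desc["PolicyAttributeDescriptions"]:
            if attr["AttributeName"] == "Reference-Security-Policy":
                reference = attr["AttributeValue"]
        return desc["PolicyName"], reference
    return None, None


def classify(reference):
    """Map a Reference-Security-Policy value to the Audit section's verdict."""
    if reference is None:
        return "CUSTOM"      # step 08.2: custom policy, likely outdated
    if reference in APPROVED_POLICIES:
        return "COMPLIANT"
    return "OUTDATED"        # step 08.1: predefined, but not on the approved list


def audit(load_balancers, policies_by_lb):
    """Return one finding per TLS listener: (lb name, port, policy name, verdict)."""
    findings = []
    for lb in load_balancers["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        for ld in lb["ListenerDescriptions"]:
            listener = ld["Listener"]
            if listener["Protocol"] not in ("HTTPS", "SSL"):
                continue  # only front-end TLS listeners negotiate ciphers
            policy, reference = ssl_negotiation_policy(policies_by_lb[name], set(ld["PolicyNames"]))
            verdict = "NO_POLICY" if policy is None else classify(reference)
            findings.append((name, listener["LoadBalancerPort"], policy, verdict))
    return findings


if __name__ == "__main__":
    for name, port, policy, verdict in audit(DESCRIBE_LOAD_BALANCERS, DESCRIBE_POLICIES):
        print(f"{verdict:10} {name}:{port} policy={policy}")
```

To run it against a real account, replace the two constructed structures with the parsed output of the describe-load-balancers and describe-load-balancer-policies commands from the steps above (one policies call per load balancer) and repeat per region; any listener reported as OUTDATED, CUSTOM or NO_POLICY is a candidate for the Remediation section.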

Remediation / Resolution

To update the HTTPS listener configuration of your Amazon Classic Load Balancers in order to use the latest predefined security policy, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Use the Latest Predefined Security Policy for Load Balancer HTTPS Listener",
	"Resources": {
		"ClassicLoadBalancer": {
			"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
			"Properties" : {
				"LoadBalancerName" : "cc-frontend-load-balancer",
				"Scheme" : "internet-facing",
				"SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
				"Subnets" : [ "subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234" ],
				"Instances" : [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd" ],
				"Listeners": [{
					"InstancePort": "80",
					"InstanceProtocol": "HTTP",
					"LoadBalancerPort": "443",
					"Protocol": "HTTPS",
					"PolicyNames": [ "cc-secure-negotiation-policy" ],
					"SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
				}],
				"HealthCheck": {
					"Target": "HTTP:80/index.html",
					"HealthyThreshold": "10",
					"UnhealthyThreshold": "2",
					"Interval": "50",
					"Timeout": "5"
				},
				"Policies": [{
					"PolicyName": "cc-secure-negotiation-policy",
					"PolicyType": "SSLNegotiationPolicyType",
					"Attributes": [{
						"Name": "Reference-Security-Policy",
						"Value": "ELBSecurityPolicy-TLS13-1-2-2021-06"
					}]
				}]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Use the Latest Predefined Security Policy for Load Balancer HTTPS Listener
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
        - subnet-01234123412341234
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS
          PolicyNames:
            - cc-secure-negotiation-policy
          SSLCertificateId: arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      Policies:
        - PolicyName: cc-secure-negotiation-policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS13-1-2-2021-06

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
	name               = "cc-frontend-load-balancer"
	internal           = false
	security_groups    = ["sg-0abcdabcdabcdabcd"]
	subnets            = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234"]
	instances          = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

	health_check {
		healthy_threshold   = 10
		unhealthy_threshold = 2
		timeout             = 5
		target              = "HTTP:80/index.html"
		interval            = 50
	}

	listener {
		instance_port      = 80
		instance_protocol  = "http"
		lb_port            = 443
		lb_protocol        = "https"
		ssl_certificate_id = "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
	}

}

resource "aws_load_balancer_policy" "cc-ssl-negotiation-policy" {
	load_balancer_name = aws_elb.classic-load-balancer.name
	policy_name        = "cc-secure-negotiation-policy"
	policy_type_name   = "SSLNegotiationPolicyType"

	policy_attribute {

		# Use the Latest Predefined Security Policy for Load Balancer HTTPS Listener
		name  = "Reference-Security-Policy"
		value = "ELBSecurityPolicy-TLS13-1-2-2021-06"

	}
}

resource "aws_load_balancer_listener_policy" "cc-https-listener-policy" {
	load_balancer_name = aws_elb.classic-load-balancer.name
	load_balancer_port = 443

	policy_names = [
		aws_load_balancer_policy.cc-ssl-negotiation-policy.policy_name
	]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to reconfigure.

06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Choose the HTTPS listener (i.e. the one with the Instance Protocol set to HTTPS) and click on the Change link available in the Cipher column to access SSL negotiation settings available for the selected listener.

08 In the Select a Cipher configuration box, select the Predefined Security Policy option, choose one of the following predefined policies from the policy dropdown list: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-1-2017-01, or ELBSecurityPolicy-TLS-1-2-2017-01, depending on your use case. Choose Save to apply the changes.

09 Repeat steps no. 5 – 8 for each Classic Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-load-balancer-policy command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to reconfigure as the identifier parameter, to create a new policy for the selected load balancer listener. The new policy references ELBSecurityPolicy-TLS-1-2-2017-01, one of the latest predefined security policies (the command does not produce an output):

aws elb create-load-balancer-policy \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --policy-name cc-secure-negotiation-policy \
  --policy-type-name SSLNegotiationPolicyType \
  --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-TLS-1-2-2017-01

02 Run set-load-balancer-policies-of-listener command (OSX/Linux/UNIX) to associate the new policy created at the previous step with the HTTPS listener of the load balancer that you want to reconfigure (the command does not produce an output):

aws elb set-load-balancer-policies-of-listener \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --load-balancer-port 443 \
  --policy-names cc-secure-negotiation-policy

03 Repeat steps no. 1 and 2 for each Classic Load Balancer that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Apr 29, 2016