Web-Tier ELB Security Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ELB-015

Ensure that your web-tier Classic Load Balancer listeners are using the latest security policy for the SSL negotiation configuration. A security policy is a combination of SSL/TLS protocols and ciphers used by your load balancers to negotiate SSL/TLS connections between application clients and the load balancers. This conformity rule assumes that all the AWS cloud resources created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the web-tier tags must be configured in the rule settings, on your Conformity account console. The latest ELB security policies are:

  • ELBSecurityPolicy-TLS-1-2-2017-01

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When your web-tier Classic Load Balancers use the latest security policy, the SSL/TLS connection is negotiated using only the cryptographic protocols and ciphers currently considered safe, with no proven vulnerabilities. This secures the connection between the application clients and the load balancer and protects against attacks such as Logjam and FREAK, which may allow attackers to decrypt secure communications between vulnerable clients and your load balancer.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the web tier.

Audit

To determine if your web-tier Classic Load Balancers are using the latest security policy, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Enable Latest Security Policy for Web-Tier Load Balancers conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

04 In the main navigation panel, under Load Balancing, choose Load Balancers.

05 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>), then press Enter. This filtering technique will return only the load balancers tagged for the web tier. If no results are returned by the console, there are no Classic Load Balancers tagged within your web tier and the Audit process ends here. If the Amazon EC2 console returns one or more load balancers, continue the Audit with the next step.

07 Select the Classic Load Balancer that you want to examine.

08 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

09 Choose the HTTPS listener (i.e. the one with the Instance Protocol set to HTTPS) and click on the Change link available in the Cipher column to access SSL negotiation settings available for the selected listener.

10 In the Select a Cipher configuration box, identify which security policy is currently in use:

  1. If the Predefined Security Policy option is selected and the security policy in use is not the latest one available (the latest security policy released by AWS can be identified by the date appended to the policy name or by using this URL), the SSL negotiation configuration of the selected web-tier Classic Load Balancer is insecure and vulnerable to exploits.
  2. If the Custom Security Policy option is selected, it's likely that the custom policy is outdated and this makes the SSL negotiation configuration vulnerable to exploits. AWS predefined security policies are always preferred over custom security policies as the ones released by Amazon use the newest and the most secure SSL protocols and ciphers.

11 Repeat steps no. 7 – 10 for each web-tier Classic Load Balancer provisioned within the current AWS region.

12 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Enable Latest Security Policy for Web-Tier Load Balancers conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return an array with the requested load balancer name(s):

[
    "cc-frontend-load-balancer",
    "cc-project5-load-balancer"
]

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the tag sets defined for the selected load balancer:

aws elb describe-tags \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'TagDescriptions[*].Tags[]'

05 The describe-tags command request should return one of the following outputs:

  1. If the command output returns an empty array (i.e. []), as shown in the example below, the verified Classic Load Balancer is not tagged at all, therefore the Audit process for the selected resource ends here:
    []
    
  2. If the describe-tags command output returns a tag set that is different from the one defined for your web tier, as shown in the example below, the verified load balancer is not a component of the web tier, therefore the Audit process for the selected resource ends here:
    [
        {
            "Key": "Type",
            "Value": "Front-Facing"
        }
    ]
    
  3. If the tag set returned by the describe-tags command output reveals that the selected load balancer is a component of a web tier, as shown in the example below, the Audit process continues with the next step:
    [
        {
            "Key": "<web_tier_tag>",
            "Value": "<web_tier_tag_value>"
        }
    ]
    

06 Run describe-load-balancer-policies command (OSX/Linux/UNIX) using the name of the web-tier load balancer that you want to examine as the identifier parameter and custom query filters to describe the name of the security policy associated with the selected load balancer:

aws elb describe-load-balancer-policies \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'PolicyDescriptions[*].PolicyName'

07 The command output should return the name of the associated security policy:

[
    "AWSConsole-SSLNegotiationPolicy-cc-frontend-load-balancer-1654704251533"
]

08 Run describe-load-balancer-policies command (OSX/Linux/UNIX) using the name of the security policy returned at the previous step as the identifier parameter and custom query filters to describe the security policy used by the SSL negotiation configuration set for the load balancer HTTPS listener:

aws elb describe-load-balancer-policies \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --policy-name "AWSConsole-SSLNegotiationPolicy-cc-frontend-load-balancer-1654704251533" \
  --query 'PolicyDescriptions[*].PolicyAttributeDescriptions[?(AttributeName == `Reference-Security-Policy`)].AttributeValue | []'

09 The command output should return the name of the requested security policy:

[
    "ELBSecurityPolicy-2015-05"
]

If the name of the policy returned by the describe-load-balancer-policies command output is different from the name of the latest security policy available (the latest policy released by AWS can be identified by the date added to the policy name or by using this URL), the SSL negotiation configuration of the selected web-tier Classic Load Balancer is insecure and vulnerable to exploits.

10 Repeat steps no. 6 – 9 for each web-tier Classic Load Balancer provisioned in the selected AWS region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
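The Audit logic above (tag scoping, then reading the Reference-Security-Policy attribute of the HTTPS listener's SSL negotiation policy), written as an added example that is not Conformity's own code. It operates on JSON documents shaped like the describe-tags, describe-load-balancers (ListenerDescriptions) and describe-load-balancer-policies responses shown in the steps, so it can be fed the saved CLI output offline; the sample input is constructed here, and the "latest" policy name is assumed to be the one the Remediation section uses.

```python
# Added example, not Conformity's own code: applies Audit steps 05-09 to JSON
# shaped like the `aws elb describe-tags`, `describe-load-balancers`
# (ListenerDescriptions) and `describe-load-balancer-policies` responses.
LATEST_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06"}  # assumed latest, as in Remediation
REFERENCE_ATTR = "Reference-Security-Policy"

def is_web_tier(tags, tag_key, tag_value):
    """Step 05: in scope only if the exact <web_tier_tag>:<web_tier_tag_value> pair is present."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value for t in tags)

def reference_policy(policy_descriptions, policy_name):
    """Steps 08-09: Reference-Security-Policy of the named policy; None means a custom policy."""
    for desc in policy_descriptions:
        if desc.get("PolicyName") != policy_name:
            continue
        for attr in desc.get("PolicyAttributeDescriptions", []):
            if attr.get("AttributeName") == REFERENCE_ATTR:
                return attr.get("AttributeValue")
    return None

def evaluate(listener_descriptions, policy_descriptions, tags, tag_key, tag_value):
    """(port, verdict) per HTTPS listener of a web-tier ELB; [] means out of scope."""
    if not is_web_tier(tags, tag_key, tag_value):
        return []
    results = []
    for ld in listener_descriptions:
        listener = ld["Listener"]
        if listener.get("Protocol") != "HTTPS":
            continue
        names = ld.get("PolicyNames", [])
        ref = reference_policy(policy_descriptions, names[0]) if names else None
        if ref is None:
            verdict = "NON_COMPLIANT: custom or missing SSL negotiation policy"
        elif ref not in LATEST_POLICIES:
            verdict = "NON_COMPLIANT: outdated predefined policy " + ref
        else:
            verdict = "COMPLIANT: " + ref
        results.append((listener["LoadBalancerPort"], verdict))
    return results

# Constructed sample input mirroring the outputs shown in Audit steps 05, 07 and 09.
SAMPLE_TAGS = [{"Key": "<web_tier_tag>", "Value": "<web_tier_tag_value>"}]
POLICY = "AWSConsole-SSLNegotiationPolicy-cc-frontend-load-balancer-1654704251533"
SAMPLE_LISTENERS = [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443}, "PolicyNames": [POLICY]},
]
SAMPLE_POLICIES = [{"PolicyName": POLICY, "PolicyTypeName": "SSLNegotiationPolicyType",
                    "PolicyAttributeDescriptions": [{"AttributeName": REFERENCE_ATTR,
                                                     "AttributeValue": "ELBSecurityPolicy-2015-05"}]}]

if __name__ == "__main__":
    print(evaluate(SAMPLE_LISTENERS, SAMPLE_POLICIES, SAMPLE_TAGS, "<web_tier_tag>", "<web_tier_tag_value>"))
```

With the sample data the HTTPS listener on port 443 is reported as non-compliant because ELBSecurityPolicy-2015-05 is not the latest predefined policy; a policy with no Reference-Security-Policy attribute is reported as a custom policy, matching case 2 of console step 10.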

Remediation / Resolution

To update the HTTPS listener configuration of your web-tier Classic Load Balancers in order to use the latest predefined security policy, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Use the Latest Predefined Security Policy for Web-Tier Load Balancer HTTPS Listener",
    "Resources": {
        "ClassicLoadBalancer": {
            "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties" : {
                "LoadBalancerName" : "cc-frontend-load-balancer",
                "Scheme" : "internet-facing",
                "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
                "Subnets" : [ "subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234" ],
                "Instances" : [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd" ],
                "Listeners": [{
                    "InstancePort": "80",
                    "InstanceProtocol": "HTTP",
                    "LoadBalancerPort": "443",
                    "Protocol": "HTTPS",
                    "PolicyNames": [ "cc-secure-negotiation-policy" ],
                    "SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
                }],
                "HealthCheck": {
                    "Target": "HTTP:80/index.html",
                    "HealthyThreshold": "10",
                    "UnhealthyThreshold": "2",
                    "Interval": "50",
                    "Timeout": "5"
                },
                "Policies": [{
                    "PolicyName": "cc-secure-negotiation-policy",
                    "PolicyType": "SSLNegotiationPolicyType",
                    "Attributes": [{
                        "Name": "Reference-Security-Policy",
                        "Value": "ELBSecurityPolicy-TLS13-1-2-2021-06"
                    }]
                }],
                "Tags" : [{
                    "Key" : "<web_tier_tag>",
                    "Value" : "<web_tier_tag_value>"
                }]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Use the Latest Predefined Security Policy for Web-Tier Load Balancer HTTPS Listener
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
        - subnet-01234123412341234
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS
          PolicyNames:
            - cc-secure-negotiation-policy
          SSLCertificateId: arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      Policies:
        - PolicyName: cc-secure-negotiation-policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS13-1-2-2021-06
      Tags:
        - Key: <web_tier_tag>
          Value: <web_tier_tag_value>

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 4.0"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    region  = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
    name               = "cc-frontend-load-balancer"
    internal           = false
    security_groups    = ["sg-0abcdabcdabcdabcd"]
    subnets            = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234"]
    instances          = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

    health_check {
        healthy_threshold   = 10
        unhealthy_threshold = 2
        timeout             = 5
        target              = "HTTP:80/index.html"
        interval            = 50
    }

    listener {
        instance_port      = 80
        instance_protocol  = "http"
        lb_port            = 443
        lb_protocol        = "https"
        ssl_certificate_id = "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
    }

    # Terraform tags are a key = value map, so the web-tier tag name is the map key
    tags = {
        "<web_tier_tag>" = "<web_tier_tag_value>"
    }

}

resource "aws_load_balancer_policy" "cc-ssl-negotiation-policy" {
    load_balancer_name = aws_elb.classic-load-balancer.name
    policy_name        = "cc-secure-negotiation-policy"
    policy_type_name   = "SSLNegotiationPolicyType"

    policy_attribute {

        # Use the Latest Predefined Security Policy for Web-Tier Load Balancer HTTPS Listener
        name  = "Reference-Security-Policy"
        value = "ELBSecurityPolicy-TLS13-1-2-2021-06"

    }
}

resource "aws_load_balancer_listener_policy" "cc-https-listener-policy" {
    load_balancer_name = aws_elb.classic-load-balancer.name
    load_balancer_port = 443

    policy_names = [
        aws_load_balancer_policy.cc-ssl-negotiation-policy.policy_name
    ]
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the web-tier Classic Load Balancer that you want to reconfigure.

06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Choose the HTTPS listener (i.e. the one with the Instance Protocol set to HTTPS) and click on the Change link available in the Cipher column to access SSL negotiation settings available for the selected listener.

08 In the Select a Cipher configuration box, select the Predefined Security Policy option, and choose the latest security policy available in the policy dropdown list. Choose Save to apply the changes.

09 Repeat steps no. 5 – 8 for each web-tier Classic Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-load-balancer-policy command (OSX/Linux/UNIX) using the name of the web-tier Classic Load Balancer that you want to reconfigure as the identifier parameter, to create a new policy for the selected load balancer listener. In the below example, the new policy is configured with the latest predefined security policy available, named ELBSecurityPolicy-TLS13-1-2-2021-06 (the command does not produce an output):

aws elb create-load-balancer-policy \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --policy-name cc-secure-negotiation-policy \
  --policy-type-name SSLNegotiationPolicyType \
  --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-TLS13-1-2-2021-06

02 Run set-load-balancer-policies-of-listener command (OSX/Linux/UNIX) to associate the new policy created at the previous step with the HTTPS listener of the web-tier load balancer that you want to reconfigure (the command does not produce an output):

aws elb set-load-balancer-policies-of-listener \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --load-balancer-port 443 \
  --policy-names cc-secure-negotiation-policy

03 Repeat steps no. 1 and 2 for each web-tier Classic Load Balancer that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date May 8, 2018