
Network Load Balancer Security Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ELBv2-009

Ensure that your Amazon Network Load Balancers (NLBs) are using the latest recommended predefined security policy for TLS negotiation configuration in order to protect their front-end connections against TLS vulnerabilities and meet regulatory requirements.

The latest ELB security policies are:

  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-3-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using a deprecated security policy for the TLS negotiation configuration set for your Network Load Balancer (NLB) will expose the connection between the client and the load balancer to various vulnerabilities. To keep your NLB TLS configuration secure, Trend Cloud One™ – Conformity recommends using the latest predefined security policy released by Amazon Web Services (AWS), i.e. ELBSecurityPolicy-TLS13-1-2-2021-06. This security policy includes TLS 1.3, which is optimized for security and performance, and is backward compatible with TLS 1.2.

Note: Amazon Network Load Balancers do not support custom security policies.


Audit

To determine if your Network Load Balancers (NLBs) are using deprecated security policies, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list the Network Load Balancers deployed in the current AWS region.

05 Select the Network Load Balancer (NLB) that you want to examine.

06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Select the TLS listener (i.e. the one with the ID TLS : 443) and check the name of the security policy listed in the Security policy column. If the name of the policy is different from ELBSecurityPolicy-TLS13-1-2-2021-06, the security policy used by the load balancer employs outdated protocols and ciphers, and the TLS negotiation configuration of the selected Amazon Network Load Balancer (NLB) is therefore vulnerable to exploits.

08 Repeat steps no. 5 – 7 for each Network Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of each Network Load Balancer deployed in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `network`)].LoadBalancerArn | []'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/aabbccddaabbccdd"
]

03 Run the describe-listeners command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the security policy used by the TLS negotiation configuration set for the selected load balancer:

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd \
  --query 'Listeners[*].SslPolicy'

04 The command output should return the name of the security policy in use:

[
    "ELBSecurityPolicy-TLS-1-0-2015-04"
]

If the name of the policy returned by the describe-listeners command output is different from ELBSecurityPolicy-TLS13-1-2-2021-06, the security policy used by the load balancer employs outdated protocols and ciphers, and the TLS negotiation configuration of the selected Network Load Balancer (NLB) is therefore vulnerable to exploits.

05 Repeat steps no. 3 and 4 for each Network Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
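The Audit steps above can be scripted. The following is an added example (not Conformity's own code) that applies the same check to the JSON shapes returned by describe-load-balancers and describe-listeners; it runs offline on a constructed sample, and the `audit_region` helper assumes boto3 is installed and AWS credentials are configured.

```python
"""Offline check for rule ELBv2-009 (added example, not Conformity's own code):
flag TLS listeners on Network Load Balancers whose SslPolicy is not the
recommended predefined policy, using the JSON shapes the CLI steps above return."""
RECOMMENDED_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"
# The other two policies the page lists as current; pass LATEST_POLICIES as
# `allowed` only when the TLS 1.3-only or restricted variant is deliberate.
LATEST_POLICIES = frozenset({RECOMMENDED_POLICY, "ELBSecurityPolicy-TLS13-1-3-2021-06",
                             "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"})

def noncompliant_listeners(load_balancers, listeners_by_lb,
                           allowed=frozenset({RECOMMENDED_POLICY})):
    """Return (lb_arn, listener_arn, policy) for each TLS listener on an NLB whose
    policy is outside `allowed`. Non-network load balancers and plain TCP/UDP
    listeners (which carry no SslPolicy) are skipped."""
    findings = []
    for lb in load_balancers:
        if lb.get("Type") != "network":
            continue
        for lst in listeners_by_lb.get(lb["LoadBalancerArn"], []):
            if lst.get("Protocol") == "TLS" and lst.get("SslPolicy") not in allowed:
                findings.append((lb["LoadBalancerArn"], lst["ListenerArn"], lst.get("SslPolicy")))
    return findings

def audit_region(region):
    """Live variant of the CLI steps above; assumes boto3 is installed and credentials
    are configured (imported lazily so the offline check runs without it)."""
    import boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    lbs = [lb for page in elbv2.get_paginator("describe_load_balancers").paginate()
           for lb in page["LoadBalancers"]]
    listeners = {lb["LoadBalancerArn"]:
                 elbv2.describe_listeners(LoadBalancerArn=lb["LoadBalancerArn"])["Listeners"]
                 for lb in lbs if lb["Type"] == "network"}
    return noncompliant_listeners(lbs, listeners)

# Constructed sample in the shapes shown above (load balancer ARNs are from this
# page; the project5 listener IDs are made-up placeholders).
NLB1 = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd"
NLB2 = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-project5-load-balancer/aabbccddaabbccdd"
SAMPLE_LBS = [{"LoadBalancerArn": NLB1, "Type": "network"},
              {"LoadBalancerArn": NLB2, "Type": "network"}]
SAMPLE_LISTENERS = {
    NLB1: [{"ListenerArn": NLB1.replace("loadbalancer", "listener") + "/01234567abcdabcd",
            "Protocol": "TLS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS-1-0-2015-04"}],
    NLB2: [{"ListenerArn": NLB2.replace("loadbalancer", "listener") + "/PLACEHOLDER01",
            "Protocol": "TCP", "Port": 80},
           {"ListenerArn": NLB2.replace("loadbalancer", "listener") + "/PLACEHOLDER02",
            "Protocol": "TLS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-3-2021-06"}],
}
```

With the default `allowed` set the sample yields two findings (the 2015 policy and the TLS 1.3-only policy); with `allowed=LATEST_POLICIES` only the 2015 listener is reported.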

Remediation / Resolution

To update the listener configuration of your Amazon Network Load Balancers (NLBs) in order to use the latest predefined security policy, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Apply the Latest Predefined Security Policy",
    "Resources": {
        "NetworkLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties" : {
                "Name" : "cc-network-load-balancer",
                "Type" : "network",
                "Scheme" : "internet-facing",
                "IpAddressType" : "ipv4",
                "Subnets" : [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
            }
        },
        "TLSSListener": {
            "Type" : "AWS::ElasticLoadBalancingV2::Listener",
            "Properties" : {
                "Protocol" : "TLS",
                "Port" : 443,
                "LoadBalancerArn": {
                        "Ref" : "NetworkLoadBalancer"
                },
                "DefaultActions": [
                    {
                        "Type" : "forward",
                        "TargetGroupArn" : "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444"
                    }
                ],
                "Certificates" : [ 
                    {
                        "CertificateArn" : "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
                    } 
                ],
                "SslPolicy" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Apply the Latest Predefined Security Policy
Resources:
    NetworkLoadBalancer:
        Type: AWS::ElasticLoadBalancingV2::LoadBalancer
        Properties:
            Name: cc-network-load-balancer
            Type: network
            Scheme: internet-facing
            IpAddressType: ipv4
            Subnets:
                - subnet-01234abcd1234abcd
                - subnet-0abcd1234abcd1234
    TLSSListener:
        Type: AWS::ElasticLoadBalancingV2::Listener
        Properties:
            Protocol: TLS
            Port: 443
            LoadBalancerArn: !Ref 'NetworkLoadBalancer'
            DefaultActions:
                - Type: forward
                  TargetGroupArn: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444
            Certificates:
                - CertificateArn: arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate
            SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 4.0"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    region  = "us-east-1"
}

resource "aws_lb" "network-load-balancer" {
    name               = "cc-network-load-balancer"
    load_balancer_type = "network"
    internal           = false
    ip_address_type    = "ipv4"
    subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
}

resource "aws_lb_listener" "tls-listener" {
    load_balancer_arn = aws_lb.network-load-balancer.arn
    protocol          = "TLS"
    port              = 443
    certificate_arn   = "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"

    default_action {
        type             = "forward"
        target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/1111222233334444"
    }

    # Apply the Latest Predefined Security Policy
    ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list all the Network Load Balancers deployed in the current AWS region.

05 Select the Network Load Balancer (NLB) that you want to reconfigure.

06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Select the TLS listener (i.e. the one with the ID TLS : 443) and choose Edit.

08 On the Edit listener configuration page, in the Secure listener settings section, choose the following policy from the Security policy dropdown list: ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended). Choose Save changes to apply the changes. Select View listeners to return to the Amazon EC2 console.

09 Repeat steps no. 5 – 8 for each Network Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the describe-listeners command (OSX/Linux/UNIX) with custom query filters to describe the ARN of the TLS listener set for the Network Load Balancer that you want to reconfigure:

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd \
  --query 'Listeners[?(Protocol == `TLS`)].ListenerArn | []'

02 The command output should return the ARN of the TLS listener:

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-network-load-balancer/abcdabcdabcdabcd/01234567abcdabcd"
]

03 Run the modify-listener command (OSX/Linux/UNIX) using the ARN of the TLS listener returned at the previous step as the identifier parameter, to replace the predefined security policy for the selected NLB listener with the latest predefined one (i.e. ELBSecurityPolicy-TLS13-1-2-2021-06):

aws elbv2 modify-listener \
  --region us-east-1 \
  --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-network-load-balancer/abcdabcdabcdabcd/01234567abcdabcd \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06

04 The command output should return the configuration information available for the modified TLS listener:

{
    "Listeners": [
        {
            "Protocol": "TLS",
            "DefaultActions": [
                {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/abcd1234abcd1234",
                    "Type": "forward",
                    "Order": 1
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/abcdabcdabcdabcd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-network-load-balancer/abcdabcdabcdabcd/01234567abcdabcd"
        }
    ]
}

05 Repeat steps no. 1 – 4 for each Network Load Balancer that you want to reconfigure, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Mar 1, 2019