Remove Weak Ciphers for ELB

Remove insecure ciphers from your ELB Predefined or Custom Security Policy, to reduce the risk that the TLS/SSL connection between the client and the load balancer is downgraded or its traffic decrypted.

Risk Level: High
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.AWS.CRY.06
Category: Networking & Content Delivery

GSL LOGIC

ELB should not have elbListeners with [ policies contain [ attributes contain-any [$ in ('DHE-DSS-AES128-SHA','CAMELLIA128-SHA','EDH-RSA-DES-CBC3-SHA','DES-CBC3-SHA','ECDHE-RSA-RC4-SHA','RC4-SHA','ECDHE-ECDSA-RC4-SHA','DHE-DSS-AES256-GCM-SHA384','DHE-RSA-AES256-GCM-SHA384','DHE-RSA-AES256-SHA256','DHE-DSS-AES256-SHA256','DHE-RSA-AES256-SHA','DHE-DSS-AES256-SHA','DHE-RSA-CAMELLIA256-SHA','DHE-DSS-CAMELLIA256-SHA','CAMELLIA256-SHA','EDH-DSS-DES-CBC3-SHA','DHE-DSS-AES128-GCM-SHA256','DHE-RSA-AES128-GCM-SHA256','DHE-RSA-AES128-SHA256','DHE-DSS-AES128-SHA256','DHE-RSA-CAMELLIA128-SHA','DHE-DSS-CAMELLIA128-SHA','ADH-AES128-GCM-SHA256','ADH-AES128-SHA','ADH-AES128-SHA256','ADH-AES256-GCM-SHA384','ADH-AES256-SHA','ADH-AES256-SHA256','ADH-CAMELLIA128-SHA','ADH-CAMELLIA256-SHA','ADH-DES-CBC3-SHA','ADH-DES-CBC-SHA','ADH-RC4-MD5','ADH-SEED-SHA','DES-CBC-SHA','DHE-DSS-SEED-SHA','DHE-RSA-SEED-SHA','EDH-DSS-DES-CBC-SHA','EDH-RSA-DES-CBC-SHA','IDEA-CBC-SHA','RC4-MD5','SEED-SHA','DES-CBC3-MD5','DES-CBC-MD5','RC2-CBC-MD5','PSK-AES256-CBC-SHA','PSK-3DES-EDE-CBC-SHA','KRB5-DES-CBC3-SHA','KRB5-DES-CBC3-MD5','PSK-AES128-CBC-SHA','PSK-RC4-SHA','KRB5-RC4-SHA','KRB5-RC4-MD5','KRB5-DES-CBC-SHA','KRB5-DES-CBC-MD5','EXP-EDH-RSA-DES-CBC-SHA','EXP-EDH-DSS-DES-CBC-SHA','EXP-ADH-DES-CBC-SHA','EXP-DES-CBC-SHA','EXP-RC2-CBC-MD5','EXP-KRB5-RC2-CBC-SHA','EXP-KRB5-DES-CBC-SHA','EXP-KRB5-RC2-CBC-MD5','EXP-KRB5-DES-CBC-MD5','EXP-ADH-RC4-MD5','EXP-RC4-MD5','EXP-KRB5-RC4-SHA','EXP-KRB5-RC4-MD5') ] ] ]

REMEDIATION

From Portal
Step 1: For each load balancer that failed the rule, open it in the Load Balancers section and select the Listeners tab. Replace plain HTTP listeners with HTTPS listeners.
Step 2: Check the security policy of every HTTPS listener. If it uses an older predefined policy (e.g., a 2015 or earlier policy) or a custom policy that enables any of the ciphers listed above, replace it with the latest predefined policy (ELBSecurityPolicy-2016-08) or, if all your clients support TLS 1.2, a TLS 1.2-only policy (ELBSecurityPolicy-TLS-1-2-2017-01). The newer predefined policies drop the weak ciphers in favour of recommended, stronger ones. Alternatively, select the ciphers individually in a custom policy. Before tightening the protocol set, check the ssl_protocol and ssl_cipher fields of the ELB access logs to confirm no legitimate clients still depend on what you are removing.

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. In the navigation panel, under Load Balancing, click Load Balancers.
  4. Select your Elastic Load Balancer.
  5. Select the Listeners tab from the bottom panel. In the Cipher column of the HTTPS listener, click Change.
  6. In the Select a Cipher dialog box, select one of the following configurations:
    a. Predefined Security Policy: select the latest predefined policy, ELBSecurityPolicy-2016-08, and click Save.
    b. Custom Security Policy: uncheck every insecure or deprecated cipher in the SSL Ciphers section, then click Save.

Follow this link for the full list of ciphers that must be removed and the ciphers each predefined policy enables: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html

From TF

resource "aws_load_balancer_policy" "test" {
  load_balancer_name = aws_elb.wu-tang.name
  policy_name        = "wu-tang-ssl"
  policy_type_name   = "SSLNegotiationPolicyType"

  # A custom policy enables only the protocol and cipher attributes set to "true".
  # Add cipher attributes from outside the rule's deny-list, or replace this block
  # with a single Reference-Security-Policy attribute (e.g. ELBSecurityPolicy-2016-08).
  policy_attribute {
    name  = "Protocol-TLSv1.2"
    value = "true"
  }
}

# The policy has no effect until it is attached to the HTTPS listener.
resource "aws_load_balancer_listener_policy" "test" {
  load_balancer_name = aws_elb.wu-tang.name
  load_balancer_port = 443
  policy_names       = [aws_load_balancer_policy.test.policy_name]
}

From Command Line

  1. Run describe-load-balancer-policies without a load balancer name to list the predefined security policies provided by AWS:
aws elb describe-load-balancer-policies --query 'PolicyDescriptions[].PolicyName' --output table
  2. Run create-load-balancer-policy to create a policy that references one of the predefined policies listed in step 1. We recommend using the latest predefined policy, ELBSecurityPolicy-2016-08:
aws elb create-load-balancer-policy --load-balancer-name LOAD_BALANCER_NAME --policy-name POLICY_NAME --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2016-08
  3. Alternatively, run create-load-balancer-policy to create a custom SSL negotiation policy that enables only secure protocols and ciphers (the policy type name is SSLNegotiationPolicyType in both cases):
aws elb create-load-balancer-policy --load-balancer-name LOAD_BALANCER_NAME --policy-name POLICY_NAME --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Protocol-TLSv1.2,AttributeValue=true AttributeName=Protocol-TLSv1.1,AttributeValue=true AttributeName=ECDHE-RSA-AES128-SHA,AttributeValue=true AttributeName=Server-Defined-Cipher-Order,AttributeValue=true
In either case the new policy takes effect only after it is attached to the HTTPS listener with set-load-balancer-policies-of-listener, which replaces the listener's current set of policies.
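The following Python is an added example, not code from the CloudGuard page, from Check Point or from AWS. It applies the predicate from the GSL LOGIC section to the JSON shapes returned by aws elb describe-load-balancers (one element of LoadBalancerDescriptions) and aws elb describe-load-balancer-policies --load-balancer-name NAME (PolicyDescriptions), and emits the create/attach commands from the command-line steps above for every listener that fails. The function names, the sample load balancer and the sample policy are my own constructions.

```python
"""Check Classic ELB listener policies for the ciphers the rule above denies,
and print the CLI remediation for each failing listener.
Added example; operates on saved AWS CLI JSON, so it runs offline."""

# Deny-list copied from the GSL LOGIC section above.
WEAK_CIPHERS = frozenset("""
DHE-DSS-AES128-SHA CAMELLIA128-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
ECDHE-RSA-RC4-SHA RC4-SHA ECDHE-ECDSA-RC4-SHA DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA CAMELLIA256-SHA EDH-DSS-DES-CBC3-SHA
DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA
ADH-AES128-GCM-SHA256 ADH-AES128-SHA ADH-AES128-SHA256 ADH-AES256-GCM-SHA384
ADH-AES256-SHA ADH-AES256-SHA256 ADH-CAMELLIA128-SHA ADH-CAMELLIA256-SHA
ADH-DES-CBC3-SHA ADH-DES-CBC-SHA ADH-RC4-MD5 ADH-SEED-SHA DES-CBC-SHA
DHE-DSS-SEED-SHA DHE-RSA-SEED-SHA EDH-DSS-DES-CBC-SHA EDH-RSA-DES-CBC-SHA
IDEA-CBC-SHA RC4-MD5 SEED-SHA DES-CBC3-MD5 DES-CBC-MD5 RC2-CBC-MD5
PSK-AES256-CBC-SHA PSK-3DES-EDE-CBC-SHA KRB5-DES-CBC3-SHA KRB5-DES-CBC3-MD5
PSK-AES128-CBC-SHA PSK-RC4-SHA KRB5-RC4-SHA KRB5-RC4-MD5 KRB5-DES-CBC-SHA
KRB5-DES-CBC-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA
EXP-ADH-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-KRB5-RC2-CBC-SHA
EXP-KRB5-DES-CBC-SHA EXP-KRB5-RC2-CBC-MD5 EXP-KRB5-DES-CBC-MD5 EXP-ADH-RC4-MD5
EXP-RC4-MD5 EXP-KRB5-RC4-SHA EXP-KRB5-RC4-MD5
""".split())

REFERENCE_POLICY = "ELBSecurityPolicy-2016-08"  # the page's recommended predefined policy


def enabled_weak_ciphers(policy):
    """Weak ciphers an SSLNegotiationPolicyType policy actually enables.
    describe-load-balancer-policies lists every cipher with AttributeValue
    "true" or "false", so a name alone is not a finding; the value must be true."""
    if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
        return []
    return sorted(
        a["AttributeName"]
        for a in policy.get("PolicyAttributeDescriptions", [])
        if a["AttributeName"] in WEAK_CIPHERS
        and str(a.get("AttributeValue", "")).lower() == "true"
    )


def evaluate(lb, policies):
    """Return [(listener_port, policy_name, weak_ciphers)] for each failing listener."""
    by_name = {p["PolicyName"]: p for p in policies}
    findings = []
    for ld in lb.get("ListenerDescriptions", []):
        port = ld["Listener"]["LoadBalancerPort"]
        for name in ld.get("PolicyNames", []):
            weak = enabled_weak_ciphers(by_name.get(name, {}))
            if weak:
                findings.append((port, name, weak))
    return findings


def remediation_commands(lb_name, findings, policy_name="tls-reference-policy"):
    """Create the reference policy once, then attach it to every flagged listener."""
    if not findings:
        return []
    cmds = [f"aws elb create-load-balancer-policy --load-balancer-name {lb_name} "
            f"--policy-name {policy_name} --policy-type-name SSLNegotiationPolicyType "
            f"--policy-attributes AttributeName=Reference-Security-Policy,"
            f"AttributeValue={REFERENCE_POLICY}"]
    for port in sorted({port for port, _, _ in findings}):
        cmds.append(f"aws elb set-load-balancer-policies-of-listener "
                    f"--load-balancer-name {lb_name} --load-balancer-port {port} "
                    f"--policy-names {policy_name}")
    return cmds


# Constructed sample shaped like the CLI output; not captured from a real account.
SAMPLE_LB = {
    "LoadBalancerName": "legacy-web-elb",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80},
         "PolicyNames": ["legacy-ssl-policy"]},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80},
         "PolicyNames": []},
    ],
}
SAMPLE_POLICIES = [{
    "PolicyName": "legacy-ssl-policy",
    "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
        {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
        {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "RC4-SHA", "AttributeValue": "true"},
        {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "true"},
        {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "false"},  # listed, disabled
    ],
}]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_LB, SAMPLE_POLICIES)
    for port, name, weak in findings:
        print(f"listener :{port} policy {name} enables weak ciphers: {', '.join(weak)}")
    print("\n".join(remediation_commands(SAMPLE_LB["LoadBalancerName"], findings)))
```

To run it against a real account, save the output of aws elb describe-load-balancers --load-balancer-names NAME and aws elb describe-load-balancer-policies --load-balancer-name NAME, load them with json.load, and pass LoadBalancerDescriptions[0] and PolicyDescriptions to evaluate. The value check in enabled_weak_ciphers matters: a policy created from Reference-Security-Policy is described with every cipher present and most set to "false", so matching on attribute names alone would flag compliant listeners.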

References

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html
  2. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0