Logo of Trend Micro

App-Tier ELB Security Policy

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (not acceptable risk)
Rule ID: ELB-016

Ensure that your app-tier Elastic Load Balancers (ELBs) listeners are using the latest AWS security policy for their SSL negotiation configuration. An SSL security policy is a combination of SSL/TLS protocols and ciphers used by your AWS ELBs to negotiate SSL/TLS connections between application clients and the load balancers. This conformity rule assumes that all AWS resources provisioned within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on the Cloud Conformity account dashboard.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you use the latest SSL security policy for your app-tier ELBs you make sure that the SSL/TLS connection is negotiated using only the necessary cryptographic protocols deemed safe with no proven vulnerabilities. This will secure the connection between the clients and the AWS ELB, and protect against security vulnerabilities such as Logjam and FREAK, that may allow attackers to decrypt secure communications between vulnerable clients and your load balancer.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if your app-tier ELBs are using the latest SSL security policy, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier ELB Security Policy conformity rule settings and copy the tag set defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering method will return only the ELBs tagged for the app tier. If no results are returned, there are no ELBs tagged within your app tier and the rule audit stops here. If the EC2 dashboard lists one or more load balancers, continue the process audit with the next step.

06 Select the app-tier ELB that you want to examine.

07 Select the Listeners tab from the bottom panel.

08 In the Cipher column of the HTTPS/SSL listener, click Change to access the SSL negotiation settings for the selected listener.

09 Inside Select a Cipher dialog box, check the current settings to determine which SSL security policy is in use:

  1. If the Predefined Security Policy option is selected and the security policy in use is not the latest one available (the latest policy released by AWS can be identified by the date appended to its name or by using this URL), the listener SSL negotiation configuration is insecure and vulnerable to exploits.
  2. If the Custom Security Policy option is selected, it is likely that the policy is not updated and this makes the SSL negotiation configuration insecure and vulnerable to exploits. AWS predefined security policies are always preferred over custom security policies as the ones released by AWS utilize the newest and most secure SSL protocols and ciphers.

10 Repeat steps no. 6 – 9 to check the SSL negotiation configuration for other load balancers created for your app tier in the selected AWS region.

11 Change the AWS region from the navigation bar and repeat steps no. 5 – 10 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access App-Tier ELB Security Policy conformity rule settings and copy the tag set defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs available in the selected AWS region: 

aws elb describe-load-balancers
	--region us-east-1
	--output table
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names: 

-------------------------
| DescribeLoadBalancers |
+-----------------------+
|   cc-prod-app-elb     |
|   cc-app-test-elb     |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource: 

aws elb describe-tags
	--region us-east-1
	--load-balancer-name cc-prod-app-elb
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array, as shown in the example below, the verified ELB is not tagged, therefore the audit process for the selected resource stops here: 
    []
  2. If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your app tier, therefore the audit process for the selected resource stops here: 
    [
    {
        "Value": "Owner",
        "Key": "Administrator"
    }
]
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified AWS ELB is tagged as a app-tier resource, therefore the audit process continues with the next step: 
    [
    {
        "Value": "<app_tier_tag_value>",
        "Key": "<app_tier_tag>"
    }
]

06 Run describe-load-balancer-policies command (OSX/Linux/UNIX) using the name of the app-tier ELB identified at the previous step to describe the name of the SSL negotiation policy used by the selected app-tier ELB HTTPS/SSL listener: 

aws elb describe-load-balancer-policies
	--region us-east-1
	--load-balancer-name cc-prod-app-elb
	--query 'PolicyDescriptions[*].PolicyName'

07 The command output should return the name of the negotiation policy in use: 

[
    "AWSConsole-SSLNegotiationPolicy-cc-prod-app-elb-123456789012",
]

08 Run describe-load-balancer-policies command (OSX/Linux/UNIX) using the name of the SSL negotiation policy returned at the previous step as identifier to describe the policy metadata and determine if the selected app-tier ELB is using the latest SSL security policy: 

aws elb describe-load-balancer-policies
	--region us-east-1
	--load-balancer-name cc-prod-app-elb
	--query 'PolicyDescriptions[*].PolicyName'
	--policy-name AWSConsole-SSLNegotiationPolicy-cc-prod-app-elb-123456789012

09 The command output should return the configuration metadata for the selected SSL negotiation policy: 

{
    "PolicyDescriptions": [
        {
            "PolicyAttributeDescriptions": [
                {
                    "AttributeName": "Reference-Security-Policy",
                    "AttributeValue": "ELBSecurityPolicy-2015-05"
                },

                ...

                {
                    "AttributeName": "EXP-KRB5-RC4-MD5",
                    "AttributeValue": "false"
                }
            ],
            "PolicyName": "AWSConsole-SSLNegotiationPolicy-cc-prod-app-elb",
            "PolicyTypeName": "SSLNegotiationPolicyType"
        }
    ]
}

To determine the name of the SSL security policy in use, search the command output returned for the AttributeName parameter named Reference-Security-Policy and its correspondent AttributeValue value (highlighted). If the AttributeValue parameter value is different than the name of the latest security policy available (the latest policy released by AWS can be identified by the date added to its name or by using this URL), the listener SSL negotiation configuration set for the selected app-tier ELB is insecure and vulnerable to exploits. If the AttributeValue parameter value returned is different than the name of the predefined security policies listed at this URL, the policy used is custom and most likely not updated which makes it vulnerable to exploits. AWS predefined security policies are always preferred over custom security policies as the ones released by AWS use the most secure SSL protocols and ciphers.

10 Repeat steps no. 4 – 9 to check the SSL negotiation configuration for other load balancers created for your app tier in the selected AWS region.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 10 to perform the audit process for other regions.

Remediation / Resolution

To enable the latest predefined SSL security policy for your app-tier ELBs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the app-tier ELB that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Listeners tab from the bottom panel and click the Edit button under the available listener(s).

06 Inside the Edit listeners dialog box, choose the HTTPS/SSL protocol in use and in the Cipher column click Change to edit the SSL negotiation settings for the selected listener.

07 Within Select a Cipher dialog box, select Predefined Security Policy checkbox and choose the latest security policy available in the dropdown list (e.g. "ELBSecurityPolicy-2016-08"). Once the appropriate SSL security policy is selected, click Save to apply the changes.

08 Repeat steps no. 4 – 7 to enable the latest predefined SSL security policy for other app-tier ELBs provisioned in the selected region.

09 Change the AWS region from the navigation bar and repeat steps no. 4 – 8 for other regions.

Using AWS CLI

01 Run set-load-balancer-policies-of-listener command (OSX/Linux/UNIX) to update the HTTPS/SSL listener for the app-tier ELB that you want to reconfigure (see Audit section part II to identify the right resource). The following command example updates the HTTPS/SSL listener policy for an ELB named "cc-prod-app-elb" using the latest predefined policy released by AWS, e.g. "ELBSecurityPolicy-2016-08", (the command does not return an output): 

aws elb set-load-balancer-policies-of-listener
	--region us-east-1
	--load-balancer-name cc-prod-app-elb
	--load-balancer-port 443
	--policy-names ELBSecurityPolicy-2016-08

02 Repeat step no. 2 to apply the latest predefined SSL security policy to other app-tier ELBs available within the selected region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 for other regions.

References

Publication date Mar 8, 2018

Related ELB rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

App-Tier ELB Security Policy

Risk level: Medium