Web-Tier ELB Listener Security

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Enable HTTPS/SSL Listener for Web-Tier Load Balancers conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

04 In the main navigation panel, under Load Balancing, choose Load Balancers.

05 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

06 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>), then press Enter. This filtering technique will return only the load balancers tagged for the web tier. If no results are returned by the console, there are no Classic Load Balancers tagged within your web tier and the Audit process ends here. If the Amazon EC2 console returns one or more load balancers, continue the Audit with the next step.

07 Select the web-tier Classic Load Balancer that you want to examine.

08 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

09 Check the protocol of each listener configured for the selected load balancer, available in the Load Balancer Protocol column. If there are no listeners with the HTTPS (Secure HTTP) or the SSL (Secure TCP) protocol, the listeners configuration available for the selected web-tier Classic Load Balancer is not secure and the front-end connection between the clients and the load balancer is not encrypted.

10 Repeat steps no. 7 – 9 for each web-tier Classic Load Balancer provisioned within the current AWS region.

11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Enable HTTPS/SSL Listener for Web-Tier Load Balancers conformity rule settings, and copy the tag set defined for the AWS cloud resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers
  --region us-east-1
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return an array with the requested load balancer name(s):

[
  "cc-frontend-load-balancer",
  "cc-project5-load-balancer"
]

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the tag sets defined for the selected load balancer:

aws elb describe-tags
  --region us-east-1
  --load-balancer-name cc-frontend-load-balancer
  --query 'TagDescriptions[*].Tags[]'

05 The describe-tags command request should return one of the following outputs:

1. If the command output returns an empty array (i.e. []), as shown in the example below, the verified Classic Load Balancer is not tagged at all, therefore the Audit process for the selected resource ends here:
   []
   

2. If the describe-tags command output returns a tag set that is different from the one defined for your web/app/data tier, as shown in the example below, the verified load balancer is not a component of the web/app/data tier, therefore the Audit process for the selected resource ends here:
   [
     {
       "Value": "Environment",
       "Key": "Production"
     }
   ]
   

3. If the tag set returned by the describe-tags command output reveals that the selected load balancer is a component of a web tier, as shown in the example below, the Audit process continues with the next step:
   [
     {
       "Key": "<web_tier_tag>",
       "Value": "<web_tier_tag_value>"
     }
   ]
   

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the web-tier load balancer that you want to examine as the identifier parameter, to determine if the selected load balancer is using secure listeners (HTTPS or SSL):

aws elb describe-load-balancers
  --region us-east-1
  --load-balancer-name cc-frontend-load-balancer
  --query "LoadBalancerDescriptions[*].{ListenerDescriptions:ListenerDescriptions[?Listener.Protocol == 'HTTPS' || Listener.Protocol == 'SSL']}"

07 The command output should list the HTTPS/SSL listeners configuration available for the selected load balancer:

[
  {
    "ListenerDescriptions": []
  }
]

08 Repeat steps no. 6 and 7 for each web-tier Classic Load Balancer provisioned in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Use HTTPS Listener for Web-Tier Classic Load Balancer",
  "Resources": {
    "ClassicLoadBalancer": {
      "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties" : {
        "LoadBalancerName" : "cc-frontend-load-balancer",
        "Scheme" : "internet-facing",
        "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
        "Subnets" : [ "subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234" ],
        "Instances" : [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd" ],
        "HealthCheck": {
            "Target": "HTTP:80/index.html",
            "HealthyThreshold": "10",
            "UnhealthyThreshold": "2",
            "Interval": "50",
            "Timeout": "5"
        },
        "Listeners": [{
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [ "cc-secure-negotiation-policy" ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
        }],
        "Policies": [{
            "PolicyName": "cc-secure-negotiation-policy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [{
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
            }]
        }],
        "Tags" : [{
           "Key" : "<web_tier_tag>",
           "Value" : "<web_tier_tag_value>"
        }]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Use HTTPS Listener for Web-Tier Classic Load Balancer
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
        - subnet-01234123412341234
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '443'
          Protocol: HTTPS
          PolicyNames:
            - cc-secure-negotiation-policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/cc-production-certificate
      Policies:
        - PolicyName: cc-secure-negotiation-policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
      Tags:
        - Key: <web_tier_tag>
          Value: <web_tier_tag_value>

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
  name               = "cc-frontend-load-balancer"
  internal           = false
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234"]
  instances          = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTP:80/index.html"
    interval            = 50
  }

  # Use HTTPS Listener for Web-Tier Classic Load Balancer
  listener {
    instance_port      = 80
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/cc-production-certificate"
  }

  tags = {
      Name = "<web_tier_tag>"
      Value = "<web_tier_tag_value>"
  }

}

resource "aws_load_balancer_policy" "cc-ssl-negotiation-policy" {
  load_balancer_name = aws_elb.classic-load-balancer.name
  policy_name        = "cc-secure-negotiation-policy"
  policy_type_name   = "SSLNegotiationPolicyType"
  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

resource "aws_load_balancer_listener_policy" "cc-https-listener-policy" {
  load_balancer_name = aws_elb.classic-load-balancer.name
  load_balancer_port = 443
  policy_names = [
    aws_load_balancer_policy.cc-ssl-negotiation-policy.policy_name
  ]
}

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the web-tier Classic Load Balancer that you want to reconfigure.

06 Select the Listeners tab from the console bottom panel and choose Edit to update the listeners configuration.

07 Inside the Edit listeners configuration box, perform the following operations:

1. Choose Add to create a new listener.
2. Select HTTPS (Secure HTTP) or SSL (Secure TCP) from the Load Balancer Protocol dropdown list.
3. In the Cipher column, choose Change, select the Predefined Security Policy option, and choose the latest security policy available in the policy dropdown list (e.g. ELBSecurityPolicy-TLS-1-2-2017-01). If you want to use a custom policy, select Custom Security Policy and configure your own TLS/SSL policy. Choose Save to apply the changes.
4. In the SSL Certificate column, select Change, and choose one of the following options:
   • Select Choose a certificate from ACM (recommended) and select an existing SSL certificate purchased via Amazon Certificate Manager (ACM) from the Certificate dropdown list. If you haven’t purchased one yet, choose Request a new certificate from ACM and the AWS Management Console will redirect your request to the ACM service console where you can buy the required SSL/TLS certificate. Choose Save to apply the changes.
   • Select Choose a certificate from IAM and select an existing SSL/TLS certificate uploaded previously to Amazon IAM from the Certificate dropdown list. Choose Save to apply the changes.
   • Select Upload a certificate to IAM to deploy an existing SSL certificate by pasting the required information (in PEM-encoded format) to the Private key, Certificate body and Certificate chain (optional) boxes, information granted by the SSL provider from which you bought the certificate. Once the necessary keys are validated, enter a name for the new certificate in the Certificate name box. Choose Save to apply the changes.

08 Back to the Edit listeners box, review the configuration for the secure listener, then choose click Save to deploy the new listener. If successful, the following confirmation message should be displayed: "Finished updating listeners. Your listeners have been successfully updated.". Choose Close to return to the Amazon EC2 console.

09 Repeat steps no. 5 – 8 for each web-tier Classic Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

01 Depending on the AWS cloud service used to manage your TLS/SSL certificates, perform one of the following actions

1. Get the Amazon Resource Name (ARN) of the SSL certificate purchased via Amazon ACM. The certificate ARN will be required during HTTPS/SSL listener configuration:
   • Run list-certificates command (OSX/Linux/UNIX) to describe the ARN(s) and domain name(s) of the SSL certificate(s) purchased with Amazon ACM:
     aws acm list-certificates
     	--region us-east-1
     

   • The command output should return the requested information:
     {
       "CertificateSummaryList": [
          {
           "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
           "DomainName": "www.domain.com"
          }
       ]
     }
     

2. Get the ARN of your SSL certificate(s) uploaded to Amazon IAM:
   • Run list-server-certificates command (OSX/Linux/UNIX) to describe the metadata (certificate ARN(s), name(s), etc.), available for the SSL certificate(s) uploaded to Amazon IAM:
     aws iam list-server-certificates
     

   • The command output should return the requested metadata:
     {
       "ServerCertificateMetadataList": [
         {
           "ServerCertificateName": "cc-production-certificate",
           "Expiration": "2022-06-07T23:59:59Z",
           "Path": "/",
           "Arn": "arn:aws:iam::123456789012:server-certificate/cc-production-certificate",
           "UploadDate": "2021-06-07T23:59:59Z"
         }
       ]
     }
     

02 Run create-load-balancer-listeners command (OSX/Linux/UNIX) to create a new, secure HTTPS listener for your web-tier load balancer using the SSL certificate identified at the previous step. The following command example creates a front-end HTTPS listener for a web-tier load balancer named "cc-frontend-load-balancer" using an SSL certificate identified by the ARN "arn:aws:iam::123456789012:server-certificate/cc-production-certificate" (the command does not produce an output):

aws elb create-load-balancer-listeners
  --region us-east-1
  --load-balancer-name cc-frontend-load-balancer
  --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/cc-production-certificate

03 Repeat step no. 2 for each web-tier Classic Load Balancer that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.