
ELBv2 ALB Security Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ELBv2-003

Ensure that your Amazon Application Load Balancers (ALBs) are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.

The latest ELB security policies are:

  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-3-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06
Predefined configurations that support TLS versions earlier than TLS 1.2 are no longer recommended. TLS 1.0 and 1.1 have been deprecated by the industry. Cipher suites should also support Perfect Forward Secrecy (PFS).

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4


This rule can help you work with the AWS Well-Architected Framework.


Security

Using insecure or deprecated security policies for the SSL negotiation configuration of your Application Load Balancer (ALB) exposes the connection between the client and the load balancer to various SSL/TLS vulnerabilities. To keep your load balancer SSL configuration secure, Trend Cloud One™ – Conformity recommends using one of the latest predefined security policies released by Amazon Web Services (AWS).


Audit

To determine if your Application Load Balancers (ALBs) are using deprecated security policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to examine.

06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Select the HTTPS listener (i.e. the one with the ID HTTPS : 443) and verify the name of the security policy listed in the Security policy column. If the security policy used by the load balancer employs outdated protocols and ciphers, the negotiation configuration of the selected Amazon Application Load Balancer (ALB) is insecure and vulnerable to exploits.

08 Repeat steps no. 5 – 7 for each Application Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Application Load Balancer available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn | []'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-load-balancer/aaaabbbbccccdddd"
]

03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the security policy used by the SSL negotiation configuration set for the selected load balancer:

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd \
  --query 'Listeners[*].SslPolicy'

04 The command output should return the name of the security policy in use:

[
    "ELBSecurityPolicy-2016-08"
]

If the policy name returned by the describe-listeners command is not one of the latest security policies, the load balancer employs outdated protocols and ciphers, and the negotiation configuration of the selected Application Load Balancer (ALB) is therefore insecure and vulnerable to exploits.

05 Repeat steps no. 3 and 4 for each Application Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To update the listener configuration of your Amazon Application Load Balancers (ALBs) in order to use the latest predefined security policy, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Apply the Latest Predefined Security Policy",
    "Resources": {
        "ApplicationLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties" : {
                "Name" : "cc-internet-facing-load-balancer",
                "Type" : "application",
                "Scheme" : "internet-facing",
                "IpAddressType" : "ipv4",
                "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
                "Subnets" : [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
            }
        },
        "HTTPSListener": {
            "Type" : "AWS::ElasticLoadBalancingV2::Listener",
            "Properties" : {
                "Protocol" : "HTTPS",
                "Port" : 443,
                "LoadBalancerArn": {
                        "Ref" : "ApplicationLoadBalancer"
                },
                "DefaultActions": [
                    {
                        "Type" : "forward",
                        "TargetGroupArn" : "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd"
                    }
                ],
                "Certificates" : [ 
                    {
                        "CertificateArn" : "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
                    } 
                ],
                "SslPolicy" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Apply the Latest Predefined Security Policy
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
  HTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTPS
      Port: 443
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      DefaultActions:
        - Type: forward
          TargetGroupArn: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd
      Certificates:
        - CertificateArn: arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 4.0"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
    name               = "cc-internet-facing-load-balancer"
    load_balancer_type = "application"
    internal           = false
    ip_address_type    = "ipv4"
    security_groups    = ["sg-0abcdabcdabcdabcd"]
    subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
}

resource "aws_lb_listener" "https-listener" {
    load_balancer_arn = aws_lb.application-load-balancer.arn
    protocol          = "HTTPS"
    port              = 443
    certificate_arn   = "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"

    default_action {
        type             = "forward"
        target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/aaaabbbbccccdddd"
    }

    # Apply the Latest Predefined Security Policy
    ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list all the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to reconfigure.

06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Select the HTTPS listener (i.e. the one with the ID HTTPS : 443) and choose Edit.

08 On the Edit listener configuration page, in the Secure listener settings section, choose one of the latest policies from the Security policy dropdown list, depending on your use case. Choose Save changes to apply the changes. Select View listeners to return to the EC2 console.

09 Repeat steps no. 5 – 8 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

The example below applies the security policy ELBSecurityPolicy-TLS13-1-2-2021-06. Depending on your use case, you may use a different one of the latest security policies.

01 Run describe-listeners command (OSX/Linux/UNIX) with custom query filters to describe the ARN of the HTTPS listener set for the Application Load Balancer that you want to reconfigure:

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd \
  --query 'Listeners[?(Protocol == `HTTPS`)].ListenerArn | []'

02 The command output should return the ARN of the HTTPS listener:

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd/1234aaaa1234bbbb"
]

03 Run modify-listener command (OSX/Linux/UNIX) using the ARN of the HTTPS listener that you want to reconfigure as the identifier parameter, to change the predefined security policy for the selected load balancer listener:

aws elbv2 modify-listener \
  --region us-east-1 \
  --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd/1234aaaa1234bbbb \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06

04 The command output should return the configuration information available for the modified HTTPS listener:

{
    "Listeners": [
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd/1234aaaa1234bbbb",
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
            "Port": 443,
            "Protocol": "HTTPS",
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
            "DefaultActions": [
                {
                    "Type": "forward",
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234",
                    "Order": 1,
                    "ForwardConfig": {
                        "TargetGroups": [
                            {
                                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234",
                                "Weight": 1
                            }
                        ],
                        "TargetGroupStickinessConfig": {
                            "Enabled": false,
                            "DurationSeconds": 3600
                        }
                    }
                }
            ]
        }
    ]
}

05 Repeat steps no. 1 – 4 for each Application Load Balancer that you want to reconfigure, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
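The Audit and Remediation CLI steps above, wrapped into one script, as an added example that is not part of this page or Conformity's own tooling. The aws elbv2 commands and the policy names come from this page; the function names, the classification format, the dry-run/apply switch and the constructed sample listener list (the internal load balancer's listener id is made up) are assumptions of this example. Only the audit and remediate entry points call AWS and need credentials; the classification logic runs offline.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): audit every HTTPS listener of
# every Application Load Balancer in a region against the latest predefined
# security policies, and optionally apply the target policy to outdated ones.

# Policies this page lists as the latest; update the list when AWS publishes new ones.
LATEST_POLICIES="ELBSecurityPolicy-TLS13-1-2-2021-06 \
ELBSecurityPolicy-TLS13-1-3-2021-06 \
ELBSecurityPolicy-TLS13-1-2-Res-2021-06"

# Policy written by remediate_region; choose another latest policy if your clients need it.
TARGET_POLICY="ELBSecurityPolicy-TLS13-1-2-2021-06"

# is_latest_policy NAME -> exit status 0 when NAME is one of LATEST_POLICIES
is_latest_policy() {
    for p in $LATEST_POLICIES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# classify_listeners TEXT -> for each "ListenerArn<TAB>SslPolicy" input line prints
# "OK|OUTDATED<TAB>ListenerArn<TAB>SslPolicy"; exit status 1 when any listener is outdated.
# The here-document keeps the loop in the current shell so rc survives it.
classify_listeners() {
    rc=0
    while IFS="$(printf '\t')" read -r arn policy; do
        [ -n "$arn" ] || continue
        if is_latest_policy "$policy"; then
            printf 'OK\t%s\t%s\n' "$arn" "$policy"
        else
            printf 'OUTDATED\t%s\t%s\n' "$arn" "$policy"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# list_albs REGION -> ARNs of the Application Load Balancers in REGION, one per line
# (the page's describe-load-balancers query with text output; needs AWS credentials)
list_albs() {
    aws elbv2 describe-load-balancers --region "$1" \
        --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn' \
        --output text | tr '\t' '\n'
}

# list_https_listeners REGION LB_ARN -> "ListenerArn<TAB>SslPolicy" per HTTPS listener
list_https_listeners() {
    aws elbv2 describe-listeners --region "$1" --load-balancer-arn "$2" \
        --query 'Listeners[?(Protocol == `HTTPS`)].[ListenerArn, SslPolicy]' \
        --output text
}

# audit_region REGION -> classifies every HTTPS listener of every ALB; exit status 1 if any is outdated
audit_region() {
    region="$1"; status=0
    for lb in $(list_albs "$region"); do
        echo "== $lb"
        classify_listeners "$(list_https_listeners "$region" "$lb")" || status=1
    done
    return $status
}

# remediate_region REGION [apply] -> runs the page's modify-listener command on each
# OUTDATED listener; without the literal word "apply" it only prints what it would change
remediate_region() {
    region="$1"; mode="${2:-dry-run}"
    audit_region "$region" | while IFS="$(printf '\t')" read -r state arn policy; do
        [ "$state" = "OUTDATED" ] || continue
        echo "modify-listener $arn: $policy -> $TARGET_POLICY ($mode)"
        if [ "$mode" = "apply" ]; then
            aws elbv2 modify-listener --region "$region" \
                --listener-arn "$arn" --ssl-policy "$TARGET_POLICY"
        fi
    done
}

# Constructed sample in the shape of list_https_listeners output: the page's internet-facing
# listener on an outdated policy, plus a made-up internal listener on a current one.
SAMPLE_LISTENERS="$(printf '%s\t%s\n%s\t%s' \
  'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd/1234aaaa1234bbbb' \
  'ELBSecurityPolicy-2016-08' \
  'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internal-load-balancer/aaaabbbbccccdddd/5678cccc5678dddd' \
  'ELBSecurityPolicy-TLS13-1-2-2021-06')"

# Usage: sh alb-ssl-policy.sh audit us-east-1
#        sh alb-ssl-policy.sh remediate us-east-1 [apply]
case "${1:-}" in
    audit)     audit_region "$2" ;;
    remediate) remediate_region "$2" "$3" ;;
esac
```

Run the audit per region exactly as the page's step 06 says (change the region argument and repeat); the dry-run default of remediate_region lets you review which listeners would move to TARGET_POLICY before any listener is modified.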


Publication date Nov 25, 2017