ELB does not enforce latest TLS/SSL policy Affecting ELB service in AWS


Severity: medium (framework: Snyk CCSS)
Rule category: Keys and Secrets / Encryption Protocols

Frameworks: AWS-Well-Architected, CIS-Controls, CSA-CCM, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
  • Snyk ID SNYK-CC-00134
  • Credit Snyk Research Team

Description

The TLS (Transport Layer Security) protocol secures data in transit over the internet using standard encryption technology. Protocol versions prior to TLS 1.2 are deprecated, and a load balancer that still negotiates them (or uses a predefined policy that permits them) may expose traffic to known weaknesses in those versions.

How to fix?

Set the SSL negotiation policy attribute for your load balancer to the latest AWS predefined security policy, or, for a custom policy, enable only TLS 1.2 or later.

  • For aws_load_balancer_policy (predefined), set policy_attribute.name to Reference-Security-Policy and policy_attribute.value to a valid security policy (one that is not on the list below).
  • For aws_load_balancer_policy (custom), set policy_attribute.name to a valid protocol or cipher setting and policy_attribute.value to true; none of the protocol names on the list below may be enabled.

List of invalid policies:

  • Protocol-SSLv2
  • Protocol-SSLv3
  • Protocol-TLSv1
  • Protocol-TLSv1.1
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02
  • ELBSecurityPolicy-2014-10
  • ELBSecurityPolicy-2014-01
  • ELBSecurityPolicy-2011-08
  • ELBSample-ELBDefaultNegotiationPolicy
  • ELBSample-ELBDefaultCipherPolicy
  • ELBSample-OpenSSLDefaultNegotiationPolicy
  • ELBSample-OpenSSLDefaultCipherPolicy

Example Configuration

# aws_elb, predefined policy example: reference a current AWS-managed policy
resource "aws_load_balancer_policy" "elb_policy" {
  load_balancer_name = aws_elb.elb.name
  policy_name        = "elb-ssl"
  policy_type_name   = "SSLNegotiationPolicyType"

  # Reference-Security-Policy selects a predefined policy; this one only
  # negotiates TLS 1.2.
  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

# aws_elb, custom policy example: enable protocols and ciphers explicitly
# (a distinct resource name so both examples can live in one configuration)
resource "aws_load_balancer_policy" "elb_policy_custom" {
  load_balancer_name = aws_elb.elb.name
  policy_name        = "elb-ssl-custom"
  policy_type_name   = "SSLNegotiationPolicyType"

  # Cipher suite to allow
  policy_attribute {
    name  = "ECDHE-ECDSA-AES128-GCM-SHA256"
    value = "true"
  }

  # Only TLS 1.2 is enabled; Protocol-TLSv1, Protocol-TLSv1.1, Protocol-SSLv3
  # and Protocol-SSLv2 are left unset (disabled).
  policy_attribute {
    name  = "Protocol-TLSv1.2"
    value = "true"
  }
}
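As an added check, not part of the Snyk rule page or of Snyk's own scanner, the Python below applies the rule's predefined and custom policy conditions to policy descriptions in the shape returned by `aws elb describe-load-balancer-policies` (PolicyDescriptions with PolicyAttributeDescriptions). The sample input is constructed and includes both the page's compliant examples and two policies the rule flags.

```python
# Invalid policies and protocol attributes, as listed by SNYK-CC-00134.
INVALID_POLICIES = {
    "Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1",
    "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01",
    "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2015-03",
    "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2014-10",
    "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2011-08",
    "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-ELBDefaultCipherPolicy",
    "ELBSample-OpenSSLDefaultNegotiationPolicy",
    "ELBSample-OpenSSLDefaultCipherPolicy",
}


def policy_findings(attributes):
    """Return the violating attributes of one SSL negotiation policy.
    `attributes` is an iterable of (name, value) pairs."""
    findings = []
    for name, value in attributes:
        if name == "Reference-Security-Policy":
            # Predefined policy: the referenced policy itself must be current.
            if value in INVALID_POLICIES:
                findings.append(f"Reference-Security-Policy={value}")
        elif name in INVALID_POLICIES and str(value).lower() == "true":
            # Custom policy: a deprecated protocol has been enabled explicitly.
            findings.append(name)
    return findings


def scan_policies(policy_descriptions):
    """Map each violating SSLNegotiationPolicyType policy name to its findings."""
    results = {}
    for desc in policy_descriptions:
        if desc.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        attrs = [(a["AttributeName"], a["AttributeValue"])
                 for a in desc.get("PolicyAttributeDescriptions", [])]
        found = policy_findings(attrs)
        if found:
            results[desc["PolicyName"]] = found
    return results


def _pol(name, attrs):  # helper to build constructed sample records
    return {"PolicyName": name, "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": k, "AttributeValue": v} for k, v in attrs]}


SAMPLE = [  # constructed input, not real account data
    _pol("elb-ssl", [("Reference-Security-Policy", "ELBSecurityPolicy-TLS-1-2-2017-01")]),
    _pol("elb-ssl-custom", [("ECDHE-ECDSA-AES128-GCM-SHA256", "true"), ("Protocol-TLSv1.2", "true")]),
    _pol("elb-ssl-legacy", [("Reference-Security-Policy", "ELBSecurityPolicy-2016-08")]),
    _pol("elb-ssl-custom-legacy", [("Protocol-TLSv1", "true"), ("Protocol-TLSv1.2", "true")]),
]
```

Running `scan_policies(SAMPLE)` reports only the two legacy policies; the unset protocol attributes in the custom example are treated as disabled, as in the Terraform above.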