Severity Framework: Snyk CCSS
Rule category: Keys and Secrets / Encryption Protocols
Frameworks
AWS-Well-Architected
CIS-Controls
CSA-CCM
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID SNYK-CC-00134
- credit Snyk Research Team
Description
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Versions prior to TLS 1.2 are deprecated and usage may pose security risks.
How to fix?
Set the appropriate SSL policy attribute for your load balancer to the latest AWS predefined security policy.
- For aws_load_balancer_policy (predefined), set policy_attribute.name to Reference-Security-Policy and policy_attribute.value to a valid security policy.
- For aws_load_balancer_policy (custom), set policy_attribute.name to a valid security policy and policy_attribute.value to true.
List of invalid policies:
- Protocol-SSLv2
- Protocol-SSLv3
- Protocol-TLSv1
- Protocol-TLSv1.1
- ELBSecurityPolicy-2016-08
- ELBSecurityPolicy-TLS-1-1-2017-01
- ELBSecurityPolicy-2015-05
- ELBSecurityPolicy-2015-03
- ELBSecurityPolicy-2015-02
- ELBSecurityPolicy-2014-10
- ELBSecurityPolicy-2014-01
- ELBSecurityPolicy-2011-08
- ELBSample-ELBDefaultNegotiationPolicy
- ELBSample-ELBDefaultCipherPolicy
- ELBSample-OpenSSLDefaultNegotiationPolicy
- ELBSample-OpenSSLDefaultCipherPolicy
Example Configuration
# aws_elb, predefined policy example
resource "aws_load_balancer_policy" "elb_policy" {
  load_balancer_name = aws_elb.elb.name
  policy_name        = "elb-ssl"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

# aws_elb, custom policy example
resource "aws_load_balancer_policy" "elb_policy" {
  load_balancer_name = aws_elb.elb.name
  policy_name        = "elb-ssl"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "ECDHE-ECDSA-AES128-GCM-SHA256"
    value = "true"
  }

  policy_attribute {
    name  = "Protocol-TLSv1.2"
    value = "true"
  }
}
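The fix rules and the invalid-policy list above can be turned into a plan-time check that runs before apply. The following is an added example, not Snyk's checker and not part of this rule page: it walks a `terraform show -json` document, applies both forms of the rule (the predefined Reference-Security-Policy value and custom protocol/cipher flags set to true) to every aws_load_balancer_policy of type SSLNegotiationPolicyType, and reports the deprecated settings it finds. The sample plan embedded at the bottom is constructed for the example; the function names are the example's own.

```python
"""Flag aws_load_balancer_policy resources that still enable deprecated
SSL/TLS settings (the condition this rule describes).

Added example, not the rule's or Snyk's own code. Assumes the plan was
exported with `terraform show -json tfplan`; the sample plan below is constructed.
"""
import json

# Names and values the rule lists as invalid (copied from the rule text).
INVALID_POLICIES = frozenset({
    "Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1",
    "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-1-2017-01",
    "ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2015-03",
    "ELBSecurityPolicy-2015-02", "ELBSecurityPolicy-2014-10",
    "ELBSecurityPolicy-2014-01", "ELBSecurityPolicy-2011-08",
    "ELBSample-ELBDefaultNegotiationPolicy", "ELBSample-ELBDefaultCipherPolicy",
    "ELBSample-OpenSSLDefaultNegotiationPolicy", "ELBSample-OpenSSLDefaultCipherPolicy",
})

REFERENCE_ATTR = "Reference-Security-Policy"


def check_policy_attributes(attributes):
    """Return finding strings for one resource's policy_attribute list.

    Predefined form: name is Reference-Security-Policy, value is the policy name.
    Custom form: name is a protocol/cipher flag and value is "true"/"false".
    """
    findings = []
    for attr in attributes:
        name = attr.get("name", "")
        value = str(attr.get("value", "")).strip()
        if name == REFERENCE_ATTR:
            if value in INVALID_POLICIES:
                findings.append(f"{REFERENCE_ATTR} uses deprecated policy {value}")
        elif name in INVALID_POLICIES and value.lower() == "true":
            findings.append(f"custom policy enables deprecated setting {name}")
    return findings


def check_plan(plan):
    """Walk a `terraform show -json` document; map resource address -> findings."""
    results = {}
    modules = [plan.get("planned_values", {}).get("root_module", {})]
    while modules:  # depth-first over root_module and child_modules
        module = modules.pop()
        for res in module.get("resources", []):
            if res.get("type") != "aws_load_balancer_policy":
                continue
            values = res.get("values", {})
            if values.get("policy_type_name") != "SSLNegotiationPolicyType":
                continue  # only SSL negotiation policies are in scope
            findings = check_policy_attributes(values.get("policy_attribute", []))
            if findings:
                results[res["address"]] = findings
        modules.extend(module.get("child_modules", []))
    return results


def _resource(name, attrs):
    """Build one planned resource entry in plan-JSON shape (constructed)."""
    return {
        "address": f"aws_load_balancer_policy.{name}",
        "type": "aws_load_balancer_policy",
        "name": name,
        "values": {
            "load_balancer_name": "example-elb",
            "policy_name": "elb-ssl",
            "policy_type_name": "SSLNegotiationPolicyType",
            "policy_attribute": attrs,
        },
    }


# Constructed sample plan: one compliant and one deprecated example of each form.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    _resource("modern", [{"name": REFERENCE_ATTR,
                          "value": "ELBSecurityPolicy-TLS-1-2-2017-01"}]),
    _resource("legacy", [{"name": REFERENCE_ATTR,
                          "value": "ELBSecurityPolicy-2016-08"}]),
    _resource("custom_ok", [{"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "value": "true"},
                            {"name": "Protocol-TLSv1.2", "value": "true"}]),
    _resource("custom_old", [{"name": "Protocol-TLSv1", "value": "true"},
                             {"name": "Protocol-TLSv1.2", "value": "true"}]),
]}}}

if __name__ == "__main__":
    print(json.dumps(check_plan(SAMPLE_PLAN), indent=2))
```

Run it against a real export with `terraform show -json tfplan > plan.json` and pass the parsed file to check_plan; a resource with a non-empty findings list is one the rule would flag. The check is deliberately scoped to SSLNegotiationPolicyType so that other policy types on the same load balancer are not reported.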