Homepage

ELB does not enforce latest TLS/SSL policy Affecting ELB service in AWS

Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Keys and Secrets/ Encryption Protocols

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
AWS-Well-ArchitectedCIS-ControlsCSA-CCMISO-27001NIST-800-53PCI-DSSSOC-2
  • Snyk IDSNYK-CC-00134
  • creditSnyk Research Team
Report a new misconfiguration Found a mistake?

Description

The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Versions prior to TLS 1.2 are deprecated and usage may pose security risks.

How to fix?

Set the appropriate SSL policy attribute for your load balancer to the latest AWS predefined security policy.

  • For aws_load_balancer_policy (predefined), set policy_attribute.name to Reference-Security-Policy and policy_attribute.value to a valid security policy.
  • For aws_load_balancer_policy (custom), set policy_attribute.name to a valid security policy and policy_attribute.value to true.

List of invalid policies:

  • Protocol-SSLv2
  • Protocol-SSLv3
  • Protocol-TLSv1
  • Protocol-TLSv1.1
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02
  • ELBSecurityPolicy-2014-10
  • ELBSecurityPolicy-2014-01
  • ELBSecurityPolicy-2011-08
  • ELBSample-ELBDefaultNegotiationPolicy
  • ELBSample-ELBDefaultCipherPolicy
  • ELBSample-OpenSSLDefaultNegotiationPolicy
  • ELBSample-OpenSSLDefaultCipherPolicy

Example configuration:

# aws_elb, predefined policy example
resource "aws_load_balancer_policy" "elb_policy" {
  load_balancer_name = "${aws_elb.elb.name}"
  policy_name        = "elb-ssl"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

# aws_elb, custom policy example
resource "aws_load_balancer_policy" "elb_policy" {
  load_balancer_name = "${aws_elb.elb.name}"
  policy_name        = "elb-ssl"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "ECDHE-ECDSA-AES128-GCM-SHA256"
    value = "true"
  }

  policy_attribute {
    name  = "Protocol-TLSv1.2"
    value = "true"
  }
}