Description:

Elastic Load Balancing uses a Secure Sockets Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer each present the list of ciphers and protocols they support, in order of preference.


Rationale:

If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order in which they are listed in the policy to negotiate connections between the client and the load balancer. Otherwise, the load balancer uses the ciphers in the order in which they are presented by the client.


Impact:

Elastic Load Balancing uses Secure Sockets Layer (SSL) negotiation configurations, known as security policies, to negotiate connections between the clients and the load balancer. When you use HTTPS/SSL for your front-end connections, you can use either a predefined security policy or a custom security policy.

Note: AWS predefined security policies are always preferred over custom security policies.


Default Value:

1. Elastic Load Balancing provides the following security policies for Application Load Balancers:

  • ELBSecurityPolicy-2016-08 (default)

  • ELBSecurityPolicy-TLS-1-0-2015-04

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-TLS-1-2-2017-01 etc.

2. The default policy, ELBSecurityPolicy-2016-08, and the ELBSecurityPolicy-FS policies


Audit:

To determine if your load balancers are using deprecated security policies, perform the following:

  1. Log in to the AWS Management Console.

  2. Open the EC2 dashboard at https://console.aws.amazon.com/ec2/.

  3. In the left side panel, under LOAD BALANCING, click Load Balancers. 

  4. Select the Elastic Load Balancer to examine.

  5. Go to the Listeners tab.

  6. In the Cipher column of the HTTPS/SSL listener, click Change.

  7. In the Select a Cipher dialog box, identify which security policy is in use.

If Custom Security Policy is selected, the policy has most likely not been kept up to date, which leaves the SSL negotiation configuration weak and exposed to known protocol and cipher weaknesses. AWS predefined security policies are always preferred over custom security policies.


Using AWS CLI:

Command to determine which security policies are currently associated with the selected Elastic Load Balancer (replace <region-name> and the load balancer name ABC with your own values):

aws elb describe-load-balancer-policies \
  --region <region-name> \
  --load-balancer-name ABC \
  --query 'PolicyDescriptions[*].PolicyName'
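The command above lists policy names only; deciding whether a listener is on a predefined or a custom policy, and whether Server Order Preference is on, means reading the policy attributes and matching them to the listener they are attached to. The following Python script is an added example, not part of this benchmark text and not AWS tooling: it works offline from the JSON that aws elb describe-load-balancers and aws elb describe-load-balancer-policies return for one Classic Load Balancer. The two JSON documents in it are constructed samples in the shape of those responses (the load balancer name ABC, the certificate ARN and the policy names are made up). It assumes the SSLNegotiationPolicyType attribute names Reference-Security-Policy, Server-Defined-Cipher-Order and Protocol-* as they appear in describe-load-balancer-policies output, and it treats a policy that carries no Reference-Security-Policy attribute as custom; that heuristic is the script's own assumption.

```python
"""Offline review of the SSL negotiation policy on the HTTPS/SSL listeners of a
Classic Load Balancer, from the JSON returned by:

    aws elb describe-load-balancers --load-balancer-names ABC
    aws elb describe-load-balancer-policies --load-balancer-name ABC

Both documents below are CONSTRUCTED samples shaped like those responses,
not output captured from a real account.
"""
import json

# Constructed sample of `describe-load-balancers` output (one load balancer, three listeners).
LOAD_BALANCERS_JSON = '''
{"LoadBalancerDescriptions": [{"LoadBalancerName": "ABC", "ListenerDescriptions": [
  {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP",
                "InstancePort": 80}, "PolicyNames": []},
  {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP",
                "InstancePort": 80, "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/EXAMPLE"},
   "PolicyNames": ["legacy-custom-policy"]},
  {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443, "InstanceProtocol": "TCP",
                "InstancePort": 8443, "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/EXAMPLE"},
   "PolicyNames": ["predefined-2016-08-copy"]}]}]}
'''

# Constructed sample of `describe-load-balancer-policies` output for that load balancer.
POLICIES_JSON = '''
{"PolicyDescriptions": [
  {"PolicyName": "legacy-custom-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
     {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
     {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
     {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "false"},
     {"AttributeName": "AES128-SHA", "AttributeValue": "true"}]},
  {"PolicyName": "predefined-2016-08-copy", "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2016-08"},
     {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
     {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
     {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
     {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"}]}]}
'''

# Attributes of SSLNegotiationPolicyType that switch individual protocol versions on or off.
PROTOCOL_ATTRIBUTES = ("Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1",
                       "Protocol-TLSv1.1", "Protocol-TLSv1.2")
# Versions a reviewer should never find enabled on a listener.
DEPRECATED_PROTOCOLS = {"Protocol-SSLv2", "Protocol-SSLv3"}


def policy_attributes(policy):
    """Flatten PolicyAttributeDescriptions into a name -> value dict."""
    return {a["AttributeName"]: a["AttributeValue"]
            for a in policy.get("PolicyAttributeDescriptions", [])}


def assess_policy(policy):
    """Review one SSLNegotiationPolicyType policy and return its findings.

    Assumption (this script's heuristic): a policy created from an AWS predefined
    policy carries a Reference-Security-Policy attribute naming it; a policy
    without that attribute is treated as custom.
    """
    attrs = policy_attributes(policy)
    enabled = [p for p in PROTOCOL_ATTRIBUTES if attrs.get(p, "false").lower() == "true"]
    findings = []
    reference = attrs.get("Reference-Security-Policy")
    if reference is None:
        findings.append("custom policy: prefer an AWS predefined security policy")
    if attrs.get("Server-Defined-Cipher-Order", "false").lower() != "true":
        findings.append("Server Order Preference disabled: the client's cipher order wins")
    deprecated = [p for p in enabled if p in DEPRECATED_PROTOCOLS]
    if deprecated:
        findings.append("deprecated protocols enabled: " + ", ".join(deprecated))
    return {"policy": policy["PolicyName"], "reference": reference,
            "protocols": enabled, "findings": findings}


def audit(load_balancers_json, policies_json):
    """Pair every HTTPS/SSL listener with its attached negotiation policy and assess it."""
    lbs = json.loads(load_balancers_json)["LoadBalancerDescriptions"]
    policies = {p["PolicyName"]: p for p in json.loads(policies_json)["PolicyDescriptions"]
                if p["PolicyTypeName"] == "SSLNegotiationPolicyType"}
    results = []
    for lb in lbs:
        for ld in lb["ListenerDescriptions"]:
            listener = ld["Listener"]
            if listener["Protocol"] not in ("HTTPS", "SSL"):
                continue  # plain HTTP/TCP listeners do not negotiate TLS at the load balancer
            base = {"load_balancer": lb["LoadBalancerName"], "port": listener["LoadBalancerPort"]}
            attached = [policies[n] for n in ld["PolicyNames"] if n in policies]
            if not attached:
                results.append({**base, "policy": None, "reference": None, "protocols": [],
                                "findings": ["no SSL negotiation policy attached; confirm the "
                                             "effective policy in the console"]})
            for policy in attached:
                results.append({**base, **assess_policy(policy)})
    return results


if __name__ == "__main__":
    for r in audit(LOAD_BALANCERS_JSON, POLICIES_JSON):
        status = "OK  " if not r["findings"] else "FAIL"
        print(f"{status} {r['load_balancer']}:{r['port']} policy={r['policy']} "
              f"reference={r['reference']} protocols={r['protocols']}")
        for finding in r["findings"]:
            print(f"      - {finding}")
```

On the constructed sample the port 443 listener is reported as a custom policy with Server Order Preference off and SSLv3 enabled, while the port 8443 listener, created from ELBSecurityPolicy-2016-08, passes. To run it against a real account, replace the two constants with the output of the two CLI calls named in the docstring; the Protocol-* list each listener reports is worth reading even when no finding is raised, since it shows which TLS versions a predefined policy still accepts.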

Remediation:

Pre-requisites:

  1. Log in as an administrator or as an IAM user with the required permissions.

  2. The RSA- and DSA-based ciphers are specific to the signing algorithm used to create an SSL certificate.

Implementation Steps:

Step 1: Log in to the AWS Management Console.

Step 2: Open the EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click on Load Balancers in the left navigation pane.

Step 4: Select the Elastic Load Balancer that you want to modify.

Step 5: Go to the Listeners tab.

Step 6: Select the listener you want to edit and click on the Edit button.

Step 7: Select the HTTPS server.

Step 8: Create the Target group.

Step 9: On the page that opens, go to the Security policy section, open the drop-down and select the most recent security policy available (ELBSecurityPolicy-2016-08).

Step 10: Click on Save changes




Using AWS CLI:

To set the load balancer security policy (the region, load balancer name and port below are example values):

aws elb set-load-balancer-policies-of-listener \
  --region us-east-1 \
  --load-balancer-name MyWebELB \
  --load-balancer-port 443 \
  --policy-names ELBSecurityPolicy-2016-08


Backout plan:

Step 1: Log in to the AWS Management Console.

Step 2: Open the EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click on Load Balancers in the left navigation pane.

Step 4: Select the Elastic Load Balancer that you want to modify.

Step 5: Go to the Listeners tab.

Step 6: Select the listener you want to edit and click on the Edit button.

Step 7: Apply the HTTP server and click on Save changes.

CLI Commands:

To add the HTTP server (parameters in square brackets are optional):

aws elbv2 modify-listener \
  --listener-arn <value> \
  [--port 80] \
  [--protocol <value>]


References:

Predefined SSL security policies for Classic Load Balancers - Elastic Load Balancing 

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies