Description:
Elastic Load Balancing uses a Secure Sockets Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL/TLS connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol (SSL or a TLS version) establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message; a protocol supports several ciphers for encrypting data over the internet. During the connection negotiation (handshake), the client and the load balancer each present the list of protocols and ciphers they support, in order of preference, and one protocol and cipher suite is selected from the overlap.
Rationale:
If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order in which they are listed in the policy to negotiate connections between the client and the load balancer. Otherwise, the load balancer uses the ciphers in the order presented by the client, which lets any client (including an outdated or attacker-controlled one) steer the connection toward the weakest cipher both sides support. A policy that has not been updated may also still enable deprecated protocols and ciphers, so the SSL negotiation configuration should be reviewed against the current AWS predefined policies.
Impact:
Elastic Load Balancing uses Secure Sockets Layer (SSL) negotiation configurations, known as security policies, to negotiate connections between clients and the load balancer. When you use HTTPS/SSL for your front-end connections, you can use either a predefined security policy or a custom security policy. Changing the policy changes the set of protocols and ciphers the load balancer accepts, so clients that only support protocols or ciphers removed by the new policy will no longer be able to connect.
Note: AWS predefined security policies are always preferred over custom security policies, because AWS updates them as protocols and ciphers are deprecated.
Default Value:
1. Elastic Load Balancing provides the following predefined security policies for Application Load Balancers:
   ELBSecurityPolicy-2016-08 (default)
   ELBSecurityPolicy-TLS-1-0-2015-04
   ELBSecurityPolicy-TLS-1-1-2017-01
   ELBSecurityPolicy-TLS-1-2-2017-01
   etc.
2. The default policy, ELBSecurityPolicy-2016-08, and the ELBSecurityPolicy-FS policies
Audit:
To determine whether your load balancers are using deprecated or custom security policies, perform the following:
Log in to the AWS Management Console.
Open the EC2 dashboard at https://console.aws.amazon.com/ec2/.
In the left side panel, under LOAD BALANCING, click Load Balancers.
Select the Elastic Load Balancer to examine.
Go to the Listeners tab.
In the Cipher column of the HTTPS/SSL listener, click Change.
In the Select a Cipher dialog box, identify which security policy is in use.
If Custom Security Policy is selected, it is likely that the policy has not been kept current, which leaves the SSL negotiation configuration with deprecated protocols or ciphers enabled and therefore exposed to known weaknesses in them. If a predefined policy is selected, confirm that it is the most recent one available rather than an older predefined policy. AWS predefined security policies are always preferred over custom security policies.
Using AWS CLI:
Command to list the policies defined on the selected Elastic Load Balancer (an SSL negotiation policy that was created from a predefined policy has PolicyTypeName SSLNegotiationPolicyType and a Reference-Security-Policy attribute naming the predefined policy; a custom policy has no such attribute). To see which of these policies is actually attached to the HTTPS/SSL listener, check the PolicyNames of that listener in the output of aws elb describe-load-balancers:
aws elb describe-load-balancer-policies --region <region-name> --load-balancer-name ABC --query 'PolicyDescriptions[*].PolicyName'
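The check above can be automated by feeding the JSON from the two CLI commands into a short script. The following is an added example, not part of the benchmark or of any AWS tooling: it parses the output format of `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies` (the field names are the real API output fields), maps each HTTPS/SSL listener to its attached SSL negotiation policy, and flags custom policies, policies based on a predefined policy other than ELBSecurityPolicy-2016-08, SSLv3 being enabled, and server order preference being disabled. The two JSON documents embedded below are constructed sample data, not output captured from an account, and the load balancer and policy names in them are made up.

```python
"""Offline audit of Classic Load Balancer SSL negotiation policies (added example)."""
import json

# Constructed sample of `aws elb describe-load-balancers` output: one load balancer
# with an HTTPS listener on 443 using a hand-built policy and a plain HTTP listener.
DESCRIBE_LOAD_BALANCERS = json.loads("""
{"LoadBalancerDescriptions": [{
  "LoadBalancerName": "MyWebELB",
  "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
     "PolicyNames": ["legacy-ssl-policy"]},
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80},
     "PolicyNames": []}
  ]}]}
""")

# Constructed sample of `aws elb describe-load-balancer-policies` output. A policy
# created from a predefined policy carries a Reference-Security-Policy attribute;
# a custom policy only lists individual protocol and cipher flags.
DESCRIBE_LOAD_BALANCER_POLICIES = json.loads("""
{"PolicyDescriptions": [
  {"PolicyName": "legacy-ssl-policy",
   "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
     {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
     {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "false"},
     {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "false"},
     {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "true"}]},
  {"PolicyName": "ELBSecurityPolicy-2016-08-policy",
   "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2016-08"},
     {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
     {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
     {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"}]}
]}
""")

# The predefined policy the benchmark recommends; anything else is flagged.
RECOMMENDED_REFERENCE_POLICY = "ELBSecurityPolicy-2016-08"


def attributes(policy):
    """Flatten PolicyAttributeDescriptions into a {name: value} dict."""
    return {a["AttributeName"]: a["AttributeValue"]
            for a in policy.get("PolicyAttributeDescriptions", [])}


def audit(load_balancers, policies):
    """Return one finding dict per HTTPS/SSL listener; an empty 'issues' list is a pass."""
    by_name = {p["PolicyName"]: p for p in policies["PolicyDescriptions"]}
    findings = []
    for lb in load_balancers["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            listener = ld["Listener"]
            if listener["Protocol"] not in ("HTTPS", "SSL"):
                continue  # plaintext listeners carry no SSL negotiation policy
            # Only SSLNegotiationPolicyType policies matter here; other policy
            # types (e.g. stickiness) can share the same listener.
            ssl_policies = [by_name[n] for n in ld["PolicyNames"]
                            if by_name.get(n, {}).get("PolicyTypeName")
                            == "SSLNegotiationPolicyType"]
            issues = []
            if not ssl_policies:
                issues.append("no SSL negotiation policy attached to listener")
            for pol in ssl_policies:
                attrs, name = attributes(pol), pol["PolicyName"]
                ref = attrs.get("Reference-Security-Policy")
                if ref is None:
                    issues.append(f"{name}: custom policy, not based on a predefined policy")
                elif ref != RECOMMENDED_REFERENCE_POLICY:
                    issues.append(f"{name}: based on {ref}, not {RECOMMENDED_REFERENCE_POLICY}")
                if attrs.get("Protocol-SSLv3") == "true":
                    issues.append(f"{name}: SSLv3 enabled")
                if attrs.get("Server-Defined-Cipher-Order") != "true":
                    issues.append(f"{name}: server order preference disabled")
            findings.append({"load_balancer": lb["LoadBalancerName"],
                             "port": listener["LoadBalancerPort"],
                             "policies": [p["PolicyName"] for p in ssl_policies],
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(DESCRIBE_LOAD_BALANCERS, DESCRIBE_LOAD_BALANCER_POLICIES):
        print("FAIL" if f["issues"] else "PASS", f["load_balancer"], f["port"], f["policies"])
        for issue in f["issues"]:
            print("   -", issue)
```

To run it against a real account, replace the two constants with the JSON the CLI returns (describe-load-balancer-policies is per load balancer, so call it once per load balancer name). On the sample data the 443 listener fails with three findings: custom policy, SSLv3 enabled, and server order preference disabled; the 80 listener is skipped.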
Remediation:
Pre-requisites:
Log in as an admin or as an IAM user with the required permissions.
The RSA- and DSA-based ciphers are specific to the signing algorithm used to create an SSL certificate.
Implementation Steps:
Step 1: Log in to the AWS Management Console.
Step 2: Open the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Step 3: Click on Load Balancers, in the left navigation pane
Step 4: Select the Elastic Load Balancer that you want to modify
Step 5: Go to the Listeners tab
Step 6: Select the listener you want to edit and click on the Edit button
Step 7: Select the HTTPS (or SSL) listener
Step 8: Create the Target group
Step 9: On the page that opens, go to the security policy section, open the drop-down and select the most recent predefined security policy available (ELBSecurityPolicy-2016-08)
Step 10: Click on Save changes
Using AWS CLI:
To set the load balancer security policy. A predefined policy cannot be attached to a listener by name directly; first create a policy on the load balancer that references the predefined policy, then attach that policy to the HTTPS listener:
aws elb create-load-balancer-policy --region us-east-1 --load-balancer-name MyWebELB --policy-name MyWebELB-SSLNegotiation-2016-08 --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2016-08
aws elb set-load-balancer-policies-of-listener
--region us-east-1
--load-balancer-name MyWebELB
--load-balancer-port 443
--policy-names MyWebELB-SSLNegotiation-2016-08
Backout plan:
Step 1: Log in to the AWS Management Console.
Step 2: Open the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Step 3: Click on Load Balancers, in the left navigation pane
Step 4: Select the Elastic Load Balancer that you want to modify
Step 5: Go to the Listeners tab
Step 6: Select the listener you want to edit and click on the edit button
Step 7: Restore the listener's previous configuration (the previously attached security policy, or the HTTP listener if that is what was in place before the change) and click on Save changes
Note: falling back to a plain HTTP listener removes encryption for that listener entirely; re-attaching the previous security policy is the safer backout.
CLI Commands
To re-attach the policy that was in use before the change on a Classic Load Balancer
aws elb set-load-balancer-policies-of-listener
--region us-east-1
--load-balancer-name MyWebELB
--load-balancer-port 443
--policy-names <previous-policy-name>
To change the port or protocol of an Application Load Balancer listener (the elbv2 API applies to Application and Network Load Balancers, not to Classic Load Balancers)
aws elbv2 modify-listener
--listener-arn <value>
[--port 80]
[--protocol <value>]
References:
Predefined SSL security policies for Classic Load Balancers - Elastic Load Balancing