Description:
Elastic Load Balancing (ELB) uses Secure Sockets Layer (SSL/TLS) to encrypt traffic between clients and the load balancer. However, some ELBs may still be configured with insecure SSL ciphers, leaving the connection between the client and the load balancer open to attack.
Rationale:
Using insecure SSL ciphers can expose your data to unauthorized access, modification, or disclosure. This could have serious consequences, such as financial loss, identity theft, or reputational damage.
Impact:
If an attacker is able to exploit an insecure SSL cipher, they could gain access to your data, such as credit card numbers, passwords, or other sensitive information. They could also use this access to modify or delete your data, or to disrupt your applications.
Default Value:
AWS recommends that you use the ELBSecurityPolicy-TLS-1-2-2017-01 security policy. This policy restricts negotiation to TLS 1.2 with a strong cipher set, and it is compatible with most clients.
Pre-Requisite:
To follow this policy, you will need access to the AWS Management Console or the AWS CLI. You will also need to know the ID of the ELB that you want to update (and, for the CLI, the ARN of its HTTPS listener).
Remediation Steps:
To remediate this issue, you can follow these steps:
- In the AWS Management Console, go to the Load Balancing page.
- Select the ELB that you want to update.
- Click the Listeners tab.
- For the HTTPS listener, click the Cipher column.
- Click Change.
- In the Select a Cipher panel, select the ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
- Click Save.
Test Plan:
To test that the policy has been implemented correctly, you can use the following steps:
- Connect to the ELB using a client that supports the ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
- Try to access a resource that is hosted on the ELB.
- If the connection is successful, then the policy has been implemented correctly.
Implementation Plan:
The steps to implement this policy are:
- Identify the ELBs that are using insecure SSL ciphers.
- Update the SSL ciphers on the ELBs to use the ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
- Test that the policy has been implemented correctly.
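An added helper for the first step, written for this page and not taken from AWS or the original document: a POSIX shell audit that reads the rows produced by aws elbv2 describe-listeners and flags HTTPS/TLS listeners whose security policy is not on an approved baseline. The sample rows, account ID and ARN suffixes are constructed, and ALLOWED_POLICIES is an assumed baseline containing only the policy this page recommends.

```shell
#!/bin/sh
# Audit helper added for this page (not AWS-provided): flag ALB/NLB listeners
# whose TLS security policy is not on an approved baseline.

# Assumed baseline: only the policy this page recommends. Extend as needed.
ALLOWED_POLICIES="ELBSecurityPolicy-TLS-1-2-2017-01"

# Returns 0 when $1 is an approved policy name, 1 otherwise.
is_allowed_policy() {
    for p in $ALLOWED_POLICIES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Reads tab-separated rows "<listener-arn> <protocol> <ssl-policy>" on stdin,
# the shape produced per load balancer by:
#   aws elbv2 describe-listeners --load-balancer-arn "$LB_ARN" \
#     --query 'Listeners[].[ListenerArn,Protocol,SslPolicy]' --output text
# Prints one NON-COMPLIANT line per HTTPS/TLS listener whose policy is not
# approved. HTTP/TCP listeners carry no policy ("None") and are skipped.
flag_insecure_listeners() {
    tab=$(printf '\t')
    while IFS="$tab" read -r arn proto policy; do
        case "$proto" in
            HTTPS|TLS) ;;
            *) continue ;;
        esac
        if ! is_allowed_policy "$policy"; then
            printf 'NON-COMPLIANT %s policy=%s\n' "$arn" "$policy"
        fi
    done
}

# Constructed sample rows (account ID, names and ARN suffixes are made up).
SAMPLE_LISTENERS=$(printf '%s\t%s\t%s\n' \
  'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/lb-a/0000000000000001/0000000000000001' HTTPS ELBSecurityPolicy-2016-08 \
  'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/lb-b/0000000000000002/0000000000000002' HTTPS ELBSecurityPolicy-TLS-1-2-2017-01 \
  'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/lb-b/0000000000000002/0000000000000003' HTTP None)

# Demo run over the sample: only lb-a's HTTPS listener should be reported.
printf '%s\n' "$SAMPLE_LISTENERS" | flag_insecure_listeners
```

To audit a real account, pipe the describe-listeners output for each load balancer ARN returned by aws elbv2 describe-load-balancers into flag_insecure_listeners instead of the sample.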
AWS CLI Process:
To update the security policy of an ELB listener using the AWS CLI, use the elbv2 modify-listener command with the --ssl-policy option (the listener ARN below is a placeholder; substitute the ARN of your own HTTPS listener):
aws elbv2 modify-listener --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/500000000/tcp/443 --ssl-policy ELBSecurityPolicy-TLS-1-2-2017-01
Using AWS GUI:
To update the SSL ciphers on an ELB using the AWS GUI, you can follow these steps:
- Go to the AWS Management Console.
- Click on the Load Balancing service.
- Click on the Load Balancers tab.
- Select the ELB that you want to update.
- Click on the Listeners tab.
- For the HTTPS listener, click on the Cipher column.
- Click on the Change button.
- In the Select a Cipher panel, select the ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
- Click on the Save button.
Backout Plan:
To revert the changes that you made to the SSL ciphers on the ELB, you can follow these steps:
- In the AWS Management Console, go to the Load Balancing page.
- Select the ELB that you want to update.
- Click the Listeners tab.
- For the HTTPS listener, click the Cipher column.
- Click Change.
- In the Select a Cipher panel, select the ELBSecurityPolicy-2016-08 security policy.
- Click Save.
Note:
- The ELBSecurityPolicy-2016-08 policy includes some insecure SSL ciphers, so it is not as secure as the ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
- You should only use this policy as a temporary measure if you need to revert the changes that you made to the SSL ciphers on the ELB.
Reference:
- AWS documentation on Elastic Load Balancing security policies: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
Section 2:
- Tags: security, ssl, ciphers, ELB
- Keywords: insecure, remediation, backout, policy