Profile Applicability:

  • Level 1

Description:

Elastic Load Balancers (ELBs) in AWS manage traffic distribution across multiple targets, and SSL/TLS protocols are often used to secure traffic. However, some SSL/TLS ciphers are known to be insecure and vulnerable to attacks. These insecure ciphers, if not disabled, could pose a security risk to the applications and data being transmitted through the load balancer. This SOP ensures that Elastic Load Balancers are configured to avoid using insecure SSL ciphers.

Rationale:

  • Security: Older or weaker ciphers can be vulnerable to attacks such as man-in-the-middle attacks, cipher block chaining attacks, and other cryptographic weaknesses. Using insecure ciphers can compromise the confidentiality and integrity of data transmitted over the network.

  • Compliance: Many compliance standards (e.g., PCI-DSS, HIPAA) require the use of strong encryption protocols and the disabling of insecure ciphers to protect sensitive data.

  • Best Practices: Disabling weak ciphers ensures that the Elastic Load Balancer only uses secure SSL/TLS ciphers that provide strong encryption for data in transit.

Impact:

Pros:

  • Improved Security: Disabling insecure SSL/TLS ciphers enhances the security of data transmitted over the network.

  • Compliance: Helps meet encryption requirements of various security standards, such as PCI-DSS.

  • Reduced Risk: Reduces the risk of attacks targeting weak encryption algorithms.

Cons:

  • Compatibility Issues: Some older clients or systems may not support the updated, stronger SSL/TLS ciphers, leading to potential connection issues for certain users.

  • Configuration Overhead: It requires regular monitoring and updates to ensure that insecure ciphers are not being used by new or existing load balancers.

Default Value:

By default, Elastic Load Balancers use a set of ciphers that could include insecure or weak ciphers. It is important to configure the load balancer to use only secure ciphers.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeListeners

    • elasticloadbalancing:DescribeListenerCertificates

    • elasticloadbalancing:DescribeLoadBalancers

  • AWS CLI installed and configured.

  • Elastic Load Balancer set up and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the Load Balancing section, select Load balancers.

  4. Choose the Elastic Load Balancer that you want to check.

  5. Under Listeners, select the listener associated with SSL/TLS.

  6. Click on View/edit certificates for SSL/TLS configurations.

  7. Verify that the SSL policy being used does not include insecure or deprecated ciphers, such as RC4, 3DES, SSLv3, or TLS 1.0/1.1.

  8. If insecure ciphers are being used, update the listener to use a stronger SSL policy.

Using AWS CLI:

  1. To describe the SSL/TLS cipher suites used by the Elastic Load Balancer, run the following command:

    aws elb describe-load-balancers --query 'LoadBalancerDescriptions[*].ListenerDescriptions[*].Listener.SslPolicy'

  2. Review the SSL/TLS policy and ensure that it does not include weak ciphers. For instance, TLS 1.0 or TLS 1.1 ciphers should not be used.

  3. If insecure ciphers are found, you can update the listener to use a stronger SSL policy by running:

    aws elb modify-load-balancer-listener --load-balancer-name <load-balancer-name> --load-balancer-port 443 --ssl-policy <strong-ssl-policy>

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to EC2.

  2. Under Load Balancing, select Load balancers and choose the Elastic Load Balancer to modify.

  3. Under the Listeners section, find the SSL listener (port 443).

  4. Click View/edit certificates and review the SSL policies configured.

  5. Ensure that the SSL policy does not include insecure ciphers (such as SSLv3 or TLS 1.0/1.1).

  6. If insecure ciphers are found, change the SSL policy to one that uses strong encryption ciphers (e.g., ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-2016-08).

  7. Save the changes.

Using AWS CLI:

  1. To update the SSL policy for the load balancer, run:

    aws elb modify-load-balancer-listener --load-balancer-name <load-balancer-name> --load-balancer-port 443 --ssl-policy <new-ssl-policy>

  2. Confirm that the updated SSL policy does not include insecure ciphers:

    aws elb describe-load-balancers --query 'LoadBalancerDescriptions[*].ListenerDescriptions[*].Listener.SslPolicy'

Backout Plan:

Using AWS Console:

  1. If enabling strong ciphers causes issues, sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing, select the Load Balancer, and go to the Listeners tab.

  3. Edit the SSL configuration and select a previous SSL security policy.

  4. Save the changes and verify that the application works with the previous policy.

Using AWS CLI:

  1. To revert the SSL policy to the previous one, run:

    aws elb modify-listener --load-balancer-name <LOAD_BALANCER_NAME> --listener <LISTENER_ID> --ssl-policy <PREVIOUS_SSL_POLICY>


  2. Verify that the listener is using the previous SSL policy:

    aws elb describe-listeners --load-balancer-name <LOAD_BALANCER_NAME>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.