Skip to main content

More Info:

Elastic Load Balancers should be using the latest AWS predefined security policies.

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF, PCIDSS

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration “ELBs Must Use Latest AWS Security Policies” for AWS, you can follow the below steps using the AWS Console:
  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 service and select “Load Balancers” from the left-hand menu.
  3. Select the ELB that needs to be remediated.
  4. Click on the “Listeners” tab.
  5. Check if the “HTTPS” protocol is being used. If it is, then click on the “Edit” button next to the listener.
  6. Under “Security Policy”, select the latest security policy from the drop-down list.
  7. Click on the “Save” button to apply the changes.
By following these steps, you will remediate the misconfiguration “ELBs Must Use Latest AWS Security Policies” for AWS using the AWS console.

To remediate the misconfiguration “ELBs Must Use Latest AWS Security Policies” for AWS using AWS CLI, follow the below steps:
  1. Check the current security policy of the ELB using the following command:
aws elb describe-load-balancers --load-balancer-names <ELB_Name> --query "LoadBalancerDescriptions[].PolicyNames[]"
  1. Check the latest security policy available using the following command:
aws elb describe-load-balancer-policies --policy-names AWSConsole-SSLNegotiationPolicy-2016-08
  1. Create a new policy using the latest security policy available using the following command:
aws elb create-load-balancer-policy --load-balancer-name <ELB_Name> --policy-name AWSConsole-SSLNegotiationPolicy-2016-08 --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-TLS-1-2-2017-01
  1. Apply the newly created policy to the ELB using the following command:
aws elb set-load-balancer-policies-for-backend-server --load-balancer-name <ELB_Name> --instance-port 443 --policy-names AWSConsole-SSLNegotiationPolicy-2016-08
  1. Verify that the new policy is applied to the ELB using the following command:
aws elb describe-load-balancers --load-balancer-names <ELB_Name> --query "LoadBalancerDescriptions[].PolicyNames[]"
After following these steps, the ELB will be using the latest AWS security policies.
To remediate the ELBs Must Use Latest AWS Security Policies misconfiguration for AWS using Python, you can follow these steps:
  1. First, make sure you have the AWS SDK for Python (Boto3) installed and configured on your local machine.
  2. Next, you need to identify the ELBs that are not using the latest AWS security policies. You can do this by using the describe_load_balancers method of the boto3.client('elbv2') object. This method returns a list of all the load balancers in your account.
  3. For each load balancer, you need to check if it is using the latest AWS security policy. You can do this by using the describe_load_balancer_attributes method of the boto3.client('elbv2') object. This method returns a dictionary of the load balancer attributes.
  4. Check if the load balancer is using the latest security policy by looking for the ssl_policy attribute in the dictionary. If the value of this attribute is not ELBSecurityPolicy-2016-08, then the load balancer is not using the latest security policy.
  5. To update the load balancer to use the latest security policy, you can use the modify_load_balancer_attributes method of the boto3.client('elbv2') object. You need to set the ssl_policy attribute to ELBSecurityPolicy-2016-08.
Here’s the Python code to remediate the ELBs Must Use Latest AWS Security Policies misconfiguration:
import boto3

# create an ELB client object
elbv2 = boto3.client('elbv2')

# get a list of all the load balancers in your account
load_balancers = elbv2.describe_load_balancers()

# iterate through each load balancer
for lb in load_balancers['LoadBalancers']:
    # get the load balancer attributes
    lb_attributes = elbv2.describe_load_balancer_attributes(LoadBalancerArn=lb['LoadBalancerArn'])
    
    # check if the load balancer is using the latest security policy
    if lb_attributes['Attributes']['SslPolicy'] != 'ELBSecurityPolicy-2016-08':
        # update the load balancer to use the latest security policy
        elbv2.modify_load_balancer_attributes(
            LoadBalancerArn=lb['LoadBalancerArn'],
            Attributes=[
                {
                    'Key': 'ssl_policy',
                    'Value': 'ELBSecurityPolicy-2016-08'
                },
            ]
        )
Note: This code only updates the ELBs that are not using the latest AWS security policies. If all your ELBs are already using the latest security policy, then this code will not make any changes.

Additional Reading:

I