Skip to main content

More Info:

Your app-tier Elastic Load Balancers (ELBs) listeners should be using the latest AWS security policy for their SSL negotiation configuration.

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration “Latest AWS Security Policy for SSL Negotiations Should Be Used For App-Tier ELBs” in AWS using the AWS console, follow these steps:
  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. Click on the “Load Balancers” link in the left-hand navigation menu.
  4. Select the App-Tier ELB that needs remediation.
  5. Click on the “Listeners” tab.
  6. Select the HTTPS listener that needs remediation.
  7. Click on the “Edit” button.
  8. In the “Edit Listener” dialog box, select the latest AWS Security Policy from the “Security policy” drop-down menu.
  9. Click the “Save” button to save the changes.
Once the above steps are completed, the App-Tier ELB will be configured to use the latest AWS Security Policy for SSL negotiations.

To remediate the misconfiguration of using the latest AWS Security Policy for SSL negotiations for App-Tier ELBs in AWS using AWS CLI, follow these steps:
  1. Open your AWS CLI on your local machine or EC2 instance.
  2. Run the following command to get the current SSL policy for your App-Tier ELB: 
    aws elb describe-load-balancers --load-balancer-name <your-ELB-name> --query "LoadBalancerDescriptions[].ListenerDescriptions[].PolicyNames[]"
    Replace <your-ELB-name> with the name of your App-Tier ELB.
  3. If the output includes any SSL policies other than the latest AWS Security Policy, you need to update the SSL policy. Run the following command to update the SSL policy for your App-Tier ELB: 
    aws elb set-load-balancer-policies-of-listener --load-balancer-name <your-ELB-name> --load-balancer-port 443 --policy-names ELBSecurityPolicy-2016-08
    Replace <your-ELB-name> with the name of your App-Tier ELB.
  4. Verify that the SSL policy has been updated by running the command in step 2 again.
  5. Repeat steps 2-4 for all App-Tier ELBs in your AWS environment.
By following these steps, you can remediate the misconfiguration of using the latest AWS Security Policy for SSL negotiations for App-Tier ELBs in AWS using AWS CLI.
To remediate the misconfiguration “Latest AWS Security Policy for SSL Negotiations Should Be Used For App-Tier ELBs” in AWS using Python, follow the steps below:
  1. Import the necessary AWS libraries and modules:
import boto3
from botocore.exceptions import ClientError
  1. Create an ELB client object:
elb_client = boto3.client('elbv2')
  1. Get a list of all the existing load balancers:
response = elb_client.describe_load_balancers()
load_balancers = response['LoadBalancers']
  1. Loop through the list of load balancers and check if they are application tier ELBs:
for lb in load_balancers:
    if lb['Type'] == 'application':
        # Do something
  1. Once you have identified the application tier ELBs, update their SSL policy to use the latest AWS security policy:
try:
    response = elb_client.set_security_groups(
        LoadBalancerArn=lb['LoadBalancerArn'],
        SecurityGroups=[
            'security_group_id'
        ]
    )
except ClientError as e:
    print(e)
  1. Replace 'security_group_id' with the ID of the security group that you want to associate with the ELB.
  2. Finally, run the Python script to remediate the misconfiguration.

Additional Reading:

I