Skip to main content

More Info:

Your web-tier Elastic Load Balancers (ELBs) listeners should be using the latest AWS security policy for their SSL negotiation configuration

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, GDPR, NIST, AWSWAF

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the misconfiguration “Latest AWS Security Policy for SSL Negotiations Should Be Used For Web-Tier ELBs” for AWS using the AWS console, follow the below steps:
  1. Log in to your AWS console and navigate to the EC2 dashboard.
  2. Click on the “Load Balancers” option from the left-hand menu.
  3. Select the web-tier ELB that you want to remediate and click on it.
  4. Click on the “Listeners” tab and select the listener that is using SSL.
  5. In the “SSL Certificate” section, select “Change” and choose the “AWS Managed Certificate” option.
  6. Choose the latest AWS security policy for SSL negotiations from the dropdown menu and click on “Save”.
After following these steps, your web-tier ELB will be configured to use the latest AWS security policy for SSL negotiations. This will ensure that your SSL connections are secure and protected against potential threats.

To remediate this issue for AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to get the load balancer security policy names: 
aws elb describe-load-balancer-policies --load-balancer-name <ELB_NAME>
Replace <ELB_NAME> with the name of your load balancer.
  1. Identify the security policy that is currently in use for the load balancer. The security policy should be named ELBSecurityPolicy-2016-08 or later.
  2. If the load balancer is using an older security policy, run the following command to update it: 
aws elb set-load-balancer-policies-for-backend-server --load-balancer-name <ELB_NAME> --policy-names <NEW_POLICY_NAME>
Replace <ELB_NAME> with the name of your load balancer and <NEW_POLICY_NAME> with the name of the latest AWS security policy. The latest security policy name can be found in the AWS documentation.
  1. Verify that the new security policy is in use by running the following command:
aws elb describe-load-balancer-attributes --load-balancer-name <ELB_NAME>
Replace <ELB_NAME> with the name of your load balancer. The command should return a JSON object that includes the new security policy name.
  1. Once you have verified that the new security policy is in use, you have successfully remediated the misconfiguration.
To remediate the misconfiguration “Latest AWS Security Policy for SSL Negotiations Should Be Used For Web-Tier ELBs” in AWS using Python, you can follow the below steps:
  1. Import the required libraries:
import boto3
  1. Create a boto3 client for Elastic Load Balancing:
elb_client = boto3.client('elbv2')
  1. Get a list of all the load balancers:
load_balancers = elb_client.describe_load_balancers()
  1. Loop through each load balancer and check if it is a web-tier ELB:
for load_balancer in load_balancers['LoadBalancers']:
    if 'web' in load_balancer['LoadBalancerName']:
  1. If the load balancer is a web-tier ELB, update its SSL policy:
elb_client.modify_load_balancer_attributes(
    LoadBalancerArn=load_balancer['LoadBalancerArn'],
    Attributes=[
        {
            'Key': 'ssl_policy',
            'Value': 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06'
        },
    ]
)
  1. The SSL policy ELBSecurityPolicy-TLS-1-2-Ext-2018-06 is the latest AWS security policy for SSL negotiations. You can modify the code to use a different SSL policy if required.
  2. Finally, you can add this code to a script and run it periodically to ensure that all web-tier ELBs are using the latest AWS security policy for SSL negotiations.

Additional Reading:

I