Load balancer is using insecure TLS policy
ID | lb_use_tls
Severity | critical
Vendor | AWS
Resource | Networking
Tags | reachable
Description
A listener in an AWS Load Balancer is a process that checks for connection requests. Users can define a listener when creating a load balancer, and add listeners to the load balancer at any time.
Application Load Balancers typically use the HTTP or HTTPS protocols. The detector ignores Network and Gateway Load Balancer listeners except those configured with protocol = TLS.
An HTTPS listener enables traffic encryption between your load balancer and the clients that initiate SSL or TLS sessions. It is important to configure an appropriate security policy for HTTPS / TLS connections, such as ELBSecurityPolicy-TLS-1-2.
You can use one of the ELBSecurityPolicy-FS policies if you require Forward Secrecy (FS). You can use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers. Most modern TLS clients already support TLS v1.2 and ciphers that provide forward secrecy.
The detector reports a flaw when the listener's ssl_policy does not match one of the configured allowed policies.
For HTTP listeners, the detector checks that the default action is a redirect to HTTPS; if it is not, a flaw is also reported.
For full details on the supported security policies and which TLS versions and ciphers each policy admits, read AWS' Create an HTTPS listener for your Application Load Balancer. See also Terraform's reference for aws_lb_listener.
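The two checks described above (an allowed-policy match for HTTPS/TLS listeners, and an HTTPS redirect as the default action for HTTP listeners) are easy to reproduce as a buildtime check over a CloudFormation template. The script below is an added example, not the detector's own code: its default allowlist is a constructed one built from the policy names used on this page plus ELBSecurityPolicy-TLS13-1-2-2021-06, and the sample template it scans is constructed for illustration.

```python
"""Buildtime check mirroring the lb_use_tls rule over a CloudFormation template.

Added example, not the detector's implementation. The allowlist is a
constructed default (policy names from this page plus the TLS 1.3 policy);
replace it with the set your own baseline permits.
"""
import json

LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener"

# Constructed default allowlist; the detector's real set is configurable.
DEFAULT_ALLOWED_POLICIES = frozenset({
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-TLS-1-2-Res-2019-08",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
})


def _redirects_to_https(actions):
    """True if any default action is a redirect whose target protocol is HTTPS."""
    for action in actions or []:
        if action.get("Type") != "redirect":
            continue
        cfg = action.get("RedirectConfig") or {}
        if str(cfg.get("Protocol", "")).upper() == "HTTPS":
            return True
    return False


def check_listener(name, props, allowed=DEFAULT_ALLOWED_POLICIES):
    """Return finding strings for one listener's Properties block."""
    findings = []
    protocol = str(props.get("Protocol", "")).upper()
    if protocol in ("HTTPS", "TLS"):
        policy = props.get("SslPolicy")
        if policy is None:
            # No explicit policy: AWS's default policy applies, which the rule treats as a flaw.
            findings.append(f"{name}: {protocol} listener has no SslPolicy (AWS default applies)")
        elif policy not in allowed:
            findings.append(f"{name}: SslPolicy {policy!r} is not in the allowed set")
    elif protocol == "HTTP":
        if not _redirects_to_https(props.get("DefaultActions")):
            findings.append(f"{name}: HTTP listener does not redirect to HTTPS")
    # TCP, UDP, TCP_UDP and GENEVE listeners are ignored, as the rule states.
    return findings


def check_template(template):
    """Run check_listener over every listener resource in a parsed template."""
    findings = []
    for name, res in (template.get("Resources") or {}).items():
        if res.get("Type") == LISTENER_TYPE:
            findings.extend(check_listener(name, res.get("Properties") or {}))
    return findings


# Constructed sample template: two failing HTTPS listeners, one passing,
# one HTTP listener that redirects, one that forwards, and an ignored TCP listener.
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "HttpsNoPolicy": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"Port": 443, "Protocol": "HTTPS"}},
    "HttpsWeakPolicy": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"Port": 443, "Protocol": "HTTPS",
                     "SslPolicy": "ELBSecurityPolicy-TLS-1-1-2019-08"}},
    "HttpsStrong": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"Port": 443, "Protocol": "HTTPS",
                     "SslPolicy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"}},
    "HttpRedirect": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"Port": 80, "Protocol": "HTTP",
        "DefaultActions": [{"Type": "redirect",
          "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]}},
    "HttpForward": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"Port": 80, "Protocol": "HTTP",
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": "placeholder-tg-arn"}]}},
    "NlbTcp": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"Port": 22, "Protocol": "TCP"}}
  }
}
"""


def sample_findings():
    """Findings for the constructed sample template, in resource order."""
    return check_template(json.loads(SAMPLE_TEMPLATE))


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run against a real template with `check_template(json.load(open("template.json")))`; YAML templates need a parser that understands the `!Ref` tag before they can be fed to the same function.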
Examples
CloudFormation
{
  "Resources": {
    "ListenerHTTPSPASSED": {                                  (1)
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": {
          "Ref": "ApplicationLoadBalancer"
        },
        "Port": 443,
        "Protocol": "HTTPS",
        "Certificates": [
          {
            "CertificateArn": "test-cert"
          }
        ]
      }
    }
  }
}
(1) A missing SslPolicy means that the Load Balancer Listener is not using at least TLS v1.2.
Resources:
  ListenerHTTPS:                                              (1)
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: test-cert
(1) A missing SslPolicy means that the Load Balancer Listener is not using at least TLS v1.2.
Terraform
resource "aws_lb_listener" "tls" {
  load_balancer_arn = var.aws_lb_arn
  protocol          = "TLS"
  port              = "443"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-1-2019-08"   (1)
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
(1) This policy is deemed insecure.
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "ListenerHTTPSPASSED": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": {
          "Ref": "ApplicationLoadBalancer"
        },
        "Port": 443,
        "Protocol": "HTTPS",
        "Certificates": [
          {
            "CertificateArn": "test-cert"
          }
        ],
        "SslPolicy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"   (1)
      }
    }
  }
}
(1) SslPolicy set to ELBSecurityPolicy-TLS-1-2-Ext-2018-06 means that the Load Balancer Listener is using at least TLS v1.2.
Resources:
  ListenerHTTPS:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: test-cert
      SslPolicy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06          (1)
(1) SslPolicy set to ELBSecurityPolicy-TLS-1-2-Ext-2018-06 means that the Load Balancer Listener is using at least TLS v1.2.
Terraform
resource "aws_alb_listener" "https_tls_1_2" {
  load_balancer_arn = var.aws_lb_arn
  protocol          = "TLS"
  port              = "443"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-Res-2019-08"   // FIXED
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}