Load balancer is using insecure TLS policy

ID: lb_use_tls

Severity: critical

Vendor: AWS

Resource: Networking

Tags: reachable

Description

A listener in an AWS Load Balancer is a process that checks for connection requests. Users can define a listener when creating a load balancer, and add listeners to the load balancer at any time.

Application load balancers typically use HTTP or HTTPS listeners. The detector ignores listeners on Network and Gateway Load Balancers except those configured with protocol = TLS.

An HTTPS listener enables traffic encryption between your load balancer and the clients that initiate SSL or TLS sessions. It is important to configure an appropriate security policy for HTTPS / TLS connections, like ELBSecurityPolicy-TLS-1-2.

You can use one of the ELBSecurityPolicy-FS policies if you require Forward Secrecy (FS). You can use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers. Most modern TLS clients already support TLS v1.2 and ciphers supporting forward secrecy.

The detector reports a flaw when the listener's ssl_policy is missing or does not match one of the configured allowed policies.

For HTTP listeners, the detector checks that the default action is a redirect to HTTPS. If not, a flaw is also reported.

For full details on the supported security policies and which TLS versions and ciphers each policy admits, read AWS' Create an HTTPS listener for your Application Load Balancer. See also Terraform's reference for aws_lb_listener.
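The two checks described above (an allowed ssl_policy on HTTPS/TLS listeners, and an HTTPS redirect as the default action on HTTP listeners), worked through as an added Python example against a parsed CloudFormation template. This is not the detector's own code: the allow-list of policies, the sample resource names and the "tg" ARN are assumptions constructed for the example.

```python
LISTENER = "AWS::ElasticLoadBalancingV2::Listener"
# Assumed allow-list for this example (minimum protocol TLS 1.2); the detector's
# real configured list is not given on the page.
ALLOWED_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-TLS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10",
}

def check_listener(name, props):
    """Return (resource name, reason) findings for one listener's Properties."""
    protocol = str(props.get("Protocol", "")).upper()
    if protocol in ("HTTPS", "TLS"):
        # Encrypted listener: SslPolicy must be present and on the allow-list.
        policy = props.get("SslPolicy")
        if policy is None:
            return [(name, "SslPolicy missing; at least TLS v1.2 is not enforced")]
        if policy not in ALLOWED_SSL_POLICIES:
            return [(name, f"insecure SslPolicy {policy}")]
    elif protocol == "HTTP":
        # Plaintext listener: the default action must redirect to HTTPS.
        redirects = any(
            a.get("Type") == "redirect"
            and str(a.get("RedirectConfig", {}).get("Protocol", "")).upper() == "HTTPS"
            for a in props.get("DefaultActions", [])
        )
        if not redirects:
            return [(name, "HTTP listener default action is not a redirect to HTTPS")]
    return []

def check_template(template):
    """Apply check_listener to every listener resource in a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == LISTENER:
            findings.extend(check_listener(name, res.get("Properties", {})))
    return findings

# Constructed sample template (not from the page); "tg" is a placeholder ARN.
SAMPLE_TEMPLATE = {"Resources": {
    "NoPolicy": {"Type": LISTENER, "Properties": {"Port": 443, "Protocol": "HTTPS"}},
    "OldPolicy": {"Type": LISTENER, "Properties": {"Port": 443, "Protocol": "TLS",
                  "SslPolicy": "ELBSecurityPolicy-TLS-1-1-2019-08"}},
    "Good": {"Type": LISTENER, "Properties": {"Port": 443, "Protocol": "HTTPS",
             "SslPolicy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"}},
    "HttpForward": {"Type": LISTENER, "Properties": {"Port": 80, "Protocol": "HTTP",
                    "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg"}]}},
    "HttpRedirect": {"Type": LISTENER, "Properties": {"Port": 80, "Protocol": "HTTP",
                     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
                         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]}},
}}
```

Running check_template(SAMPLE_TEMPLATE) flags NoPolicy, OldPolicy and HttpForward and passes the other two listeners.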

Examples

CloudFormation

{
  "Resources": {
    "ListenerHTTPSPASSED": { (1)
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": {
          "Ref": "ApplicationLoadBalancer"
        },
        "Port": 443,
        "Protocol": "HTTPS",
        "Certificates": [
          {
            "CertificateArn": "test-cert"
          }
        ]
      }
    }
  }
}
1 A missing SslPolicy means that the Load Balancer Listener is not using at least TLS v1.2.

Resources:
  ListenerHTTPS: (1)
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: test-cert
1 A missing SslPolicy means that the Load Balancer Listener is not using at least TLS v1.2.

Terraform

resource "aws_lb_listener" "tls" {
  load_balancer_arn = var.aws_lb_arn
  protocol          = "TLS"
  port              = "443"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-1-2019-08" (1)
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}
1 This policy is deemed insecure.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "ListenerHTTPSPASSED": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": {
          "Ref": "ApplicationLoadBalancer"
        },
        "Port": 443,
        "Protocol": "HTTPS",
        "Certificates": [
          {
            "CertificateArn": "test-cert"
          }
        ],
        "SslPolicy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" (1)
      }
    }
  }
}
1 SslPolicy set to ELBSecurityPolicy-TLS-1-2-Ext-2018-06 means that the Load Balancer Listener is using at least TLS v1.2.

Resources:
  ListenerHTTPS:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: test-cert
      SslPolicy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06 (1)
1 SslPolicy set to ELBSecurityPolicy-TLS-1-2-Ext-2018-06 means that the Load Balancer Listener is using at least TLS v1.2.

Terraform

resource "aws_alb_listener" "https_tls_1_2" {
  load_balancer_arn = var.aws_lb_arn
  protocol          = "TLS"
  port              = "443"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-Res-2019-08" // FIXED
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = var.aws_lb_target_group_arn
  }
}