ELB Using Weak Ciphers

  • Query id: a507daa5-0795-4380-960b-dd7bb7c56661
  • Query name: ELB Using Weak Ciphers
  • Platform: Crossplane
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Listener
metadata:
  name: test-listener
spec:
  forProvider:
    region: us-east-1
    defaultActions:
      - actionType: forward
        forwardConfig:
          targetGroups:
            - targetGroupArnRef:
                name: test-targetgroup
    loadBalancerArnRef:
      name: test-loadbalancer
    port: 80
    protocol: HTTP
    sslPolicy: TLS_NULL_WITH_NULL_NULL
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: elbv2.aws.crossplane.io/v1alpha1
        kind: Listener
        metadata:
          name: test-listener2
        spec:
          forProvider:
            region: us-east-1
            defaultActions:
              - actionType: forward
                forwardConfig:
                  targetGroups:
                    - targetGroupArnRef:
                        name: test-targetgroup
            loadBalancerArnRef:
              name: test-loadbalancer
            port: 80
            protocol: HTTP
            sslPolicy: TLS_NULL_WITH_NULL_NULL
          providerConfigRef:
            name: example

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Listener
metadata:
  name: test-listener
spec:
  forProvider:
    region: us-east-1
    defaultActions:
      - actionType: forward
        forwardConfig:
          targetGroups:
            - targetGroupArnRef:
                name: test-targetgroup
    loadBalancerArnRef:
      name: test-loadbalancer
    port: 80
    protocol: HTTP
    sslPolicy: ELBSecurityPolicy-2015-05
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: elbv2.aws.crossplane.io/v1alpha1
        kind: Listener
        metadata:
          name: test-listener2
        spec:
          forProvider:
            region: us-east-1
            defaultActions:
              - actionType: forward
                forwardConfig:
                  targetGroups:
                    - targetGroupArnRef:
                        name: test-targetgroup
            loadBalancerArnRef:
              name: test-loadbalancer
            port: 80
            protocol: HTTP
            sslPolicy: ELBSecurityPolicy-2015-05
          providerConfigRef:
            name: example