ELB Using Insecure Protocols
- Query id: 61a94903-3cd3-4780-88ec-fc918819b9c8
- Query name: ELB Using Insecure Protocols
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description¶
ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Resources:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTP
LoadBalancerPort: '443'
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '2'
UnhealthyThreshold: '3'
Interval: '10'
Timeout: '5'
Policies:
- PolicyName: My-SSLNegotiation-Policy
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: Protocol-SSLv2
Value: ELBSecurityPolicy-TLS-1-2-2017-01
- Name: Reference-Security-Policy
Value: ELBSecurityPolicy-TLS-1-2-2017-01
- PolicyName: My-SSLNegotiation-Policy2
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: Protocol-TLSv1
Value: ELBSecurityPolicy-TLS-1-2-2017-01
Positive test num. 2 - json file
{
"Resources": {
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": [
"us-east-2a"
],
"CrossZone": true,
"Listeners": [
{
"InstanceProtocol": "HTTP",
"LoadBalancerPort": "443",
"Protocol": "HTTPS",
"PolicyNames": [
"My-SSLNegotiation-Policy"
],
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80"
}
],
"HealthCheck": {
"HealthyThreshold": "2",
"UnhealthyThreshold": "3",
"Interval": "10",
"Timeout": "5",
"Target": "HTTP:80/"
},
"Policies": [
{
"PolicyName": "My-SSLNegotiation-Policy",
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{
"Name": "Protocol-SSLv2",
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
},
{
"Name": "Reference-Security-Policy",
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
}
]
},
{
"PolicyName": "My-SSLNegotiation-Policy2",
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01",
"Name": "Protocol-TLSv1"
}
]
}
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTP
LoadBalancerPort: '443'
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '2'
UnhealthyThreshold: '3'
Interval: '10'
Timeout: '5'
Policies:
- PolicyName: My-SSLNegotiation-Policy
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: Reference-Security-Policy
Value: ELBSecurityPolicy-TLS-1-2-2017-01
Negative test num. 2 - json file
{
"Resources": {
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"HealthCheck": {
"Interval": "10",
"Timeout": "5",
"Target": "HTTP:80/",
"HealthyThreshold": "2",
"UnhealthyThreshold": "3"
},
"Policies": [
{
"PolicyName": "My-SSLNegotiation-Policy",
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{
"Name": "Reference-Security-Policy",
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
}
]
}
],
"AvailabilityZones": [
"us-east-2a"
],
"CrossZone": true,
"Listeners": [
{
"PolicyNames": [
"My-SSLNegotiation-Policy"
],
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80",
"InstanceProtocol": "HTTP",
"LoadBalancerPort": "443",
"Protocol": "HTTPS"
}
]
}
}
}
}