ELB Using Weak Ciphers

  • Query id: 809f77f8-d10e-4842-a84f-3be7b6ff1190
  • Query name: ELB Using Weak Ciphers
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Resources:
    MyLoadBalancer:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '80'
            InstanceProtocol: HTTP
            LoadBalancerPort: '443'
            Protocol: HTTPS
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          HealthCheck:
            Target: HTTP:80/
            HealthyThreshold: '2'
            UnhealthyThreshold: '3'
            Interval: '10'
            Timeout: '5'
          Policies:
          - PolicyName: My-SSLNegotiation-Policy
            PolicyType: SSLNegotiationPolicyType
            Attributes:
            - Name: TLS_RSA_NULL_SHA1
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
            - Name: DHE-DSS-DES-CBC3-SHA
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
          - PolicyName: My-SSLNegotiation-Policy2
            PolicyType: SSLNegotiationPolicyType
            Attributes:
            - Name: TLS_DHE_PSK_WITH_NULL_SHA256
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
Positive test num. 2 - json file
{
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Listeners": [
          {
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate"
          }
        ],
        "HealthCheck": {
          "Target": "HTTP:80/",
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3",
          "Interval": "10",
          "Timeout": "5"
        },
        "Policies": [
          {
            "PolicyName": "My-SSLNegotiation-Policy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "TLS_RSA_NULL_SHA1",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              },
              {
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01",
                "Name": "DHE-DSS-DES-CBC3-SHA"
              }
            ]
          },
          {
            "PolicyName": "My-SSLNegotiation-Policy2",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "TLS_DHE_PSK_WITH_NULL_SHA256",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ]
          }
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
    MyLoadBalancer:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '80'
            InstanceProtocol: HTTP
            LoadBalancerPort: '443'
            Protocol: HTTPS
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          HealthCheck:
            Target: HTTP:80/
            HealthyThreshold: '2'
            UnhealthyThreshold: '3'
            Interval: '10'
            Timeout: '5'
          Policies:
          - PolicyName: My-SSLNegotiation-Policy
            PolicyType: SSLNegotiationPolicyType
            Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
Negative test num. 2 - json file
{
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Listeners": [
          {
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ]
          }
        ],
        "HealthCheck": {
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3",
          "Interval": "10",
          "Timeout": "5",
          "Target": "HTTP:80/"
        },
        "Policies": [
          {
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ],
            "PolicyName": "My-SSLNegotiation-Policy"
          }
        ]
      }
    }
  }
}