ELB Using Weak Ciphers
- Query id: 809f77f8-d10e-4842-a84f-3be7b6ff1190
- Query name: ELB Using Weak Ciphers
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description¶
ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Resources:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTP
LoadBalancerPort: '443'
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '2'
UnhealthyThreshold: '3'
Interval: '10'
Timeout: '5'
Policies:
- PolicyName: My-SSLNegotiation-Policy
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: TLS_RSA_NULL_SHA1
Value: ELBSecurityPolicy-TLS-1-2-2017-01
- Name: DHE-DSS-DES-CBC3-SHA
Value: ELBSecurityPolicy-TLS-1-2-2017-01
- PolicyName: My-SSLNegotiation-Policy2
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: TLS_DHE_PSK_WITH_NULL_SHA256
Value: ELBSecurityPolicy-TLS-1-2-2017-01
Positive test num. 2 - json file
{
"Resources": {
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": [
"us-east-2a"
],
"CrossZone": true,
"Listeners": [
{
"InstancePort": "80",
"InstanceProtocol": "HTTP",
"LoadBalancerPort": "443",
"Protocol": "HTTPS",
"PolicyNames": [
"My-SSLNegotiation-Policy"
],
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate"
}
],
"HealthCheck": {
"Target": "HTTP:80/",
"HealthyThreshold": "2",
"UnhealthyThreshold": "3",
"Interval": "10",
"Timeout": "5"
},
"Policies": [
{
"PolicyName": "My-SSLNegotiation-Policy",
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{
"Name": "TLS_RSA_NULL_SHA1",
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
},
{
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01",
"Name": "DHE-DSS-DES-CBC3-SHA"
}
]
},
{
"PolicyName": "My-SSLNegotiation-Policy2",
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{
"Name": "TLS_DHE_PSK_WITH_NULL_SHA256",
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
}
]
}
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTP
LoadBalancerPort: '443'
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '2'
UnhealthyThreshold: '3'
Interval: '10'
Timeout: '5'
Policies:
- PolicyName: My-SSLNegotiation-Policy
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: Reference-Security-Policy
Value: ELBSecurityPolicy-TLS-1-2-2017-01
Negative test num. 2 - json file
{
"Resources": {
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": [
"us-east-2a"
],
"CrossZone": true,
"Listeners": [
{
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80",
"InstanceProtocol": "HTTP",
"LoadBalancerPort": "443",
"Protocol": "HTTPS",
"PolicyNames": [
"My-SSLNegotiation-Policy"
]
}
],
"HealthCheck": {
"HealthyThreshold": "2",
"UnhealthyThreshold": "3",
"Interval": "10",
"Timeout": "5",
"Target": "HTTP:80/"
},
"Policies": [
{
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{
"Name": "Reference-Security-Policy",
"Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
}
],
"PolicyName": "My-SSLNegotiation-Policy"
}
]
}
}
}
}