ELB Without Secure Protocol

Query id: 80908a75-586b-4c61-ab04-490f4f4525b8
Query name: ELB Without Secure Protocol
Platform: CloudFormation
Severity: Medium
Category: Encryption
URL: Github

Description¶

Check if the ELB is setup with SSL or HTTPS for secure communication
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

< Re

Positive test num. 2 - json file

/span>

#this is a problematic code where the query should report a result(s) sources: MyLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-2a" CrossZone: true Listeners: - InstancePort: '80' class="w">            InstanceProtocol: HTTP LoadBalancerPort: '443' class="w">            Protocol: HTTP PolicyNames: - My-SSLNegotiation-Policy SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate HealthCheck: Target: HTTP:80/ HealthyThreshold: '2' UnhealthyThreshold: '3' Interval: '10' Timeout: '5' Policies: - PolicyName: My-SSLNegotiation-Policy PolicyType: SSLNegotiationPolicyType Attributes: - Name: Reference-Security-Policy Value: ELBSecurityPolicy-TLS-1-2-2017-01 /span>{ "Resources": { "MyLoadBalancer": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { "Listeners": [ { "InstancePort": "80", class="w">            "InstanceProtocol": "HTTP", "LoadBalancerPort": "443", class="w">            "Protocol": "HTTP", "PolicyNames": [ "My-SSLNegotiation-Policy" ], "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate" } ], "HealthCheck": { "Target": "HTTP:80/", "HealthyThreshold": "2", "UnhealthyThreshold": "3", "Interval": "10", "Timeout": "5" }, "Policies": [ { "PolicyName": "My-SSLNegotiation-Policy", "PolicyType": "SSLNegotiationPolicyType", "Attributes": [ { "Name": "Reference-Security-Policy", "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" } ] } ], "AvailabilityZones": [ "us-east-2a" ], "CrossZone": true } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file#this code is a correct code for which the query should not find any result
Resources:
    MyLoadBalancer1:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '80'
            InstanceProtocol: HTTPS
            LoadBalancerPort: '443'
            Protocol: HTTPS
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          HealthCheck:
            Target: HTTP:80/
            HealthyThreshold: '2'
            UnhealthyThreshold: '3'
            Interval: '10'
            Timeout: '5'
          Policies:
          - PolicyName: My-SSLNegotiation-Policy
            PolicyType: SSLNegotiationPolicyType
            Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01

Negative test num. 2 - json file{
  "Resources": {
    "MyLoadBalancer1": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "CrossZone": true,
        "Listeners": [
          {
            "InstancePort": "80",
            "InstanceProtocol": "HTTPS",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate"
          }
        ],
        "HealthCheck": {
          "Interval": "10",
          "Timeout": "5",
          "Target": "HTTP:80/",
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3"
        },
        "Policies": [
          {
            "PolicyName": "My-SSLNegotiation-Policy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ]
          }
        ],
        "AvailabilityZones": [
          "us-east-2a"
        ]
      }
    }
  }
}

Negative test num. 3 - yaml file#this code is a correct code for which the query should not find any result
Resources:
    MyLoadBalancer2:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '9443'
            InstanceProtocol: SSL
            LoadBalancerPort: '443'
            Protocol: SSL
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          Policies:
          - PolicyName: My-SSLNegotiation-Policy
            PolicyType: SSLNegotiationPolicyType
            Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01

Negative test num. 4 - json file

{
  "Resources": {
    "MyLoadBalancer2": {
      "Properties": {
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Listeners": [
          {
            "InstancePort": "9443",
            "InstanceProtocol": "SSL",
            "LoadBalancerPort": "443",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "Protocol": "SSL",
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate"
          }
        ],
        "Policies": [
          {
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ],
            "PolicyName": "My-SSLNegotiation-Policy",
            "PolicyType": "SSLNegotiationPolicyType"
          }
        ]
      },
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer"
    }
  }
}