Skip to main content

More Info:

Your Amazon ALBs should be using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF, HIPAA, GDPR, NIST

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of ALBs not having latest SSL/TLS configurations in AWS:
  1. Login to your AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. Click on the “Load Balancers” option under the “LOAD BALANCING” section in the left-hand menu.
  4. Select the ALB that you want to remediate and click on its name to open its configuration page.
  5. Click on the “Listeners” tab in the ALB configuration page.
  6. Click on the “Edit” button next to the listener that you want to update the SSL/TLS configuration for.
  7. In the “Edit Listener” dialog box, select the “HTTPS” protocol.
  8. Under the “SSL/TLS certificates” section, select the certificate that you want to use for the listener.
  9. Under the “Security policy” section, select the latest SSL/TLS policy that is available in the drop-down list.
  10. Click on the “Save” button to save the changes.
After following these steps, your ALB will have the latest SSL/TLS configurations.

To remediate this misconfiguration for AWS using AWS CLI, you can follow the below steps:
  1. Check the current SSL/TLS configuration of your Application Load Balancer (ALB) using the following AWS CLI command:
aws elbv2 describe-load-balancers --load-balancer-arns <your-alb-arn> --query "LoadBalancers[].{Name:LoadBalancerName, Scheme:Scheme, SecurityGroups:SecurityGroups, SSLPolicy:SSLPolicy}"
Note: Replace <your-alb-arn> with the ARN of your ALB.
  1. Identify the latest SSL/TLS configuration that you want to apply to your ALB. You can refer to the AWS documentation to find the latest SSL/TLS configurations supported by ALBs.
  2. Update the SSL/TLS configuration of your ALB using the following AWS CLI command: 
aws elbv2 modify-listener --listener-arn <your-listener-arn> --ssl-policy <your-ssl-policy>
Note: Replace <your-listener-arn> with the ARN of your listener and <your-ssl-policy> with the name of the SSL/TLS policy that you want to apply.
  1. Verify the SSL/TLS configuration of your ALB using the following AWS CLI command:
aws elbv2 describe-listeners --listener-arns <your-listener-arn> --query "Listeners[].{Protocol:Protocol, Port:Port, SSLPolicy:SSLPolicy}"
Note: Replace <your-listener-arn> with the ARN of your listener.
  1. Repeat steps 1-4 for all your ALBs to ensure that they have the latest SSL/TLS configurations.
Note: Make sure to test your application after updating the SSL/TLS configuration of your ALB to ensure that it is working as expected.
To remediate the misconfiguration of ALBs not having the latest SSL/TLS configurations in AWS using Python, you can follow the below steps:
  1. Install the required Python libraries: boto3 and botocore. You can install them using the following command:
pip install boto3 botocore
  1. Create a boto3 client for AWS Application Load Balancer (ALB) using the following code:
import boto3

elbv2 = boto3.client('elbv2')
  1. Get the list of all the existing ALBs using the following code:
response = elbv2.describe_load_balancers()
load_balancers = response['LoadBalancers']
  1. Loop through all the ALBs and check if they are using the latest SSL/TLS configurations. You can use the following code to check if the ALB is using the latest SSL/TLS configurations:
for lb in load_balancers:
    arn = lb['LoadBalancerArn']
    response = elbv2.describe_listeners(LoadBalancerArn=arn)
    listeners = response['Listeners']
    for listener in listeners:
        if listener['Protocol'] == 'HTTPS':
            ssl_policy = listener.get('SslPolicy')
            if ssl_policy != 'ELBSecurityPolicy-TLS-1-2-2017-01':
                # Update the SSL/TLS configuration
                elbv2.modify_listener(
                    ListenerArn=listener['ListenerArn'],
                    SslPolicy='ELBSecurityPolicy-TLS-1-2-2017-01'
                )
  1. The above code will update the SSL/TLS configuration of the ALB to the latest one if it is not already using it.
  2. You can schedule this Python script to run periodically to ensure that all the ALBs are using the latest SSL/TLS configurations.

Additional Reading: