ELBs Must Use Latest AWS Security Policies

More Info:

Elastic Load Balancers should be using the latest AWS predefined security policies.

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “ELBs Must Use Latest AWS Security Policies” for AWS using AWS CLI, follow the below steps:

Check the current security policy of the ELB using the following command:

aws elb describe-load-balancers --load-balancer-names <ELB_Name> --query "LoadBalancerDescriptions[].PolicyNames[]"

Check the latest security policy available using the following command:

aws elb describe-load-balancer-policies --policy-names AWSConsole-SSLNegotiationPolicy-2016-08

Create a new policy using the latest security policy available using the following command:

aws elb create-load-balancer-policy --load-balancer-name <ELB_Name> --policy-name AWSConsole-SSLNegotiationPolicy-2016-08 --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-TLS-1-2-2017-01

Apply the newly created policy to the ELB using the following command:

aws elb set-load-balancer-policies-for-backend-server --load-balancer-name <ELB_Name> --instance-port 443 --policy-names AWSConsole-SSLNegotiationPolicy-2016-08

Verify that the new policy is applied to the ELB using the following command:

aws elb describe-load-balancers --load-balancer-names <ELB_Name> --query "LoadBalancerDescriptions[].PolicyNames[]"

After following these steps, the ELB will be using the latest AWS security policies.

Using Python

To remediate the ELBs Must Use Latest AWS Security Policies misconfiguration for AWS using Python, you can follow these steps:

First, make sure you have the AWS SDK for Python (Boto3) installed and configured on your local machine.
Next, you need to identify the ELBs that are not using the latest AWS security policies. You can do this by using the describe_load_balancers method of the boto3.client('elbv2') object. This method returns a list of all the load balancers in your account.
For each load balancer, you need to check if it is using the latest AWS security policy. You can do this by using the describe_load_balancer_attributes method of the boto3.client('elbv2') object. This method returns a dictionary of the load balancer attributes.
Check if the load balancer is using the latest security policy by looking for the ssl_policy attribute in the dictionary. If the value of this attribute is not ELBSecurityPolicy-2016-08, then the load balancer is not using the latest security policy.
To update the load balancer to use the latest security policy, you can use the modify_load_balancer_attributes method of the boto3.client('elbv2') object. You need to set the ssl_policy attribute to ELBSecurityPolicy-2016-08.

Here’s the Python code to remediate the ELBs Must Use Latest AWS Security Policies misconfiguration:

import boto3

# create an ELB client object
elbv2 = boto3.client('elbv2')

# get a list of all the load balancers in your account
load_balancers = elbv2.describe_load_balancers()

# iterate through each load balancer
for lb in load_balancers['LoadBalancers']:
    # get the load balancer attributes
    lb_attributes = elbv2.describe_load_balancer_attributes(LoadBalancerArn=lb['LoadBalancerArn'])
    
    # check if the load balancer is using the latest security policy
    if lb_attributes['Attributes']['SslPolicy'] != 'ELBSecurityPolicy-2016-08':
        # update the load balancer to use the latest security policy
        elbv2.modify_load_balancer_attributes(
            LoadBalancerArn=lb['LoadBalancerArn'],
            Attributes=[
                {
                    'Key': 'ssl_policy',
                    'Value': 'ELBSecurityPolicy-2016-08'
                },
            ]
        )

Note: This code only updates the ELBs that are not using the latest AWS security policies. If all your ELBs are already using the latest security policy, then this code will not make any changes.

Additional Reading:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

ELBs Must Use Latest AWS Security Policies

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: