Latest AWS Security Policy for SSL Negotiations Should Be Used For App-Tier ELBs

More Info:

Your app-tier Elastic Load Balancers (ELBs) listeners should be using the latest AWS security policy for their SSL negotiation configuration.

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of using the latest AWS Security Policy for SSL negotiations for App-Tier ELBs in AWS using AWS CLI, follow these steps:

Open your AWS CLI on your local machine or EC2 instance.
Run the following command to get the current SSL policy for your App-Tier ELB:
```
aws elb describe-load-balancers --load-balancer-name <your-ELB-name> --query "LoadBalancerDescriptions[].ListenerDescriptions[].PolicyNames[]"
```
Replace <your-ELB-name> with the name of your App-Tier ELB.
If the output includes any SSL policies other than the latest AWS Security Policy, you need to update the SSL policy. Run the following command to update the SSL policy for your App-Tier ELB:
```
aws elb set-load-balancer-policies-of-listener --load-balancer-name <your-ELB-name> --load-balancer-port 443 --policy-names ELBSecurityPolicy-2016-08
```
Replace <your-ELB-name> with the name of your App-Tier ELB.
Verify that the SSL policy has been updated by running the command in step 2 again.
Repeat steps 2-4 for all App-Tier ELBs in your AWS environment.

By following these steps, you can remediate the misconfiguration of using the latest AWS Security Policy for SSL negotiations for App-Tier ELBs in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Latest AWS Security Policy for SSL Negotiations Should Be Used For App-Tier ELBs” in AWS using Python, follow the steps below:

Import the necessary AWS libraries and modules:

import boto3
from botocore.exceptions import ClientError

Create an ELB client object:

elb_client = boto3.client('elbv2')

Get a list of all the existing load balancers:

response = elb_client.describe_load_balancers()
load_balancers = response['LoadBalancers']

Loop through the list of load balancers and check if they are application tier ELBs:

for lb in load_balancers:
    if lb['Type'] == 'application':
        # Do something

Once you have identified the application tier ELBs, update their SSL policy to use the latest AWS security policy:

try:
    response = elb_client.set_security_groups(
        LoadBalancerArn=lb['LoadBalancerArn'],
        SecurityGroups=[
            'security_group_id'
        ]
    )
except ClientError as e:
    print(e)

Replace 'security_group_id' with the ID of the security group that you want to associate with the ELB.
Finally, run the Python script to remediate the misconfiguration.

Additional Reading:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Latest AWS Security Policy for SSL Negotiations Should Be Used For App-Tier ELBs

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: