More Info:
Insecure ciphers on ELBs should be checked. Various security vulnerabilities have rendered several ciphers insecure. Only the recommended ciphers should be used.
Risk Level
Low
Address
Security
Compliance Standards
AWSWAF
Triage and Remediation
Remediation
Using Console
To remediate ELBs that have insecure ciphers in AWS, follow the steps below:
- Log in to the AWS Management Console.
- Go to the EC2 Dashboard.
- Select the Load Balancers option from the left-hand menu.
- Choose the Load Balancer that you want to remediate.
- Click on the Listeners tab.
- Select the listener that you want to remediate.
- Click on the Edit button.
- In the Edit Listener dialog box, click on the Add button to add a new protocol.
- Select HTTPS from the Protocol drop-down menu.
- Select the SSL certificate from the SSL certificate drop-down menu.
- Click on the Add button.
- In the SSL Policy drop-down menu, select a secure SSL policy such as ELBSecurityPolicy-2016-08.
- Uncheck the insecure ciphers and protocols such as RC4 and SSLv3.
- Click on the Save button to save the changes.
Using CLI
To remediate the misconfiguration “ELBs Should Not Have Insecure Ciphers” for AWS using AWS CLI, follow these steps:
- Identify the insecure ciphers being used by the ELB. You can use the following command to get a list of ciphers being used by your ELB:
- Once you have identified the insecure ciphers, you need to update the security policy of the ELB to disable these ciphers. You can use the following command to update the security policy of the ELB:
Replace <ELB_NAME> with the name of your ELB and <POLICY_NAME> with the name of the security policy that you want to apply. You can find a list of available security policies in the AWS documentation.
- After updating the security policy, you should verify that the insecure ciphers have been disabled. You can use the same command as in step 1 to check the ciphers being used by the ELB.
- Finally, you should test your ELB to ensure that it is still functioning as expected after disabling the insecure ciphers.
Using Python
To remediate the issue of ELBs having insecure ciphers in AWS using Python, you can follow these steps:
- First, you need to identify the ELBs that have insecure ciphers. You can do this by using the AWS CLI command:
This command will list all the ELBs that have policies attached to their listeners.
- Once you have identified the ELBs with insecure ciphers, you can use the AWS CLI command to list the policies attached to each listener:
This command will list the policies attached to the specified ELB.
- You can then use the AWS CLI command to delete the policies that have insecure ciphers:
This command will delete the specified policy from the ELB.
- Finally, you can use the AWS CLI command to update the listeners of the ELB to use secure ciphers:
This command will create a new policy for the ELB that uses secure ciphers.
- Repeat steps 2-4 for all the ELBs with insecure ciphers to remediate the issue.
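One way to carry out the identification and verification steps above offline is shown here as an added example; it is not code from the original page. It assumes a Classic Load Balancer and takes the parsed JSON that `aws elb describe-load-balancer-policies --load-balancer-name <ELB_NAME>` returns; the sample response, the policy names in it and the `find_insecure_settings` helper are constructed for illustration.

```python
# Added example: audits the parsed output of
#   aws elb describe-load-balancer-policies --load-balancer-name <ELB_NAME>
# (Classic Load Balancer) for insecure protocols and ciphers that are enabled.

# RC4 and SSLv3 are the insecure items this page names; the remaining
# markers are this example's own assumption of what else to flag.
INSECURE_MARKERS = ("RC4", "SSLv3", "SSLv2", "DES-CBC", "EXP-", "NULL", "MD5")

# Constructed sample response (not taken from a real account).
SAMPLE_RESPONSE = {
    "PolicyDescriptions": [
        {
            "PolicyName": "legacy-custom-policy",
            "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
                {"AttributeName": "RC4-SHA", "AttributeValue": "true"},
                {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "false"},
                {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
            ],
        },
        {"PolicyName": "cookie-policy", "PolicyTypeName": "LBCookieStickinessPolicyType",
         "PolicyAttributeDescriptions": []},
    ]
}

def find_insecure_settings(response, markers=INSECURE_MARKERS):
    """Return {policy_name: [enabled insecure attribute names]}."""
    findings = {}
    for policy in response.get("PolicyDescriptions", []):
        if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue  # stickiness and other policy types carry no ciphers
        hits = sorted(
            attr["AttributeName"]
            for attr in policy.get("PolicyAttributeDescriptions", [])
            # Only attributes switched on ("true") are negotiable by clients.
            if attr.get("AttributeValue", "").lower() == "true"
            and any(m.lower() in attr["AttributeName"].lower() for m in markers)
        )
        if hits:
            findings[policy.get("PolicyName", "<unnamed>")] = hits
    return findings

if __name__ == "__main__":
    for name, attrs in find_insecure_settings(SAMPLE_RESPONSE).items():
        print(f"{name}: {', '.join(attrs)}")
```

An empty result after the security policy has been updated means none of the flagged protocols or ciphers remain enabled on that load balancer's SSL negotiation policies.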