NLBs Should Have Latest SSL/TLS Configurations

More Info:

Your Amazon Network Load Balancers (NLBs) should be using the latest recommended predefined security policy for TLS negotiation configuration in order to protect their front-end connections against TLS vulnerabilities and meet security requirements

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, HIPAA, GDPR, NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate NLBs having the latest SSL/TLS configurations in AWS using AWS CLI, follow these steps:

Check the current SSL/TLS configuration of the NLB by running the following command:

aws elbv2 describe-load-balancers --load-balancer-arns <NLB-ARN> --query 'LoadBalancers[].{Name: LoadBalancerName, Scheme: Scheme, Type: Type, Protocol: Scheme, SecurityPolicy: SecurityPolicies}'

Replace <NLB-ARN> with the ARN of the NLB that you want to check.

Identify the latest SSL/TLS version that is supported by AWS by running the following command:

aws elbv2 describe-load-balancer-policies --query 'SslPolicies[].Name'

This command will return a list of SSL/TLS policies that are supported by AWS. Identify the latest policy that is suitable for your NLB.

Update the NLB with the latest SSL/TLS policy by running the following command:

aws elbv2 set-security-policies --load-balancer-arn <NLB-ARN> --security-policy-ids <Security-Policy-ID>

Replace <NLB-ARN> with the ARN of the NLB that you want to update, and <Security-Policy-ID> with the ID of the latest SSL/TLS policy that you identified in step 2.

Verify that the NLB now has the latest SSL/TLS policy by running the command in step 1 again.
Repeat the above steps for all NLBs in your AWS environment that need to be updated with the latest SSL/TLS configurations.

Using Python

To remediate the misconfiguration “NLBs Should Have Latest SSL/TLS Configurations” for AWS using Python, you can follow these steps:

Install the AWS SDK for Python (Boto3) using pip:

pip install boto3

Create a Boto3 client for the AWS Network Load Balancer (NLB) service:

import boto3

client = boto3.client('elbv2')

Get a list of all the NLBs in your AWS account:

response = client.describe_load_balancers()
nlbs = response['LoadBalancers']

For each NLB, check if it has the latest SSL/TLS configuration:

for nlb in nlbs:
    response = client.describe_listeners(
        LoadBalancerArn=nlb['LoadBalancerArn']
    )
    listeners = response['Listeners']
    for listener in listeners:
        if listener['Protocol'] == 'HTTPS':
            if listener['SslPolicy'] != 'ELBSecurityPolicy-TLS-1-2-2017-01':
                response = client.modify_listener(
                    ListenerArn=listener['ListenerArn'],
                    SslPolicy='ELBSecurityPolicy-TLS-1-2-2017-01'
                )

This code will iterate through all the NLBs in your AWS account, check if they have an HTTPS listener, and if so, check if it has the latest SSL/TLS configuration. If it doesn’t, it will modify the listener to use the latest configuration.Note: You will need to have appropriate permissions to modify the NLBs and listeners in your AWS account.

Additional Reading:

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

NLBs Should Have Latest SSL/TLS Configurations

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: