Skip to main content

More Info:

Your Amazon Network Load Balancers (NLBs) should be using the latest recommended predefined security policy for TLS negotiation configuration in order to protect their front-end connections against TLS vulnerabilities and meet security requirements

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, HIPAA, GDPR, NIST

Triage and Remediation

Remediation

Using Console

Sure, I can help you with that. Here are the step-by-step instructions to remediate the NLB SSL/TLS configuration issue in AWS:
  1. Log in to your AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. Click on the “Load Balancers” option from the left-hand side menu.
  4. Select the NLB that needs to be remediated.
  5. Click on the “Listeners” tab.
  6. Click on the “Edit” button next to the listener that uses SSL/TLS.
  7. Select the appropriate SSL/TLS policy from the “Security policy” drop-down menu.
  8. Click on the “Save” button to apply the changes.
By following these steps, you will update the SSL/TLS configuration for the NLB and ensure that it is using the latest and most secure policy.

To remediate NLBs having the latest SSL/TLS configurations in AWS using AWS CLI, follow these steps:
  1. Check the current SSL/TLS configuration of the NLB by running the following command:
aws elbv2 describe-load-balancers --load-balancer-arns <NLB-ARN> --query 'LoadBalancers[].{Name: LoadBalancerName, Scheme: Scheme, Type: Type, Protocol: Scheme, SecurityPolicy: SecurityPolicies}'
Replace <NLB-ARN> with the ARN of the NLB that you want to check.
  1. Identify the latest SSL/TLS version that is supported by AWS by running the following command:
aws elbv2 describe-load-balancer-policies --query 'SslPolicies[].Name'
This command will return a list of SSL/TLS policies that are supported by AWS. Identify the latest policy that is suitable for your NLB.
  1. Update the NLB with the latest SSL/TLS policy by running the following command:
aws elbv2 set-security-policies --load-balancer-arn <NLB-ARN> --security-policy-ids <Security-Policy-ID>
Replace <NLB-ARN> with the ARN of the NLB that you want to update, and <Security-Policy-ID> with the ID of the latest SSL/TLS policy that you identified in step 2.
  1. Verify that the NLB now has the latest SSL/TLS policy by running the command in step 1 again.
  2. Repeat the above steps for all NLBs in your AWS environment that need to be updated with the latest SSL/TLS configurations.
To remediate the misconfiguration “NLBs Should Have Latest SSL/TLS Configurations” for AWS using Python, you can follow these steps:
  1. Install the AWS SDK for Python (Boto3) using pip:
pip install boto3
  1. Create a Boto3 client for the AWS Network Load Balancer (NLB) service:
import boto3

client = boto3.client('elbv2')
  1. Get a list of all the NLBs in your AWS account:
response = client.describe_load_balancers()
nlbs = response['LoadBalancers']
  1. For each NLB, check if it has the latest SSL/TLS configuration:
for nlb in nlbs:
    response = client.describe_listeners(
        LoadBalancerArn=nlb['LoadBalancerArn']
    )
    listeners = response['Listeners']
    for listener in listeners:
        if listener['Protocol'] == 'HTTPS':
            if listener['SslPolicy'] != 'ELBSecurityPolicy-TLS-1-2-2017-01':
                response = client.modify_listener(
                    ListenerArn=listener['ListenerArn'],
                    SslPolicy='ELBSecurityPolicy-TLS-1-2-2017-01'
                )
This code will iterate through all the NLBs in your AWS account, check if they have an HTTPS listener, and if so, check if it has the latest SSL/TLS configuration. If it doesn’t, it will modify the listener to use the latest configuration.Note: You will need to have appropriate permissions to modify the NLBs and listeners in your AWS account.

Additional Reading: