Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Latest AWS Security Policy for SSL Negotiations Should Be Used For Web-Tier ELBs” for AWS using the AWS console, follow the steps below:
- Log in to your AWS console and navigate to the EC2 dashboard.
- Click on the “Load Balancers” option from the left-hand menu.
- Select the web-tier ELB that you want to remediate and click on it.
- Click on the “Listeners” tab and select the listener that is using SSL.
- In the “SSL Certificate” section, select “Change” and choose the “AWS Managed Certificate” option.
- Choose the latest AWS security policy for SSL negotiations from the dropdown menu and click on “Save”.
Using CLI
To remediate this issue for AWS using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine.
- Run the following command to get the load balancer security policy names: Replace <ELB_NAME> with the name of your load balancer.
- Identify the security policy that is currently in use for the load balancer. The security policy should be named ELBSecurityPolicy-2016-08 or later.
- If the load balancer is using an older security policy, run the following command to update it: Replace <ELB_NAME> with the name of your load balancer and <NEW_POLICY_NAME> with the name of the latest AWS security policy. The latest security policy name can be found in the AWS documentation.
- Verify that the new security policy is in use by running the following command: Replace <ELB_NAME> with the name of your load balancer. The command should return a JSON object that includes the new security policy name.
- Once you have verified that the new security policy is in use, you have successfully remediated the misconfiguration.
Using Python
To remediate the misconfiguration “Latest AWS Security Policy for SSL Negotiations Should Be Used For Web-Tier ELBs” in AWS using Python, follow the steps below:
- Import the required libraries:
- Create a boto3 client for Elastic Load Balancing:
- Get a list of all the load balancers:
- Loop through each load balancer and check if it is a web-tier ELB:
- If the load balancer is a web-tier ELB, update its SSL policy:
- The SSL policy ELBSecurityPolicy-TLS-1-2-Ext-2018-06 is the latest AWS security policy for SSL negotiations. You can modify the code to use a different SSL policy if required.
- Finally, you can add this code to a script and run it periodically to ensure that all web-tier ELBs are using the latest AWS security policy for SSL negotiations.
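The CLI and Python steps above describe the same check-and-update flow for Classic Load Balancers; the boto3 script below is an added example, not the page's own code. It assumes web-tier ELBs are marked with a web_tier=true tag (adjust to your tagging scheme) and takes the target policy as a parameter: the default, ELBSecurityPolicy-TLS-1-2-2017-01, is from the Classic Load Balancer predefined-policy list, while ELBSecurityPolicy-TLS-1-2-Ext-2018-06 quoted above is an Application Load Balancer policy, so confirm the current name in the AWS documentation as the page advises.

```python
WEB_TIER_TAG = ("web_tier", "true")  # assumption: web-tier ELBs carry this tag
POLICY_TYPE = "SSLNegotiationPolicyType"
REFERENCE_ATTR = "Reference-Security-Policy"


def is_web_tier(tags):
    """True when an ELB's tag list (from describe_tags) carries the web-tier marker."""
    return any((t["Key"], t["Value"]) == WEB_TIER_TAG for t in tags)


def reference_policy(policy_descriptions):
    """Predefined policy a listener's SSL negotiation policy is based on, or None."""
    for desc in policy_descriptions:
        if desc["PolicyTypeName"] == POLICY_TYPE:
            for attr in desc["PolicyAttributeDescriptions"]:
                if attr["AttributeName"] == REFERENCE_ATTR:
                    return attr["AttributeValue"]
    return None


def remediate_listener(elb, name, port, policy_names, target):
    """Point the listener on `port` at `target`; returns (old reference policy, changed)."""
    policies = elb.describe_load_balancer_policies(LoadBalancerName=name)["PolicyDescriptions"]
    attached = [p for p in policies if p["PolicyName"] in policy_names]
    current = reference_policy(attached)
    if current == target:
        return current, False
    new_policy = f"SSLNegotiationPolicy-{target}"  # constructed name for the new policy
    if new_policy not in {p["PolicyName"] for p in policies}:  # idempotent on re-runs
        elb.create_load_balancer_policy(
            LoadBalancerName=name, PolicyName=new_policy, PolicyTypeName=POLICY_TYPE,
            PolicyAttributes=[{"AttributeName": REFERENCE_ATTR, "AttributeValue": target}])
    keep = [p["PolicyName"] for p in attached if p["PolicyTypeName"] != POLICY_TYPE]
    elb.set_load_balancer_policies_of_listener(  # replaces the whole list; keep stickiness
        LoadBalancerName=name, LoadBalancerPort=port, PolicyNames=keep + [new_policy])
    return current, True


def remediate_account(target="ELBSecurityPolicy-TLS-1-2-2017-01"):
    """Fix every web-tier classic ELB in the region; returns [(name, port, old_policy)]."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    elb = boto3.client("elb")
    changed = []
    for lb in elb.describe_load_balancers()["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        tags = elb.describe_tags(LoadBalancerNames=[name])["TagDescriptions"][0]["Tags"]
        for ld in lb["ListenerDescriptions"]:  # only TLS-terminating listeners matter
            if is_web_tier(tags) and ld["Listener"]["Protocol"] in ("HTTPS", "SSL"):
                port = ld["Listener"]["LoadBalancerPort"]
                old, did = remediate_listener(elb, name, port, ld["PolicyNames"], target)
                if did:
                    changed.append((name, port, old))
    return changed
```

Run remediate_account() with credentials for the target account and region; it returns the listeners it changed, so a scheduled run that returns an empty list confirms all web-tier ELBs are already on the target policy.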