turbot/steampipe-mod-aws-compliance

Control: 17 Application and Network Load Balancers with listeners should use recommended security policies

Description

Parameters: sslPolicies: ELBSecurityPolicy-TLS13-1-2-2021-06, ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-3-2021-06, ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Res-2021-06, ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 (not customizable)

This control checks whether the HTTPS listener for an Application Load Balancer or the TLS listener for a Network Load Balancer is configured to encrypt data in transit by using a recommended security policy. The control fails if the HTTPS or TLS listener for a load balancer isn't configured to use a recommended security policy.

Elastic Load Balancing uses an SSL negotiation configuration, known as a security policy, to negotiate connections between a client and a load balancer. The security policy specifies a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server. A cipher is an encryption algorithm that uses encryption keys to create a coded message. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. Using a recommended security policy for a load balancer can help you meet compliance and security standards.

Remediation

For information about recommended security policies and how to update listeners, see the following sections of the Elastic Load Balancing User Guides: Security policies for Application Load Balancers, Security policies for Network Load Balancers, Update an HTTPS listener for your Application Load Balancer, and Update a listener for your Network Load Balancer.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elb_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_17 --share

SQL

This control uses a named query:

with lbs as (
  select arn, title, region, account_id, tags, _ctx, 'application'::text as lb_type
  from aws_ec2_application_load_balancer
  union all
  select arn, title, region, account_id, tags, _ctx, 'network'::text as lb_type
  from aws_ec2_network_load_balancer
),
listeners as (
  select
    l.arn as listener_arn,
    l.load_balancer_arn as lb_arn,
    l.protocol,
    l.port,
    l.ssl_policy,
    lb.title,
    lb.region,
    lb.account_id,
    lb.tags,
    lb._ctx,
    lb.lb_type
  from aws_ec2_load_balancer_listener l
  join lbs lb on lb.arn = l.load_balancer_arn
)
select
  l.listener_arn as resource,
  case
    when l.lb_type = 'application' and l.protocol = 'HTTPS'
      then case when l.ssl_policy is null or not (l.ssl_policy = ANY($1::text[])) then 'alarm' else 'ok' end
    when l.lb_type = 'network' and l.protocol = 'TLS'
      then case when l.ssl_policy is null or not (l.ssl_policy = ANY($1::text[])) then 'alarm' else 'ok' end
    else 'alarm'
  end as status,
  case
    when l.lb_type = 'application' and l.protocol = 'HTTPS' and l.ssl_policy is null
      then l.title || ' listener ' || l.port || ' uses HTTPS with no SSL policy.'
    when l.lb_type = 'application' and l.protocol = 'HTTPS' and not (l.ssl_policy = ANY($1::text[]))
      then l.title || ' listener ' || l.port || ' uses HTTPS with non-recommended policy ' || l.ssl_policy || '.'
    when l.lb_type = 'application' and l.protocol = 'HTTPS'
      then l.title || ' listener ' || l.port || ' uses HTTPS with recommended policy ' || l.ssl_policy || '.'
    when l.lb_type = 'network' and l.protocol = 'TLS' and l.ssl_policy is null
      then l.title || ' listener ' || l.port || ' uses TLS with no SSL policy.'
    when l.lb_type = 'network' and l.protocol = 'TLS' and not (l.ssl_policy = ANY($1::text[]))
      then l.title || ' listener ' || l.port || ' uses TLS with non-recommended policy ' || l.ssl_policy || '.'
    when l.lb_type = 'network' and l.protocol = 'TLS'
      then l.title || ' listener ' || l.port || ' uses TLS with recommended policy ' || l.ssl_policy || '.'
    when l.lb_type = 'application'
      then l.title || ' listener ' || l.port || ' uses ' || lower(l.protocol) || ' (expected HTTPS).'
    when l.lb_type = 'network'
      then l.title || ' listener ' || l.port || ' uses ' || lower(l.protocol) || ' (expected TLS).'
  end as reason,
  region,
  account_id
from
  listeners l;
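The same alarm/ok decision, applied outside Steampipe to the JSON that `aws elbv2 describe-listeners --load-balancer-arn <arn>` returns. This is an added example, not code from the mod; the listener sample below is constructed, its ARNs are placeholders, and `ELBSecurityPolicy-2016-08` stands in for a policy that is not on the recommended list.

```python
import json

# Default of the mod variable elb_application_network_lb_https_tls_listener_recommended_ssl_policy.
RECOMMENDED_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04",
}

# The encrypted listener protocol the control expects for each load balancer type.
EXPECTED_PROTOCOL = {"application": "HTTPS", "network": "TLS"}


def evaluate_listener(listener, lb_type, recommended=RECOMMENDED_SSL_POLICIES):
    """Return (status, reason) for one describe-listeners entry, following the control's CASE logic.

    The load balancer title is not part of describe-listeners output, so the reason omits it.
    """
    expected = EXPECTED_PROTOCOL[lb_type]
    protocol, port = listener["Protocol"], listener["Port"]
    policy = listener.get("SslPolicy")  # key is absent on plaintext (HTTP/TCP) listeners
    if protocol != expected:
        return "alarm", f"listener {port} uses {protocol.lower()} (expected {expected})."
    if policy is None:
        return "alarm", f"listener {port} uses {expected} with no SSL policy."
    if policy not in recommended:
        return "alarm", f"listener {port} uses {expected} with non-recommended policy {policy}."
    return "ok", f"listener {port} uses {expected} with recommended policy {policy}."


def evaluate_describe_listeners(output_json, lb_type):
    """Evaluate every listener in a describe-listeners response: {ListenerArn: (status, reason)}."""
    return {l["ListenerArn"]: evaluate_listener(l, lb_type)
            for l in json.loads(output_json)["Listeners"]}


# Constructed describe-listeners output for one ALB (placeholder ARNs).
SAMPLE_ALB_LISTENERS = json.dumps({"Listeners": [
    {"ListenerArn": "arn:placeholder:listener/app/web/1", "LoadBalancerArn": "arn:placeholder:lb/app/web",
     "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": "arn:placeholder:listener/app/web/2", "LoadBalancerArn": "arn:placeholder:lb/app/web",
     "Port": 8443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "arn:placeholder:listener/app/web/3", "LoadBalancerArn": "arn:placeholder:lb/app/web",
     "Port": 80, "Protocol": "HTTP"},
]})

if __name__ == "__main__":
    for arn, (status, reason) in evaluate_describe_listeners(SAMPLE_ALB_LISTENERS, "application").items():
        print(f"{status:5} {arn}: {reason}")
```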

Params

Args: $1
Name: elb_application_network_lb_https_tls_listener_recommended_ssl_policy
Default: ["ELBSecurityPolicy-TLS13-1-2-2021-06","ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04","ELBSecurityPolicy-TLS13-1-3-2021-06","ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04","ELBSecurityPolicy-TLS13-1-2-Res-2021-06","ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04"]
Description: A list of recommended SSL policies for application and network load balancers.

Tags