Control: 17 Application and Network Load Balancers with listeners should use recommended security policies
Description
Parameters: sslPolicies: ELBSecurityPolicy-TLS13-1-2-2021-06, ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-3-2021-06, ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Res-2021-06, ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 (not customizable)
This control checks whether the HTTPS listener for an Application Load Balancer or the TLS listener for a Network Load Balancer is configured to encrypt data in transit by using a recommended security policy. The control fails if the HTTPS or TLS listener for a load balancer isn't configured to use a recommended security policy.
Elastic Load Balancing uses an SSL negotiation configuration, known as a security policy, to negotiate connections between a client and a load balancer. The security policy specifies a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server. A cipher is an encryption algorithm that uses encryption keys to create a coded message. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. Using a recommended security policy for a load balancer can help you meet compliance and security standards.
Remediation
For information about recommended security policies and how to update listeners, see the following sections of the Elastic Load Balancing User Guides: Security policies for Application Load Balancers, Security policies for Network Load Balancers, Update an HTTPS listener for your Application Load Balancer, and Update a listener for your Network Load Balancer.
Usage
Run the control in your terminal:
```shell
powerpipe control run aws_compliance.control.foundational_security_elb_17
```
Snapshot and share results via Turbot Pipes:
```shell
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_17 --share
```
SQL
This control uses a named query:
```sql
with lbs as (
  select arn, title, region, account_id, tags, _ctx, 'application'::text as lb_type
  from aws_ec2_application_load_balancer
  union all
  select arn, title, region, account_id, tags, _ctx, 'network'::text as lb_type
  from aws_ec2_network_load_balancer
),
listeners as (
  select
    l.arn as listener_arn,
    l.load_balancer_arn as lb_arn,
    l.protocol,
    l.port,
    l.ssl_policy,
    lb.title,
    lb.region,
    lb.account_id,
    lb.tags,
    lb._ctx,
    lb.lb_type
  from aws_ec2_load_balancer_listener l
  join lbs lb on lb.arn = l.load_balancer_arn
)
select
  l.listener_arn as resource,
  case
    when l.lb_type = 'application' and l.protocol = 'HTTPS' then
      case when l.ssl_policy is null or not (l.ssl_policy = ANY($1::text[])) then 'alarm' else 'ok' end
    when l.lb_type = 'network' and l.protocol = 'TLS' then
      case when l.ssl_policy is null or not (l.ssl_policy = ANY($1::text[])) then 'alarm' else 'ok' end
    else 'alarm'
  end as status,
  case
    when l.lb_type = 'application' and l.protocol = 'HTTPS' and l.ssl_policy is null
      then l.title || ' listener ' || l.port || ' uses HTTPS with no SSL policy.'
    when l.lb_type = 'application' and l.protocol = 'HTTPS' and not (l.ssl_policy = ANY($1::text[]))
      then l.title || ' listener ' || l.port || ' uses HTTPS with non-recommended policy ' || l.ssl_policy || '.'
    when l.lb_type = 'application' and l.protocol = 'HTTPS'
      then l.title || ' listener ' || l.port || ' uses HTTPS with recommended policy ' || l.ssl_policy || '.'
    when l.lb_type = 'network' and l.protocol = 'TLS' and l.ssl_policy is null
      then l.title || ' listener ' || l.port || ' uses TLS with no SSL policy.'
    when l.lb_type = 'network' and l.protocol = 'TLS' and not (l.ssl_policy = ANY($1::text[]))
      then l.title || ' listener ' || l.port || ' uses TLS with non-recommended policy ' || l.ssl_policy || '.'
    when l.lb_type = 'network' and l.protocol = 'TLS'
      then l.title || ' listener ' || l.port || ' uses TLS with recommended policy ' || l.ssl_policy || '.'
    when l.lb_type = 'application'
      then l.title || ' listener ' || l.port || ' uses ' || lower(l.protocol) || ' (expected HTTPS).'
    when l.lb_type = 'network'
      then l.title || ' listener ' || l.port || ' uses ' || lower(l.protocol) || ' (expected TLS).'
  end as reason,
  region,
  account_id
from listeners l;
```
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | elb_application_network_lb_https_tls_listener_recommended_ssl_policy | | A list of recommended SSL policies for application and network load balancers. | |
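The same status and reason logic as the control's SQL, applied offline to a saved `aws elbv2 describe-listeners` JSON document. This is an added example, not code from the aws_compliance mod: it derives the load balancer type from the `loadbalancer/app/` or `loadbalancer/net/` segment of the ARN, omits the load balancer title the SQL prepends to each reason, and the listener records and ARNs below are constructed.

```python
import json
import re

# Policy list from this control's parameters (sslPolicies); a listener must use one of these.
RECOMMENDED_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06", "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04",
    "ELBSecurityPolicy-TLS13-1-3-2021-06", "ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06", "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04",
}
# Encrypted listener protocol each load balancer type is expected to use.
EXPECTED_PROTOCOL = {"application": "HTTPS", "network": "TLS"}

def lb_type_from_arn(lb_arn: str) -> str:
    """ALB ARNs contain 'loadbalancer/app/', NLB ARNs 'loadbalancer/net/' (assumption of this example)."""
    m = re.search(r":loadbalancer/(app|net)/", lb_arn)
    if not m:
        raise ValueError(f"not an ALB/NLB ARN: {lb_arn}")
    return "application" if m.group(1) == "app" else "network"

def evaluate_listener(listener: dict, recommended=RECOMMENDED_SSL_POLICIES) -> tuple[str, str]:
    """Return (status, reason) for one describe-listeners record, mirroring the control's CASE logic."""
    expected = EXPECTED_PROTOCOL[lb_type_from_arn(listener["LoadBalancerArn"])]
    protocol, policy = listener.get("Protocol", ""), listener.get("SslPolicy")
    prefix = f"listener {listener.get('Port')} uses"
    if protocol != expected:  # plaintext HTTP/TCP listener: alarm regardless of any policy
        return "alarm", f"{prefix} {protocol.lower()} (expected {expected})."
    if policy is None:
        return "alarm", f"{prefix} {expected} with no SSL policy."
    if policy not in recommended:
        return "alarm", f"{prefix} {expected} with non-recommended policy {policy}."
    return "ok", f"{prefix} {expected} with recommended policy {policy}."

def evaluate_describe_listeners(doc: str) -> dict[str, tuple[str, str]]:
    """Evaluate every listener in a saved describe-listeners JSON document, keyed by listener ARN."""
    return {l["ListenerArn"]: evaluate_listener(l) for l in json.loads(doc)["Listeners"]}

# Constructed sample covering each outcome the control can produce (fictitious account and ARNs).
SAMPLE_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123"
SAMPLE_NLB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/api/4567"
SAMPLE_DESCRIBE_LISTENERS = json.dumps({"Listeners": [
    {"ListenerArn": "alb-443", "LoadBalancerArn": SAMPLE_ALB_ARN, "Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": "alb-8443", "LoadBalancerArn": SAMPLE_ALB_ARN, "Port": 8443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "alb-80", "LoadBalancerArn": SAMPLE_ALB_ARN, "Port": 80, "Protocol": "HTTP"},
    {"ListenerArn": "nlb-443", "LoadBalancerArn": SAMPLE_NLB_ARN, "Port": 443, "Protocol": "TLS"},
]})
```

Running `evaluate_describe_listeners(SAMPLE_DESCRIBE_LISTENERS)` yields one `ok` (alb-443) and three `alarm` results, matching the three failure paths of the SQL: a non-recommended policy, a plaintext listener, and a TLS listener with no policy.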