AWS Elastic Load Balancing (ELB)
  1. CNS Policies
  2. AWS Knowledge Base
  3. AWS Elastic Load Balancing (ELB)

ELB Without Security Policy

Risk Level: Medium

Description: 

This plugin ensures that Elastic Load Balancer security policies are up to date.

SentinelOne CNS strongly recommends updating your ELBs to use the secure cypher suites.

About the Service :

The Amazon ECS service may be configured to employ Elastic Load Balancing to uniformly distribute traffic among your service's jobs. The transport layer (TCP/SSL) or the application layer (HTTP/HTTPS) are where a Classic Load Balancer makes routing choices. A fixed relationship between the load balancer port and the container instance port is presently required by traditional load balancers.

Impact : 

Using insecure and deprecated security policies for your ELB's SSL negotiation configuration will expose the connection between the client and the load balancer to SSL/TLS vulnerabilities like Logjam Attack, which is a flaw in how the Diffie-Hellman key exchange (DHE) has been implemented, and FREAK Attack, which allows an attacker to intercept HTTPS connections between vulnerable clients and servers/load balancers in order to break in and steal or manipulate sensitive information.

Steps to reproduce :

  1. Login to your AWS Management Console.
  2. Navigate to the EC2 console.
    https://ap-south-1.console.aws.amazon.com/ec2/ 
  3. Click on Load Balancers under Load Balancing.
  4. Select the load balancer that you want to examine.
  5. In the Listeners tab, check if a Security Policy is available or not. 
  6. Since it is not present, the ELB is without a security policy.
  7. Repeat steps for other EC2 load balancers as well. 

Steps for remediation :

  1. Login to your AWS Management Console.
  2. Navigate to the EC2 console.
    https://ap-south-1.console.aws.amazon.com/ec2/ 
  3. Click on Load Balancers under Load Balancing.
  4. Select the load balancer that you want to examine.
  5. In the Listeners tab, check if a Security Policy is available or not. 
  6. Since it is not present, the ELB is without a security policy.
  7. We will create a new listener by clicking on the Add Listener button.
  8. We will then fill in the necessary information of the listener with the Security Policy and click Add.
  9. Repeat steps for other EC2 load balancers as well. 

References: