1.10 Ensure Web Tier ELB have the latest SSL Security Policies configured

Information

Elastic Load Balancing uses an Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL/TLS connections between a client and the load balancer. A security policy is a combination of SSL/TLS protocols, ciphers, and the Server Order Preference option.

Elastic Load Balancing supports configuring your load balancer to use either predefined or custom security policies.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that are used to encrypt confidential data over insecure networks such as the Internet. The TLS protocol is a newer version of the SSL protocol. In the Elastic Load Balancing documentation, we refer to both SSL and TLS protocols as the SSL protocol.

* Note: an SSL certificate configured on the ELB and an SSL Security Policy is not mandatory if you are terminating SSL connections directly on the Web Tier EC2 instances, and using a TCP listener on the ELB (TCP pass-through)
Making sure the latest ELB SSL Security Policy is used will ensure the SSL/TLS connection will be negotiated using only the appropriate cryptographic protocols deemed safe with no proven vulnerabilities.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Using the Amazon unified command line interface:

(Note that you should replace <web_tier_elb> with your Web-tier ELB name, and _<latest_ssl_policy>_ with the proper policy name)

aws elb set-load-balancer-policies-of-listener --load-balancer-name <web_tier_elb> --load-balancer-port 443 --policy-names _<latest_ssl_policy>_

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-17

Plugin: amazon_aws

Control ID: a726ad6e275891c9388a8711ad3fd6ecf71d0a6aaba7e21cb43d1e92b4abfd32