For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-elb-using-weak-ciphers.md. A documentation index is available at /llms.txt.

ELB using weak ciphers

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-elb-using-weak-ciphers

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Encryption

Learn More

Description

ELB security policies must not include weak TLS cipher suites because weak ciphers can be exploited to downgrade or break the confidentiality and integrity of TLS connections to the load balancer.

Check AWS::ElasticLoadBalancing::LoadBalancer resources and verify the Policies[].Attributes[].Name values (the cipher identifiers or referenced policy names) do not match any known weak ciphers in the IANA, OpenSSL, or GnuTLS lists. Resources with Attributes that match a weak-cipher identifier will be flagged. Instead, use AWS predefined strong ELB security policy names or an SSLNegotiationPolicyType policy that explicitly references modern cipher suites (TLS 1.2+ with ECDHE and AES-GCM).

Secure configuration example using a modern predefined policy:

MyLoadBalancer:
  Type: AWS::ElasticLoadBalancing::LoadBalancer
  Properties:
    Listeners:
      - LoadBalancerPort: 443
        InstancePort: 443
        Protocol: HTTPS
        InstanceProtocol: HTTPS
        SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-cert
    Policies:
      - PolicyName: SecureSSLPolicy
        PolicyType: SSLNegotiationPolicyType
        Attributes:
          - Name: Reference-Security-Policy
            Value: ELBSecurityPolicy-TLS-1-2-2017-01

Compliant Code Examples

#this code is a correct code for which the query should not find any result
Resources:
    MyLoadBalancer:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '80'
            InstanceProtocol: HTTP
            LoadBalancerPort: '443'
            Protocol: HTTPS
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          HealthCheck:
            Target: HTTP:80/
            HealthyThreshold: '2'
            UnhealthyThreshold: '3'
            Interval: '10'
            Timeout: '5'
          Policies:
          - PolicyName: My-SSLNegotiation-Policy
            PolicyType: SSLNegotiationPolicyType
            Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01

{
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Listeners": [
          {
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ]
          }
        ],
        "HealthCheck": {
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3",
          "Interval": "10",
          "Timeout": "5",
          "Target": "HTTP:80/"
        },
        "Policies": [
          {
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "Reference-Security-Policy",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ],
            "PolicyName": "My-SSLNegotiation-Policy"
          }
        ]
      }
    }
  }
}

Non-Compliant Code Examples

#this is a problematic code where the query should report a result(s)
Resources:
    MyLoadBalancer:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '80'
            InstanceProtocol: HTTP
            LoadBalancerPort: '443'
            Protocol: HTTPS
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          HealthCheck:
            Target: HTTP:80/
            HealthyThreshold: '2'
            UnhealthyThreshold: '3'
            Interval: '10'
            Timeout: '5'
          Policies:
          - PolicyName: My-SSLNegotiation-Policy
            PolicyType: SSLNegotiationPolicyType
            Attributes:
            - Name: TLS_RSA_NULL_SHA1
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
            - Name: DHE-DSS-DES-CBC3-SHA
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
          - PolicyName: My-SSLNegotiation-Policy2
            PolicyType: SSLNegotiationPolicyType
            Attributes:
            - Name: TLS_DHE_PSK_WITH_NULL_SHA256
              Value: ELBSecurityPolicy-TLS-1-2-2017-01

{
  "Resources": {
    "MyLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true,
        "Listeners": [
          {
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate"
          }
        ],
        "HealthCheck": {
          "Target": "HTTP:80/",
          "HealthyThreshold": "2",
          "UnhealthyThreshold": "3",
          "Interval": "10",
          "Timeout": "5"
        },
        "Policies": [
          {
            "PolicyName": "My-SSLNegotiation-Policy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "TLS_RSA_NULL_SHA1",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              },
              {
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01",
                "Name": "DHE-DSS-DES-CBC3-SHA"
              }
            ]
          },
          {
            "PolicyName": "My-SSLNegotiation-Policy2",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
              {
                "Name": "TLS_DHE_PSK_WITH_NULL_SHA256",
                "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"
              }
            ]
          }
        ]
      }
    }
  }
}