ELB using insecure protocols
Id: 126c1788-23c2-4a10-906c-ef179f4f96ec
Cloud Provider: aws
Framework: Terraform
Severity: Medium
Category: Encryption
Description
Elastic Load Balancer (ELB) security policies should not enable insecure protocols such as SSLv3, TLSv1, or TLSv1.1, because these older protocols are vulnerable to well-known attacks that can compromise the confidentiality and integrity of data transmitted between clients and the load balancer. In Terraform, this means avoiding policy_attribute blocks such as name = "Protocol-SSLv3" or name = "Protocol-TLSv1" with a value of "true". A secure configuration should explicitly enable only newer protocols such as TLSv1.2. For example:
policy_attribute {
name = "Protocol-TLSv1.2"
value = "true"
}
Leaving insecure protocols enabled increases the risk of man-in-the-middle (MITM) attacks and data breaches for all applications using the ELB.
Compliant Code Examples
# This code is compliant: the query should not report any result for it.
# Compliant: this ELB only declares a listener and carries no
# SSLNegotiationPolicyType attributes, so there is nothing for this check to
# evaluate. The listener terminates HTTPS on lb_port 443 but forwards plain
# "http" to instance_port 443, so the ELB-to-instance hop is unencrypted; that
# is outside the scope of this check.
# NOTE(review): no SSL negotiation policy is attached to the listener here, so
# it relies on whatever default policy AWS applies — confirm that default does
# not still permit TLSv1/TLSv1.1.
resource "aws_elb" "negative1" {
  name               = "wu-tang"
  availability_zones = ["us-east-1a"]

  listener {
    instance_port      = 443
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::000000000000:server-certificate/wu-tang.net"
  }

  tags = {
    Name = "wu-tang"
  }
}
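# Compliant: a PublicKeyPolicyType policy carries no protocol attributes.
# References the ELB declared in this file as aws_elb.negative1 so the
# configuration resolves; the public key is read from a local file.
resource "aws_load_balancer_policy" "negative2" {
  load_balancer_name = aws_elb.negative1.name
  policy_name        = "wu-tang-ca-pubkey-policy"
  policy_type_name   = "PublicKeyPolicyType"

  policy_attribute {
    name  = "PublicKey"
    value = file("wu-tang-pubkey")
  }
}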
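# Compliant: a BackendServerAuthenticationPolicyType policy carries no protocol
# attributes. It points at the public-key policy declared in this file as
# aws_load_balancer_policy.negative2 and the ELB declared as aws_elb.negative1.
resource "aws_load_balancer_policy" "negative3" {
  load_balancer_name = aws_elb.negative1.name
  policy_name        = "wu-tang-root-ca-backend-auth-policy"
  policy_type_name   = "BackendServerAuthenticationPolicyType"

  policy_attribute {
    name  = "PublicKeyPolicyName"
    value = aws_load_balancer_policy.negative2.policy_name
  }
}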
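# Compliant: this SSLNegotiationPolicyType policy enables only TLSv1.2 and a
# single AEAD cipher suite; no Protocol-SSLv3 / Protocol-TLSv1 / Protocol-TLSv1.1
# attribute is set to "true". References the ELB declared in this file as
# aws_elb.negative1.
resource "aws_load_balancer_policy" "negative4" {
  load_balancer_name = aws_elb.negative1.name
  policy_name        = "wu-tang-ssl"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "ECDHE-ECDSA-AES128-GCM-SHA256"
    value = "true"
  }

  policy_attribute {
    name  = "Protocol-TLSv1.2"
    value = "true"
  }
}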
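# Compliant for this check: the policy is expressed as a Reference-Security-Policy
# rather than individual Protocol-* attributes. This fixture is listed as
# compliant, which suggests the check does not expand predefined policies, so the
# predefined policy chosen must itself be TLSv1.2-only: ELBSecurityPolicy-TLS-1-2-2017-01.
# The previously used ELBSecurityPolicy-TLS-1-1-2017-01 still enables TLSv1.1,
# which this check's description classes as insecure.
# The policy_name is distinct from negative4's "wu-tang-ssl": two policies with
# the same name on one load balancer cannot both be created.
resource "aws_load_balancer_policy" "negative5" {
  load_balancer_name = aws_elb.negative1.name
  policy_name        = "wu-tang-ssl-reference"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}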
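# Compliant: attaches the backend-server authentication policy declared in this
# file as aws_load_balancer_policy.negative3 to instance port 443 of
# aws_elb.negative1. No protocol attributes are involved.
resource "aws_load_balancer_backend_server_policy" "negative6" {
  load_balancer_name = aws_elb.negative1.name
  instance_port      = 443

  policy_names = [
    aws_load_balancer_policy.negative3.policy_name,
  ]
}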
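# Compliant: attaches the TLSv1.2-only SSL negotiation policy declared in this
# file as aws_load_balancer_policy.negative4 to the port-443 listener of
# aws_elb.negative1. The attachment itself carries no protocol attributes; the
# protocols allowed are decided by the referenced policy.
resource "aws_load_balancer_listener_policy" "negative7" {
  load_balancer_name = aws_elb.negative1.name
  load_balancer_port = 443

  policy_names = [
    aws_load_balancer_policy.negative4.policy_name,
  ]
}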
Non-Compliant Code Examples
# This code is non-compliant: the query should report one or more results for it.
# The ELB itself is not the finding: this block is identical to the compliant
# aws_elb.negative1 and declares no SSLNegotiationPolicyType attributes. The
# findings come from the aws_load_balancer_policy resources below that enable
# Protocol-TLSv1 and Protocol-SSLv3.
# The listener terminates HTTPS on lb_port 443 but forwards plain "http" to the
# instance, so the backend hop is unencrypted; that is outside this check's scope.
resource "aws_elb" "positive1" {
  name               = "wu-tang"
  availability_zones = ["us-east-1a"]

  listener {
    instance_port      = 443
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::000000000000:server-certificate/wu-tang.net"
  }

  tags = {
    Name = "wu-tang"
  }
}
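# Non-compliant: Protocol-TLSv1 is set to "true". Enabling TLSv1.2 alongside it
# does not help — a client can still negotiate TLSv1, so the weaker protocol
# remains reachable. The finding is the second policy_attribute block; removing
# it (leaving only Protocol-TLSv1.2) would make this policy compliant.
# References the ELB declared in this file as aws_elb.positive1.
resource "aws_load_balancer_policy" "positive4" {
  load_balancer_name = aws_elb.positive1.name
  policy_name        = "wu-tang-ssl"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Protocol-TLSv1.2"
    value = "true"
  }

  # Finding: insecure protocol enabled.
  policy_attribute {
    name  = "Protocol-TLSv1"
    value = "true"
  }
}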
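# Non-compliant: Protocol-SSLv3 is set to "true", and no newer protocol is
# enabled at all in this policy. The finding is the single policy_attribute
# block. References the ELB declared in this file as aws_elb.positive1.
# The policy_name is distinct from positive4's "wu-tang-ssl": two policies with
# the same name on one load balancer cannot both be created.
resource "aws_load_balancer_policy" "positive5" {
  load_balancer_name = aws_elb.positive1.name
  policy_name        = "wu-tang-ssl-legacy"
  policy_type_name   = "SSLNegotiationPolicyType"

  # Finding: insecure protocol enabled.
  policy_attribute {
    name  = "Protocol-SSLv3"
    value = "true"
  }
}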