Load Balancers without TLS/SSL enabled.
- alert detected on 2019-03-27
- ticket opened on 2019-03-27
- must be closed by 2019-04-03, per Company SLA
This affects:
- Fleet OR
- Environments:
  - Account1 (aws account #)
  - Account2 (aws account #) OR
- Customers:
  - Company1 (customer id #)
  - Company2 (customer id #)
"AWS Config has detected an insecure configuration in an Application Load Balancer. It does not have TLS 1.2 encryption enabled. This is required for reliable transport security."
http://aws.amazon.com/config/finding/abcdef123466
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
...
- Enabled SSL encryption on the specific customer Load Balancers.
  - via the AWS Web Console, or aws-cli
  - command (Classic Load Balancer API; --ssl-certificate-id is a required argument):
    aws elb set-load-balancer-listener-ssl-certificate \
      --load-balancer-name <value> \
      --load-balancer-port <value> \
      --ssl-certificate-id <value>
  - test:
    nmap -sV --script ssl-enum-ciphers -p 443 <host> \
      | grep -F 'least strength'
  - verify:
    |_ least strength: A
OR
- Require all ALBs in the Fleet have TLS 1.2 enabled.
  - prevent the deployment of any ALB without TLS 1.2
    - updated provisioning engine to block deployment
  - detect any ALBs without TLS 1.2
    - enabled AWS Config in all AWS accounts
    - automatically enabled TLS 1.2 on all Load Balancers
    - weekly report on Load Balancer encryption
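Added example for the fleet-wide detection step above; it is not part of the original ticket or of any AWS tool. The nmap check in the per-customer fix grades cipher strength, while the minimum protocol version an ALB accepts is set by the listener's security policy, so a fleet report can read that policy straight from `aws elbv2 describe-listeners` output. The code below parses that JSON shape and reports listeners that either carry plaintext application traffic or use a policy outside a TLS 1.2-minimum allow-list. The `TLS12_MIN_POLICIES` allow-list is an assumption of this example (populated with AWS's published predefined policy names), and the sample listener data, ARNs and account number are constructed, not captured from a real account.

```python
"""Audit ALB listeners for TLS 1.2 enforcement.

Added example for this ticket, not original text or an AWS tool. It consumes
the JSON shape printed by `aws elbv2 describe-listeners --load-balancer-arn
<arn>`; the sample below is constructed, not captured from a live account.
"""
import json

# AWS predefined ALB security policies whose minimum protocol is TLS 1.2.
# Assumption of this example: the team maintains this allow-list. Anything
# not listed, including the default ELBSecurityPolicy-2016-08 (which still
# permits TLS 1.0 and 1.1), is reported as a finding.
TLS12_MIN_POLICIES = {
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
}

# Constructed sample: one hypothetical ALB ("example-alb") with four listeners.
_ARN_BASE = ("arn:aws:elasticloadbalancing:us-east-1:111111111111:"
             "listener/app/example-alb/0000000000000000/")
_TG = "arn:aws:elasticloadbalancing:us-east-1:111111111111:targetgroup/example-tg/1111111111111111"
SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {   # HTTP:80 that only redirects to HTTPS: no plaintext app traffic, acceptable
            "ListenerArn": _ARN_BASE + "aaaa", "Port": 80, "Protocol": "HTTP",
            "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
                "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}],
        },
        {   # HTTP:8080 forwarding to a target group: plaintext listener, finding
            "ListenerArn": _ARN_BASE + "bbbb", "Port": 8080, "Protocol": "HTTP",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
        {   # HTTPS:443 on the default policy: TLS 1.0/1.1 still negotiable, finding
            "ListenerArn": _ARN_BASE + "cccc", "Port": 443, "Protocol": "HTTPS",
            "SslPolicy": "ELBSecurityPolicy-2016-08",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
        {   # HTTPS:8443 on a TLS 1.2-minimum policy: compliant
            "ListenerArn": _ARN_BASE + "dddd", "Port": 8443, "Protocol": "HTTPS",
            "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
    ]
})


def redirects_to_https(listener):
    """True when every default action of a plaintext listener is a redirect to HTTPS."""
    actions = listener.get("DefaultActions", [])
    return bool(actions) and all(
        action.get("Type") == "redirect"
        and action.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for action in actions
    )


def check_listener(listener):
    """Return a reason string if the listener is non-compliant, else None."""
    protocol = listener.get("Protocol")
    if protocol == "HTTPS":
        policy = listener.get("SslPolicy", "")
        if policy in TLS12_MIN_POLICIES:
            return None
        return f"ssl policy {policy or '<none>'} is not a TLS 1.2-minimum policy"
    # An HTTP listener whose only job is to bounce clients to HTTPS is tolerated;
    # any other plaintext listener is reported.
    if protocol == "HTTP" and redirects_to_https(listener):
        return None
    return f"plaintext {protocol} listener"


def audit_listeners(describe_listeners_json):
    """Parse `describe-listeners` output; return one finding dict per bad listener."""
    data = json.loads(describe_listeners_json)
    findings = []
    for listener in data.get("Listeners", []):
        reason = check_listener(listener)
        if reason is not None:
            findings.append({"listener": listener.get("ListenerArn"),
                             "port": listener.get("Port"),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_DESCRIBE_LISTENERS):
        print(f"port {finding['port']}: {finding['reason']}  ({finding['listener']})")
```

Run against real output by piping `aws elbv2 describe-listeners --load-balancer-arn <arn>` per load balancer into `audit_listeners`; collecting the findings across every account feeds the weekly encryption report, and the same function can back a custom AWS Config rule.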