@apolloclark
Created April 18, 2019 17:09
Example SOC Alert Ticket

Summary

Load Balancers without TLS/SSL enabled.

Timeline of Response

  • alert detected on 2019-03-27
  • ticket opened on 2019-03-27
  • must be closed by 2019-04-03, per Company SLA

Response Playbook

Scope / Involved Customers

This affects:

  • Fleet OR
  • Environments:
    • Account1 (aws account #)
    • Account2 (aws account #) OR
  • Customers:
    • Company1 (customer id #)
    • Company2 (customer id #)

Alert

"AWS Config has detected an insecure configuration in an Application Load Balancer. It does not have TLS 1.2 encryption enabled. This is required for reliable transport security."

http://aws.amazon.com/config/finding/abcdef123466

External Resources

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

https://docs.aws.amazon.com/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html

https://aws.amazon.com/about-aws/whats-new/2018/06/application-load-balancer-adds-new-security-policies-including-policy-for-forward-secrecy/

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

Technical Notes

...

Proposed Fixes

  1. Enable TLS on the specific customer Load Balancers.
  • use the AWS Web Console, or aws-cli
  • command (Classic ELB only; it swaps the certificate on an existing HTTPS listener, so the HTTPS listener must already exist and --ssl-certificate-id is required; ALB listeners, which the alert names, are managed with aws elbv2 create-listener / modify-listener and their --ssl-policy):
aws elb set-load-balancer-listener-ssl-certificate \
  --load-balancer-name <value> \
  --load-balancer-port <value> \
  --ssl-certificate-id <value>
  • test:
nmap -sV --script ssl-enum-ciphers -p 443 <host> \
  | grep -F 'least strength'
  • verify:
|_  least strength: A
  • caveat: "least strength" grades the cipher suites, not the protocol version, so a listener that still offers TLS 1.0 can score A. Also confirm the full ssl-enum-ciphers output lists only a TLSv1.2 section (no SSLv3, TLSv1.0 or TLSv1.1 sections).
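Added example, not part of the original ticket: a small parser for the nmap ssl-enum-ciphers output used in the test step above, which applies the full check (no legacy protocol sections, least strength A) rather than grepping one line. The two scan outputs embedded below are constructed samples, not real scan results.

```python
import re

# Protocol versions a TLS 1.2-only listener must not offer.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# nmap prints one section per offered protocol, e.g. "|   TLSv1.2:"
PROTOCOL_RE = re.compile(r"^\|\s+(SSLv2|SSLv3|TLSv1\.[0-3]):\s*$")
# one line per cipher suite, e.g. "|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A"
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+(?:\([^)]*\)\s+)?-\s+(\S+)\s*$")
# final summary line, e.g. "|_  least strength: A"
STRENGTH_RE = re.compile(r"^\|_?\s+least strength:\s+(\S+)\s*$")

# Constructed sample: listener still offers TLS 1.0, yet every suite grades A.
SAMPLE_MIXED = """\
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Constructed sample: the same listener after moving to a TLS 1.2-only policy.
SAMPLE_TLS12_ONLY = """\
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""


def parse_ssl_enum_ciphers(output):
    """Return the offered protocols (in scan order), the (suite, grade)
    pairs listed under each, and the summary least strength grade."""
    parsed = {"protocols": [], "ciphers": {}, "least_strength": None}
    current = None
    for line in output.splitlines():
        m = PROTOCOL_RE.match(line)
        if m:
            current = m.group(1)
            parsed["protocols"].append(current)
            parsed["ciphers"][current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            parsed["ciphers"][current].append((m.group(1), m.group(2)))
            continue
        m = STRENGTH_RE.match(line)
        if m:
            parsed["least_strength"] = m.group(1)
    return parsed


def check_tls12_only(output, required_grade="A"):
    """Return (passed, findings) for one scan. nmap grades cipher suites,
    not protocol versions, so a TLS 1.0 section whose suites all grade A
    still yields 'least strength: A'; each legacy section is a finding."""
    parsed = parse_ssl_enum_ciphers(output)
    findings = []
    if not parsed["protocols"]:
        findings.append("no TLS offered on the port (plaintext listener, closed port, or scan failed)")
        return False, findings
    for proto in parsed["protocols"]:
        if proto in LEGACY_PROTOCOLS:
            findings.append("legacy protocol offered: " + proto)
    if parsed["least_strength"] != required_grade:
        findings.append("least strength is %r, required %r" % (parsed["least_strength"], required_grade))
    return not findings, findings


if __name__ == "__main__":
    for name, sample in (("mixed", SAMPLE_MIXED), ("tls12-only", SAMPLE_TLS12_ONLY)):
        ok, findings = check_tls12_only(sample)
        print(name, "PASS" if ok else "FAIL", findings)
```

Run the real scan with the nmap command above and pass its stdout to check_tls12_only; a grep for "least strength" alone would mark SAMPLE_MIXED as fixed.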

OR

  1. Require all ALBs in the Fleet to have TLS 1.2 enabled.
  • prevent the deployment of any ALB without TLS 1.2
    • update the provisioning engine to block deployment
  • detect any ALBs without TLS 1.2
    • enable AWS Config in all AWS accounts (note: the elb-predefined-security-policy-ssl-check rule linked above evaluates Classic ELBs; ALB listeners need a rule that checks the listener's SslPolicy)
  • automatically enable TLS 1.2 on all Load Balancers
  • weekly report on Load Balancer encryption
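Added example, not part of the original ticket: the detection logic for the fleet-wide fix, run over ALB listener records shaped like the output of aws elbv2 describe-listeners. It flags HTTPS listeners whose security policy still permits TLS below 1.2 and plaintext HTTP listeners that serve traffic instead of redirecting to HTTPS; the findings it returns are what a weekly report would list. The listener records and ARNs below are constructed, and the TLS12_MIN_POLICIES allow-list is an assumption that has to be kept in sync with the ELB security policy table linked under External Resources.

```python
# ALB security policies whose minimum protocol is TLS 1.2 (assumed allow-list;
# maintain it against the AWS security policy table as new policies appear).
TLS12_MIN_POLICIES = {
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
}

# Constructed sample records (fake account id and ARNs), in describe-listeners shape.
ARN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:"
SAMPLE_LISTENERS = [
    {   # default 2016-08 policy still accepts TLS 1.0 and 1.1 -> finding
        "ListenerArn": ARN + "listener/app/web-a/aaa/l1",
        "LoadBalancerArn": ARN + "loadbalancer/app/web-a/aaa",
        "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08",
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": ARN + "targetgroup/web-a/t1"}],
    },
    {   # TLS 1.2-only policy -> compliant
        "ListenerArn": ARN + "listener/app/web-b/bbb/l1",
        "LoadBalancerArn": ARN + "loadbalancer/app/web-b/bbb",
        "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01",
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": ARN + "targetgroup/web-b/t1"}],
    },
    {   # port 80 exists only to redirect to HTTPS -> compliant
        "ListenerArn": ARN + "listener/app/web-b/bbb/l2",
        "LoadBalancerArn": ARN + "loadbalancer/app/web-b/bbb",
        "Protocol": "HTTP", "Port": 80,
        "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
            "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}],
    },
    {   # plaintext listener forwarding application traffic -> finding
        "ListenerArn": ARN + "listener/app/web-c/ccc/l1",
        "LoadBalancerArn": ARN + "loadbalancer/app/web-c/ccc",
        "Protocol": "HTTP", "Port": 8080,
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": ARN + "targetgroup/web-c/t1"}],
    },
]


def redirects_to_https(listener):
    """True only if every default action is a redirect to HTTPS, i.e. the
    plaintext listener never forwards a request to a target group."""
    actions = listener.get("DefaultActions", [])
    return bool(actions) and all(
        a.get("Type") == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions
    )


def audit_listener(listener):
    """Return a finding string, or None when the listener is compliant."""
    proto = listener.get("Protocol")
    port = listener.get("Port")
    if proto == "HTTPS":
        policy = listener.get("SslPolicy")
        if policy in TLS12_MIN_POLICIES:
            return None
        return "HTTPS listener on port %s uses %s, which allows TLS below 1.2" % (port, policy)
    if proto == "HTTP":
        if redirects_to_https(listener):
            return None
        return "plaintext HTTP listener on port %s serves traffic without redirecting to HTTPS" % port
    return "unexpected listener protocol %r on port %s; review manually" % (proto, port)


def audit_fleet(listeners):
    """Return one finding record per non-compliant listener, for the weekly report."""
    findings = []
    for listener in listeners:
        message = audit_listener(listener)
        if message:
            findings.append({
                "LoadBalancerArn": listener.get("LoadBalancerArn"),
                "ListenerArn": listener.get("ListenerArn"),
                "Finding": message,
            })
    return findings


def collect_listeners(elbv2_client):
    """Fetch every ALB listener in one account/region with a boto3 elbv2
    client (needs elasticloadbalancing:DescribeLoadBalancers and
    DescribeListeners). Not used by the offline sample run below."""
    listeners = []
    for page in elbv2_client.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb.get("Type") != "application":
                continue
            listeners.extend(elbv2_client.describe_listeners(
                LoadBalancerArn=lb["LoadBalancerArn"])["Listeners"])
    return listeners


if __name__ == "__main__":
    for f in audit_fleet(SAMPLE_LISTENERS):
        print("%s\t%s" % (f["ListenerArn"], f["Finding"]))
```

To run it against a real account, replace SAMPLE_LISTENERS with collect_listeners(boto3.client("elbv2")) for each account and region in scope; the same audit_listener logic is what a custom AWS Config rule would evaluate per listener.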

Stakeholders
