Insecure encryption algorithm - SSL/TLS - cloudformation

Need

Implementation of secure encryption algorithms and disabling insecure TLS protocol versions.

Context

  • Usage of AWS CloudFormation for Infrastructure as Code (IaC)
  • Usage of AWS::ElasticLoadBalancingV2::Listener for managing load balancer listeners in AWS
  • Usage of AWS::ElasticLoadBalancingV2::TargetGroup for managing target groups in AWS Load Balancer

Description

Non compliant code

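# Fragment: ExampleLoadBalancer and ExampleTargetGroup are assumed to be
# defined elsewhere in the template; the Certificates property that an
# HTTPS listener requires is omitted here.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ExampleListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ExampleLoadBalancer
      Port: 443
      Protocol: HTTPS
      # Predefined policy that still accepts TLS 1.0 and 1.1
      SslPolicy: ELBSecurityPolicy-2015-05
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ExampleTargetGroup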

In the above CloudFormation template, we define a load balancer listener for an AWS Application Load Balancer. The listener is configured to listen on port 443 (HTTPS) and uses the ELBSecurityPolicy-2015-05 SSL policy.

The vulnerability lies in the SslPolicy that is being used. The ELBSecurityPolicy-2015-05 policy allows the usage of insecure TLS protocol versions, including TLS 1.0 and 1.1. These versions of the TLS protocol are known to be insecure and susceptible to various attacks, such as BEAST, CRIME, and POODLE.

This means that the data being transmitted between the client and the server could potentially be intercepted and decrypted by an attacker. This could lead to sensitive information being exposed, such as user credentials, credit card numbers, or other personal data.

To fix this vulnerability, the SslPolicy should be updated to use a more secure policy, such as ELBSecurityPolicy-TLS-1-2-2017-01, which only allows the usage of the secure TLS 1.2 protocol version.

Steps

  • Update the SSL/TLS protocol version to TLSv1.2 or TLSv1.3
  • Ensure that the SSL/TLS configuration is using secure encryption algorithms
  • Consider using a more secure SSL/TLS policy

Compliant code

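# Fragment: ExampleLoadBalancer and ExampleTargetGroup are assumed to be
# defined elsewhere in the template; the Certificates property that an
# HTTPS listener requires is omitted here.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ExampleListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ExampleLoadBalancer
      Port: 443
      Protocol: HTTPS
      # Predefined policy that accepts TLS 1.2 only
      SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ExampleTargetGroup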

The above code is a fixed version of the vulnerable code. The vulnerability was that the server allowed the usage of insecure TLS protocol versions. This is a serious security issue as it can allow attackers to exploit the weak encryption and potentially gain unauthorized access to sensitive data.

The fix involves changing the SslPolicy from ELBSecurityPolicy-2015-05 to ELBSecurityPolicy-TLS-1-2-2017-01. This change ensures that the server is now using a secure version of the TLS protocol, specifically TLSv1.2, which is currently considered secure.

The ELBSecurityPolicy-TLS-1-2-2017-01 policy is a predefined policy by AWS which includes the secure TLSv1.2 protocol along with secure cipher suites. This policy will help protect the server from attacks that target weak protocols and ciphers.

Remember, it's important to regularly review and update your security configurations, as what is considered secure evolves over time.
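The review described above can be run as a pre-deployment check. The following is an added example, not code from the original page or from AWS: it audits a CloudFormation template already loaded as a dictionary (for instance with json.load on a JSON template) and reports every HTTPS/TLS listener whose SslPolicy is missing, cannot be resolved, or is not on an allowlist. The allowlist contents, the function names and the sample template are assumptions of this example.

```python
LISTENER = "AWS::ElasticLoadBalancingV2::Listener"
# Allowlist assumed for this example: the policy the page recommends plus two
# AWS predefined TLS 1.3 policies that also refuse TLS 1.0/1.1.
ALLOWED = {"ELBSecurityPolicy-TLS-1-2-2017-01",
           "ELBSecurityPolicy-TLS13-1-2-2021-06",
           "ELBSecurityPolicy-TLS13-1-3-2021-06"}

def resolve(value, params):
    """Return a literal string, or the Default of a {"Ref": parameter}; else None."""
    if isinstance(value, dict) and "Ref" in value:
        value = params.get(value["Ref"], {}).get("Default")
    return value if isinstance(value, str) else None

def audit_listeners(template):
    """Return sorted (logical_id, finding) pairs for listeners that fail the check."""
    params, findings = template.get("Parameters", {}), []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != LISTENER:
            continue
        props = res.get("Properties", {})
        proto = resolve(props.get("Protocol"), params)
        if proto is not None and proto not in ("HTTPS", "TLS"):
            continue  # HTTP/TCP/UDP listeners do not negotiate TLS
        if "SslPolicy" not in props:
            findings.append((name, "SslPolicy unset, service default applies"))
            continue
        policy = resolve(props["SslPolicy"], params)
        if policy is None:
            findings.append((name, "SslPolicy not statically resolvable"))
        elif policy not in ALLOWED:
            findings.append((name, f"{policy} not on allowlist"))
    return sorted(findings)

# Constructed sample template, shaped like json.load() output; not from the page.
def listener(**props):
    return {"Type": LISTENER, "Properties": props}

SAMPLE = {
    "Parameters": {"Policy": {"Type": "String", "Default": "ELBSecurityPolicy-2016-08"}},
    "Resources": {
        "Legacy": listener(Protocol="HTTPS", SslPolicy="ELBSecurityPolicy-2015-05"),
        "Fixed": listener(Protocol="HTTPS", SslPolicy="ELBSecurityPolicy-TLS-1-2-2017-01"),
        "Unset": listener(Protocol="HTTPS"),
        "ViaRef": listener(Protocol="TLS", SslPolicy={"Ref": "Policy"}),
        "Plain": listener(Protocol="HTTP")}}

if __name__ == "__main__":
    print(*audit_listeners(SAMPLE), sep="\n")
```

A parameter's Default can be overridden at deploy time, so a finding or a pass reached through a Ref reflects the template only, not a specific stack.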
