Tags: amazon-web-services, amazon-elb, aws-security-hub

How to automatically enable the ELB cipher policy specified in CloudFormation


Policies that I specified under the CloudFormation ELB Policies attribute are not enabled after deployment. I had to enable them manually; until then the old default policy was in effect. How do I automatically enable the ELB cipher policy specified in CloudFormation?

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-policy.html

Policies:
    - PolicyName: My-SSLNegotiation-Policy
      PolicyType: SSLNegotiationPolicyType
      Attributes:
      - Name: Reference-Security-Policy
        Value: ELBSecurityPolicy-TLS-1-2-2017-01

On the AWS Console it was still showing the predefined policy as ELBSecurityPolicy-2016-08, which is the default policy.

Then I had to manually enable it using the CLI command below; after that it showed the predefined policy as ELBSecurityPolicy-TLS-1-2-2017-01.

aws elb set-load-balancer-policies-of-listener --load-balancer-name auhuman-ELB-qwertyuiop --load-balancer-port 443 --policy-names Auhuman-ELBSecurityPolicy-TLS-1-2-2017-01 --region us-east-1

Solution

  • This style of policy definition is associated with the classic EC2 load balancer. If at all possible, you should use a V2 application load balancer instead. Really the only use case for a classic ELB is if you have classic EC2 instances not in a VPC, and you should be thinking about a migration strategy for those.

    Assuming you can use a V2 ALB, you can use the SslPolicy property on the listener to declare your policy, for example:

    LoadBalancerSecureListener:
      Type: AWS::ElasticLoadBalancingV2::Listener
      Properties:
        LoadBalancerArn: !Ref LoadBalancer
        Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: !Ref ACSCertificate
        SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
        DefaultActions:
          - Type: forward
            TargetGroupArn: !Ref DefaultTargetGroup
    

    Of course you'll need to substitute appropriate references for your situation.

    If you absolutely have to use a classic ELB, then you need to associate the policy name with the listener by adding the PolicyNames property to the listener config, as in:

    Loadbal:
      Type: 'AWS::ElasticLoadBalancing::LoadBalancer'
      Properties:
        Subnets:
          - !Ref subnet1
          - !Ref subnet2
        Listeners:
          - InstancePort: 80
            LoadBalancerPort: 443
            Protocol: HTTPS
            # Plain intrinsic function; wrapping it in a '>-' block scalar would
            # pass the literal string "!Ref ACSCertificate" instead of the ARN.
            SSLCertificateId: !Ref ACSCertificate
            # This is the part that was missing: the policy must be attached
            # to the listener, not just declared under Policies.
            PolicyNames:
              - My-SSLNegotiation-Policy
        Policies:
          - PolicyName: My-SSLNegotiation-Policy
            PolicyType: SSLNegotiationPolicyType
            Attributes:
              - Name: Reference-Security-Policy
                Value: ELBSecurityPolicy-TLS-1-2-2017-01
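A pre-deployment check for exactly the misconfiguration this answer fixes, as an added example that is not part of the original answer: it walks a CloudFormation template (JSON-style intrinsic functions, here constructed as a Python dict) and reports any Classic ELB HTTPS/SSL listener whose PolicyNames attaches none of the declared SSLNegotiationPolicyType policies, i.e. a listener that will silently keep the default predefined policy. Resource names and the `classic_elb_template` helper are constructed for the demonstration.

```python
"""Lint a CloudFormation template for the problem in the question: a Classic ELB
that declares an SSLNegotiationPolicyType policy but never attaches it to its
HTTPS listener, so the listener silently keeps the default predefined policy.
Added example, not code from the original post; resource names are constructed."""

CLASSIC_ELB = "AWS::ElasticLoadBalancing::LoadBalancer"
TLS_PROTOCOLS = {"HTTPS", "SSL"}  # listener protocols that negotiate TLS


def find_unattached_tls_policies(template: dict) -> list:
    """Return one finding per TLS listener that has no attached SSL policy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != CLASSIC_ELB:
            continue
        props = res.get("Properties", {})
        # Policies declared on the load balancer (declaring alone attaches nothing).
        tls_policies = {p["PolicyName"] for p in props.get("Policies", [])
                        if p.get("PolicyType") == "SSLNegotiationPolicyType"}
        for listener in props.get("Listeners", []):
            if str(listener.get("Protocol", "")).upper() not in TLS_PROTOCOLS:
                continue  # plain HTTP/TCP listeners negotiate no ciphers
            attached = set(listener.get("PolicyNames", []))
            if not attached & tls_policies:
                findings.append(
                    f"{name}: TLS listener on port {listener.get('LoadBalancerPort')} "
                    f"attaches none of the declared SSL policies {sorted(tls_policies)}; "
                    f"the default predefined policy will be used")
    return findings


def classic_elb_template(policy_names: list) -> dict:
    """Constructed sample template mirroring the question's resource;
    policy_names is what the listener's PolicyNames lists (empty = as posted)."""
    listener = {"InstancePort": 80, "LoadBalancerPort": 443, "Protocol": "HTTPS",
                "SSLCertificateId": {"Ref": "ACSCertificate"}}
    if policy_names:
        listener["PolicyNames"] = list(policy_names)
    return {"Resources": {"Loadbal": {"Type": CLASSIC_ELB, "Properties": {
        "Subnets": [{"Ref": "subnet1"}],
        "Listeners": [listener],
        "Policies": [{"PolicyName": "My-SSLNegotiation-Policy",
                      "PolicyType": "SSLNegotiationPolicyType",
                      "Attributes": [{"Name": "Reference-Security-Policy",
                                      "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"}]}]}}}}


if __name__ == "__main__":
    for label, names in (("as posted", []), ("fixed", ["My-SSLNegotiation-Policy"])):
        print(label, find_unattached_tls_policies(classic_elb_template(names)) or "OK")
```

Running it against the template as posted yields one finding for `Loadbal`; with `My-SSLNegotiation-Policy` listed under the listener's PolicyNames it yields none.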