ELB Security Features

toddm92 edited this page Oct 16, 2014 · 34 revisions

Purpose

Capture the latest Elastic Load Balancing security standards and document new features.

Security Enhancements

Perfect Forward Secrecy

This security feature uses a derived session key to provide additional safeguards against the eavesdropping of encrypted data. This prevents the decoding of captured data, even if the secret long-term key is compromised.

Elliptic Curve Cryptography (ECDHE) cipher suites. Most major browsers now support these newer and more secure cipher suites.


{ "Name" : "ECDHE-ECDSA-AES128-GCM-SHA256", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES128-GCM-SHA256", "Value"   : "true" },
{ "Name" : "ECDHE-ECDSA-AES128-SHA256", "Value"     : "true" },
{ "Name" : "ECDHE-RSA-AES128-SHA256", "Value"       : "true" },
{ "Name" : "ECDHE-ECDSA-AES128-SHA", "Value"        : "true" },
{ "Name" : "ECDHE-RSA-AES128-SHA", "Value"          : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-GCM-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES256-GCM-SHA384", "Value"   : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-SHA384", "Value"     : "true" },
{ "Name" : "ECDHE-RSA-AES256-SHA384", "Value"       : "true" },
{ "Name" : "ECDHE-RSA-AES256-SHA", "Value"          : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-SHA", "Value"        : "true" }

Server Order Preference

When establishing a secure connection, the server and client must agree on a common cipher suite from a prioritized list of ciphers that they both support. The load balancer will select a cipher suite based on the server’s prioritization of cipher suites rather than the client’s.


{ "Name" : "Server-Defined-Cipher-Order", "Value"   : "true" }

Deprecated SSL Ciphers


{ "Name" : "RC2-CBC-MD5", "Value"                   : "false" },
{ "Name" : "PSK-AES256-CBC-SHA", "Value"            : "false" },
{ "Name" : "PSK-3DES-EDE-CBC-SHA", "Value"          : "false" },
{ "Name" : "KRB5-DES-CBC3-SHA", "Value"             : "false" },
{ "Name" : "KRB5-DES-CBC3-MD5", "Value"             : "false" },
{ "Name" : "PSK-AES128-CBC-SHA", "Value"            : "false" },
{ "Name" : "PSK-RC4-SHA", "Value"                   : "false" },
{ "Name" : "KRB5-RC4-SHA", "Value"                  : "false" },
{ "Name" : "KRB5-RC4-MD5", "Value"                  : "false" },
{ "Name" : "KRB5-DES-CBC-SHA", "Value"              : "false" },
{ "Name" : "KRB5-DES-CBC-MD5", "Value"              : "false" },
{ "Name" : "EXP-EDH-RSA-DES-CBC-SHA", "Value"       : "false" },
{ "Name" : "EXP-EDH-DSS-DES-CBC-SHA", "Value"       : "false" },
{ "Name" : "EXP-ADH-DES-CBC-SHA", "Value"           : "false" },
{ "Name" : "EXP-DES-CBC-SHA", "Value"               : "false" },
{ "Name" : "EXP-RC2-CBC-MD5", "Value"               : "false" },
{ "Name" : "EXP-KRB5-RC2-CBC-SHA", "Value"          : "false" },
{ "Name" : "EXP-KRB5-DES-CBC-SHA", "Value"          : "false" },
{ "Name" : "EXP-KRB5-RC2-CBC-MD5", "Value"          : "false" },
{ "Name" : "EXP-KRB5-DES-CBC-MD5", "Value"          : "false" },
{ "Name" : "EXP-ADH-RC4-MD5", "Value"               : "false" },
{ "Name" : "EXP-RC4-MD5", "Value"                   : "false" },
{ "Name" : "EXP-KRB5-RC4-SHA", "Value"              : "false" },
{ "Name" : "EXP-KRB5-RC4-MD5", "Value"              : "false" }

POODLE (disabling SSLv3)

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3.0. It does not affect the newer encryption mechansim known as Transport Layer Security (TLS).


{ "Name" : "Protocol-SSLv3", "Value"                : "false" `}

Checking for the vulnerability.


#!/bin/bash
#
echo blah | openssl s_client -connect ${1}:443 -ssl3 2> /dev/null | grep 'Protocol.*SSLv3' -A1

New Features

Enabling Cross Zone Load Balancing

The load balancer routes traffic to the back-end instances across all Availability Zones.


"CrossZone"                 : "true"

Configuring a Connection Draining Policy

Connection draining ensures that the load balancer completes serving all in-flight requests made to a registered instance when the instance is deregistered or becomes unhealthy.


"ConnectionDrainingPolicy": {
  "Enabled"                 : "true",
  "Timeout"                 : "60"
}

Setting up Access Logging

Creating the S3 bucket and policy to store the load balancer access logs. CloudFormation generates a unique physicalID and uses that ID for the bucket name. The bucket name produced will look similar to this: template-name-s3loggingbucket-12345678.


"S3LoggingBucket": {
  "Type" : "AWS::S3::Bucket"
},
 
"S3LoggingBucketPolicy": {
  "Type" : "AWS::S3::BucketPolicy",
  "Properties" : {
    "Bucket"                : { "Ref" : "S3LoggingBucket" },
    "PolicyDocument" : {
      "Version"             : "2008-10-17",
      "Statement"           : [ {
        "Effect"            : "Allow",
        "Resource" : {
          "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref": "S3LoggingBucket" }, "/AWSLogs/", { "Ref": "AWS::AccountId" }, "/*" ] ]
        },
        "Principal"         : { "AWS": "*" },
        "Action"            : [ "s3:PutObject" ]
      } ]
    }
  }
}

Enabling the access logging policy.


"AccessLoggingPolicy" : { 
  "S3BucketName"            : { "Ref" : "S3LoggingBucket" }, 
  "Enabled"                 : "true", 
  "EmitInterval"            : "60" 
},

The entire ELB template.