
Insecure service configuration - Certificates - Cloudformation


Need

Ensure proper validation and configuration of X.509 certificates in AWS services


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Configuration of services using TLS/SSL certificates

Description

Insecure Code Example

Resources:
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: insecure-alb
      Scheme: internet-facing
      Subnets:
        - subnet-12345678
      Type: application

  MyListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref MyLoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: arn:aws:acm:region:account:certificate/invalid-cert-id
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: 200
            ContentType: text/plain
            MessageBody: "OK"

In this CloudFormation example, an Application Load Balancer (ALB) is configured with an HTTPS listener. However, the listener omits `SslPolicy`, so it does not enforce a strict TLS policy (a secure security policy that fixes the minimum protocol version and cipher suites), and the referenced certificate is not a valid, trusted one: nothing in this configuration validates the certificate chain or the hostname. If the load balancer is additionally configured to accept all client certificates without proper validation, backend services are exposed to man-in-the-middle (MitM) attacks: an attacker can present an invalid or self-signed certificate and still have the connection accepted.

Steps

  1. Avoid using expired, self-signed, or untrusted X.509 certificates
  2. Enforce strict TLS policies with strong cipher suites and minimum protocol versions
  3. Use ACM or trusted CAs to manage certificates automatically
  4. If mutual TLS is required, validate client certificates against a trusted CA
  5. Monitor and rotate certificates before expiration

Secure Code Example

Resources:
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: secure-alb
      Scheme: internet-facing
      Subnets:
        - subnet-12345678
      Type: application

  MyListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref MyLoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: arn:aws:acm:region:account:certificate/valid-cert-id
      SslPolicy: ELBSecurityPolicy-TLS-1-2-2021-06
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: 200
            ContentType: text/plain
            MessageBody: "OK"

In this improved CloudFormation template, the HTTPS listener uses a valid ACM certificate and enforces a secure TLS policy (`ELBSecurityPolicy-TLS-1-2-2021-06`). This policy ensures that only strong ciphers and valid certificate chains are accepted. Additionally, by not accepting arbitrary client certificates and relying on the ACM certificate validation process, the risk of MitM attacks is reduced. If mutual TLS is needed, client certificate validation against a trust store holding the trusted CA should also be configured on the listener.
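The following is an added example, not tooling from the original page or from the Fluid Attacks project: a small static check that reads a CloudFormation template in its JSON form (standard library only, so `!Ref`-style YAML tags need no extra parser) and reports the defects described for the insecure listener above (no `SslPolicy`, a certificate ARN that is not a well-formed ACM ARN), accepts the secure listener, and also flags mutual TLS listeners that would pass client certificates through without a trust store. The ACM ARN regular expression, the allowlist of TLS 1.2-minimum policy-name prefixes, and the sample template with its placeholder ARNs are assumptions constructed for this example.

```python
"""Static check for CloudFormation ELBv2 HTTPS/TLS listeners.

Added example, not the page's own tooling. Reads a template in
CloudFormation JSON form; the Properties keys are the same as in the
YAML form shown on the page.
"""
import json
import re

LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener"

# ACM certificate ARN: arn:<partition>:acm:<region>:<12-digit account>:certificate/<UUID>
# (assumption: hand-written shape check, not an AWS-published regex)
ACM_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# ELB policy-name prefixes whose protocol floor is TLS 1.2 (assumption:
# keep this allowlist in step with the AWS-published security-policy list).
MIN_TLS12_PREFIXES = (
    "ELBSecurityPolicy-TLS13-",
    "ELBSecurityPolicy-TLS-1-2-",
    "ELBSecurityPolicy-FS-1-2-",
)


def check_listener(name: str, props: dict) -> list:
    """Return (severity, message) findings for one listener resource."""
    findings = []
    if str(props.get("Protocol", "")).upper() not in ("HTTPS", "TLS"):
        return findings  # plaintext listeners are a different finding class

    certs = props.get("Certificates") or []
    if not certs:
        findings.append(("HIGH", f"{name}: encrypted listener declares no certificate"))
    for cert in certs:
        arn = cert.get("CertificateArn", "")
        if isinstance(arn, dict):
            # {"Ref": ...} / {"Fn::Sub": ...}: only resolvable at deploy time
            findings.append(("INFO", f"{name}: CertificateArn is an intrinsic; verify the resolved ARN"))
        elif not ACM_ARN_RE.match(str(arn)):
            findings.append(("HIGH", f"{name}: CertificateArn is not a well-formed ACM ARN: {arn}"))

    policy = props.get("SslPolicy")
    if policy is None:
        findings.append(("MEDIUM", f"{name}: SslPolicy omitted; the service default permits TLS 1.0/1.1"))
    elif not str(policy).startswith(MIN_TLS12_PREFIXES):
        findings.append(("MEDIUM", f"{name}: SslPolicy {policy} does not enforce a TLS 1.2 minimum"))

    # Mutual TLS on ALB: 'passthrough' forwards client certificates without the
    # ALB validating them; 'verify' needs a trust store holding the trusted CA.
    mtls = props.get("MutualAuthentication") or {}
    mode = mtls.get("Mode")
    if mode == "passthrough":
        findings.append(("MEDIUM", f"{name}: mTLS passthrough; client certificates are not validated by the ALB"))
    elif mode == "verify" and not mtls.get("TrustStoreArn"):
        findings.append(("HIGH", f"{name}: mTLS verify mode without a TrustStoreArn"))
    return findings


def check_template(template: dict) -> dict:
    """Map each listener logical ID to its findings (empty list = clean)."""
    return {
        name: check_listener(name, res.get("Properties", {}))
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == LISTENER_TYPE
    }


# Constructed sample: the page's two listeners in JSON form. Both ARNs are
# placeholders; the "valid" one merely has the right shape.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "InsecureListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": {"Ref": "MyLoadBalancer"},
        "Port": 443,
        "Protocol": "HTTPS",
        "Certificates": [{"CertificateArn": "arn:aws:acm:region:account:certificate/invalid-cert-id"}]
      }
    },
    "SecureListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "LoadBalancerArn": {"Ref": "MyLoadBalancer"},
        "Port": 443,
        "Protocol": "HTTPS",
        "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"}],
        "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2021-06"
      }
    }
  }
}
""")

if __name__ == "__main__":
    for listener, findings in check_template(SAMPLE_TEMPLATE).items():
        print(listener, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run against the sample, `InsecureListener` yields a HIGH finding for the malformed ARN and a MEDIUM one for the missing `SslPolicy`, while `SecureListener` is clean. The check is deliberately static: an ARN supplied through an intrinsic function is reported at INFO so a reviewer confirms the resolved certificate, since the template alone cannot tell whether that certificate is expired, self-signed, or untrusted.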


References

  • 313 - Insecure service configuration - Certificates

  • Last updated: 2025/04/04