Terraform Outdated Or Missing Tls Policy
Description
Identifies AWS Load Balancer Listener resources in Terraform configurations that are missing SSL/TLS policies or using insecure SSL settings. This poses a security risk as load balancers without proper SSL/TLS policies may allow weak ciphers or outdated protocols, potentially exposing sensitive data in transit.
Detection Strategy
• Search for Terraform 'aws_lb_listener' resource blocks in infrastructure code
• Check if an SSL policy is specified in the listener configuration
• Verify if the configured SSL policy meets security requirements
• Report a security issue when an AWS Load Balancer listener is found without a secure SSL policy configuration
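The detection strategy above, as an added example that is not part of the original page or of Fluid Attacks' own scanner: a small Python scanner that locates aws_lb_listener blocks, reads only their top-level attributes (so a nested default_action block cannot hide a missing policy), and flags HTTPS/TLS listeners with no ssl_policy or one outside an allowlist. The allowlist of acceptable policy prefixes and the sample configuration are assumptions constructed for this example.

```python
import re
# Predefined ELB policy name prefixes accepted here (TLS 1.2 minimum or TLS 1.3);
# this allowlist is an assumption for the example, not a rule from the page.
SECURE_POLICY_PREFIXES = ("ELBSecurityPolicy-TLS13-", "ELBSecurityPolicy-TLS-1-2-")
RESOURCE_RE = re.compile(r'resource\s+"aws_lb_listener"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')

def _top_level_attrs(rest):
    """Quoted attributes at depth 0 of the block `rest` opens; nested blocks are skipped."""
    attrs, depth = {}, 0
    for line in rest.splitlines():
        line = line.split("#", 1)[0]                  # drop trailing comments
        if depth == 0 and (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2)
        depth += line.count("{") - line.count("}")
        if depth < 0:                                 # the resource block just closed
            break
    return attrs

def find_weak_listeners(tf_text):
    """(resource name, reason) for every HTTPS/TLS listener lacking a secure ssl_policy."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        attrs = _top_level_attrs(tf_text[m.end():])
        if attrs.get("protocol", "").upper() not in ("HTTPS", "TLS"):
            continue                                  # HTTP/TCP listeners carry no TLS policy
        policy = attrs.get("ssl_policy")
        if policy is None:
            findings.append((m.group(1), "ssl_policy not set"))
        elif not policy.startswith(SECURE_POLICY_PREFIXES):
            findings.append((m.group(1), f"outdated ssl_policy {policy}"))
    return findings
# Constructed sample configuration, not taken from the original page.
SAMPLE_TF = '''
resource "aws_lb_listener" "no_policy" {
  protocol = "HTTPS"
  default_action { type = "forward" }   # nested block must not hide the missing policy
}
resource "aws_lb_listener" "legacy" {
  protocol   = "HTTPS"
  ssl_policy = "ELBSecurityPolicy-2016-08"   # permits TLS 1.0 and 1.1
}
resource "aws_lb_listener" "modern" {
  protocol   = "HTTPS"
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
resource "aws_lb_listener" "plain_http" {
  protocol = "HTTP"
}
'''
```

Running find_weak_listeners(SAMPLE_TF) reports no_policy and legacy and stays silent on modern and plain_http; the scanner is intentionally line-based and does not handle HCL expressions, heredocs or braces inside strings.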
Vulnerable code example
resource "aws_lb_listener" "vulnerable_example" {
  load_balancer_arn = aws_lb.example.arn
  port              = "443"
  protocol          = "HTTPS" # Vulnerable: HTTPS listener without ssl_policy specified
  certificate_arn   = "arn:aws:acm:us-west-2:123456789:certificate/example"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn # assumed completion: the original snippet is truncated here
  }
}
✅ Secure code example
resource "aws_lb_listener" "secure_example" {
  load_balancer_arn = aws_lb.example.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-3-2021-06" # Added modern TLS 1.3 policy for strong security
  certificate_arn   = "arn:aws:acm:us-west-2:123456789:certificate/example"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn # assumed completion: the original snippet is truncated here
  }
}