Json Yaml Outdated Or Missing Tls
Description
Detects AWS Elastic Load Balancing v2 (ELBv2) listeners in CloudFormation templates whose SslPolicy is missing or names a policy that still negotiates TLS 1.0 or TLS 1.1. The SslPolicy property applies to HTTPS listeners on Application Load Balancers and TLS listeners on Network Load Balancers; when it is omitted, AWS applies its default policy (ELBSecurityPolicy-2016-08 at the time of writing), which still allows TLS 1.0 and 1.1. Outdated policies expose the application to known weaknesses in those protocol versions and their cipher suites.
Detection Strategy
• Scans CloudFormation template files for ELBv2 Listener resource definitions (AWS::ElasticLoadBalancingV2::Listener)
• Checks whether each Listener's SslPolicy property is present and names a policy that only negotiates TLS 1.2 or later
• Reports a vulnerability when an ELBv2 Listener is found without a secure SSL policy configuration
Vulnerable code example
Resources:
  vulnerableListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: HTTPS   # SslPolicy only applies to HTTPS/TLS listeners
      Port: 443
      # Vulnerable: ELBSecurityPolicy-TLS-1-1-2017-01 still negotiates TLS 1.1
      SslPolicy: ELBSecurityPolicy-TLS-1-1-2017-01
      # Certificates and DefaultActions omitted for brevity
  vulnerableListener2: ...
✅ Secure code example
Resources:
  secureListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: HTTPS
      Port: 443
      # Secure: this policy negotiates TLS 1.2 only (a TLS13-1-2 policy would add TLS 1.3)
      SslPolicy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
      # Certificates and DefaultActions omitted for brevity
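The following is an added example, not code from the original page or from the Fluid Attacks scanner: a small Python checker that applies the detection strategy above to a parsed CloudFormation template. It works on the JSON form of a template so it needs only the standard library (a YAML template would first need a loader that tolerates CloudFormation short-form tags such as !Ref, which is outside this example). The allowlist regex for "TLS 1.2 or later" policies, the sample template and its resource names are this example's own assumptions; keep the regex in sync with the AWS policy table. Beyond the page's two snippets, it also reports a listener whose SslPolicy is omitted and flags one whose SslPolicy is an intrinsic function that cannot be judged statically, and it skips plain HTTP listeners, where SslPolicy does not apply.

```python
import json
import re

# Assumption: policy names that negotiate only TLS 1.2 or 1.3 follow the pattern
# ELBSecurityPolicy-{TLS,FS,TLS13}-1-{2,3}-...  e.g. ELBSecurityPolicy-TLS-1-2-Ext-2018-06,
# ELBSecurityPolicy-FS-1-2-Res-2020-10, ELBSecurityPolicy-TLS13-1-2-2021-06.
# Names outside that pattern (ELBSecurityPolicy-2016-08, ...-TLS-1-0-2015-04,
# ...-TLS-1-1-2017-01, ...-FS-2018-06, ...-TLS13-1-0-2021-06) still permit TLS 1.0 and/or 1.1.
MODERN_POLICY = re.compile(r"^ELBSecurityPolicy-(TLS|FS|TLS13)-1-[23](-|$)")

LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener"
TLS_PROTOCOLS = {"HTTPS", "TLS"}  # ALB HTTPS listeners and NLB TLS listeners carry SslPolicy


def classify_policy(ssl_policy):
    """Return 'missing', 'unresolved', 'outdated' or 'ok' for one SslPolicy value."""
    if ssl_policy is None:
        # Omitted: AWS applies its default policy, which still allows TLS 1.0/1.1.
        return "missing"
    if not isinstance(ssl_policy, str):
        # {"Ref": ...}, {"Fn::FindInMap": ...} etc. cannot be judged statically; surface for review.
        return "unresolved"
    return "ok" if MODERN_POLICY.match(ssl_policy) else "outdated"


def find_weak_tls_listeners(template):
    """Scan a parsed CloudFormation template (dict) and return one finding per weak listener."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != LISTENER_TYPE:
            continue
        props = resource.get("Properties", {})
        if props.get("Protocol") not in TLS_PROTOCOLS:
            continue  # HTTP/TCP/UDP listeners do not terminate TLS, so SslPolicy does not apply
        verdict = classify_policy(props.get("SslPolicy"))
        if verdict != "ok":
            findings.append(
                {"resource": logical_id, "reason": verdict, "policy": props.get("SslPolicy")}
            )
    return findings


# Constructed sample template (JSON form of the snippets above plus extra cases); not a real deployment.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "outdatedListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"LoadBalancerArn": {"Ref": "myLoadBalancer"}, "Protocol": "HTTPS",
                     "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS-1-1-2017-01"}
    },
    "missingPolicyListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"LoadBalancerArn": {"Ref": "myLoadBalancer"}, "Protocol": "HTTPS", "Port": 443}
    },
    "plainHttpListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"LoadBalancerArn": {"Ref": "myLoadBalancer"}, "Protocol": "HTTP", "Port": 80}
    },
    "parameterisedListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"LoadBalancerArn": {"Ref": "myLoadBalancer"}, "Protocol": "HTTPS",
                     "Port": 443, "SslPolicy": {"Ref": "SslPolicyParam"}}
    },
    "secureListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"LoadBalancerArn": {"Ref": "myLoadBalancer"}, "Protocol": "HTTPS",
                     "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"}
    },
    "nlbTlsListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"LoadBalancerArn": {"Ref": "myNetworkLoadBalancer"}, "Protocol": "TLS",
                     "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"}
    }
  }
}
""")

if __name__ == "__main__":
    for finding in find_weak_tls_listeners(SAMPLE_TEMPLATE):
        print(f"{finding['resource']}: {finding['reason']} (SslPolicy={finding['policy']})")
```

Run against the sample, the checker reports outdatedListener (outdated), missingPolicyListener (missing) and parameterisedListener (unresolved), and stays silent on the HTTP listener and the two listeners using TLS 1.2+ policies. The "unresolved" verdict is deliberate: a scanner that silently accepts an intrinsic value would miss a parameter whose default is an old policy, so the listener is surfaced for manual review instead.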