
Update AWS ALB security policies for 2023.3.22 #198

Open
wants to merge 1 commit into
base: master

Conversation

@kepstin kepstin commented Apr 24, 2023

From this announcement:
https://aws.amazon.com/about-aws/whats-new/2023/03/application-load-balancer-tls-1-3/ TLSv1.3 support is now generally available in AWS ALB. They have added a new set of security policies that enable TLSv1.3. I have selected the following policies, which are the closest fit to the Mozilla server-side TLS recommendations:

Old:
Remains TLS-1-0-2015-04. This policy doesn't support TLSv1.3, but it is the only policy available which supports DES-CBC3-SHA.

Intermediate:
Switched from FS-1-2-Res-2019-08 to TLS13-1-2-2021-06. These two policies support the same set of TLSv1.2 ciphers, but the newer one also adds TLSv1.3 support.

Modern:
Can be supported now, using TLS13-1-3-2021-06.

@chalbersma
I'd like to +1 these recommendations; it looks like they match AWS's updated docs on the subject too.

@janbrasna janbrasna left a comment


@kepstin The intermediate policy chosen includes weak ciphers from old; there might be a better match:

@@ -40,7 +40,7 @@ Resources:
LoadBalancerArn: !Ref ExampleALB
Port: 443
Protocol: HTTPS
SslPolicy: {{#if (includes "TLSv1" output.protocols)}}ELBSecurityPolicy-TLS-1-0-2015-04{{else}}ELBSecurityPolicy-FS-1-2-Res-2019-08{{/if}}
SslPolicy: {{#if (includes "TLSv1" output.protocols)}}ELBSecurityPolicy-TLS-1-0-2015-04{{else}}{{#if (includes "TLSv1.2" output.protocols)}}ELBSecurityPolicy-TLS13-1-2-2021-06{{else}}ELBSecurityPolicy-TLS13-1-3-2021-06{{/if}}{{/if}}
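Review bot: the intermediate branch of the new nested `{{#if}}` selects `ELBSecurityPolicy-TLS13-1-2-2021-06`, whose name does not carry the `-Res-` suffix of the policy it replaces (`ELBSecurityPolicy-FS-1-2-Res-2019-08`); the PR description justifies the swap only by "same set of TLSv1.2 ciphers plus TLS 1.3", so please confirm that claim against the AWS policy table, or pick the `ELBSecurityPolicy-TLS13-1-2-Res-2021-06` variant whose name parallels the old choice. A second, smaller point: the branches test only `"TLSv1"` and `"TLSv1.2"`, so any protocol list that has TLSv1.1 but not TLSv1 would fall through to the intermediate policy; that cannot happen with the three Mozilla profiles, but a one-line template comment stating the assumption would save the next editor from rediscovering it.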

I've compared the policies in #211 and the ELBSecurityPolicy-TLS13-1-2-2021-06 seems to include weak CBC suites not present in the current recommendations.

Wouldn't the restricted ELBSecurityPolicy-TLS13-1-2-Res-2021-06 be a better match @kepstin?
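The two things this thread is debating, which policy name the generator should emit for a given protocol list and whether a candidate policy's cipher list fits the profile, can be checked offline. The following Python is an added example, not code from the ssl-config-generator project or from this PR: `select_alb_policy` reproduces the nested `{{#if}}` branching from the template hunk above (with the `-Res-` intermediate policy as the default, as suggested), and `audit_policy` takes one entry in the shape returned by `aws elbv2 describe-ssl-policies` and reports the suites and protocols a Mozilla profile would reject. The profile tolerances (old accepts CBC, static-RSA and 3DES suites; intermediate and modern accept only AEAD suites with ephemeral key exchange) are this example's reading of the Mozilla profiles, and the JSON document is a constructed sample in the CLI's output format, not the real contents of any AWS policy; run it against real `describe-ssl-policies` output to audit the policies named in the PR.

```python
"""Added example: ALB policy selection and cipher-list audit (not project code)."""
import json

OLD = "ELBSecurityPolicy-TLS-1-0-2015-04"
INTERMEDIATE_RES = "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
INTERMEDIATE_WIDE = "ELBSecurityPolicy-TLS13-1-2-2021-06"
MODERN = "ELBSecurityPolicy-TLS13-1-3-2021-06"

# Protocols each Mozilla profile enables; also used as the "allowed" set
# when auditing. (Assumption of this example, matching the profile docs.)
PROFILE_PROTOCOLS = {
    "old": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
    "intermediate": ["TLSv1.2", "TLSv1.3"],
    "modern": ["TLSv1.3"],
}

# Concerns each profile tolerates in a TLS 1.2 suite. Old keeps CBC,
# static-RSA and 3DES suites for legacy clients; intermediate and modern
# are AEAD + forward secrecy only.
TOLERATED = {"old": {"cbc", "no-fs", "3des"}, "intermediate": set(), "modern": set()}


def select_alb_policy(protocols, restricted=True):
    """Mirror the template: TLSv1 present -> old; else TLSv1.2 -> intermediate; else modern."""
    if "TLSv1" in protocols:
        return OLD
    if "TLSv1.2" in protocols:
        return INTERMEDIATE_RES if restricted else INTERMEDIATE_WIDE
    return MODERN


def classify_cipher(name):
    """Tag one suite name with the concerns it raises (empty set = clean).

    AWS lists TLS 1.3 suites with IANA-style TLS_ names and TLS 1.2 suites
    with OpenSSL-style names, which is what the string checks rely on.
    """
    tags = set()
    if name.startswith("TLS_"):
        return tags  # TLS 1.3 suites are AEAD with ephemeral key exchange by construction
    if "DES-CBC3" in name:
        tags.add("3des")
    if not any(aead in name for aead in ("GCM", "CHACHA20", "CCM")):
        tags.add("cbc")  # non-AEAD suite (CBC + HMAC)
    if not name.startswith(("ECDHE-", "DHE-")):
        tags.add("no-fs")  # static RSA key exchange, no forward secrecy
    return tags


def audit_policy(policy, profile):
    """Return (rejected_ciphers, extra_protocols) for one describe-ssl-policies entry."""
    rejected = []
    for cipher in policy["Ciphers"]:
        concerns = classify_cipher(cipher["Name"]) - TOLERATED[profile]
        if concerns:
            rejected.append((cipher["Name"], sorted(concerns)))
    extra = sorted(set(policy["SslProtocols"]) - set(PROFILE_PROTOCOLS[profile]))
    return rejected, extra


# Constructed sample in the `aws elbv2 describe-ssl-policies` output shape.
# Policy names and cipher lists are illustrative, not real AWS policies.
SAMPLE = json.loads("""{
 "SslPolicies": [
  {"Name": "example-res-policy", "SslProtocols": ["TLSv1.2", "TLSv1.3"],
   "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
               {"Name": "TLS_CHACHA20_POLY1305_SHA256", "Priority": 2},
               {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 3},
               {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 4}]},
  {"Name": "example-wide-policy", "SslProtocols": ["TLSv1.2", "TLSv1.3"],
   "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
               {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
               {"Name": "ECDHE-RSA-AES128-SHA256", "Priority": 3},
               {"Name": "AES128-SHA", "Priority": 4}]},
  {"Name": "example-legacy-policy", "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
   "Ciphers": [{"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 1},
               {"Name": "AES128-SHA", "Priority": 2},
               {"Name": "DES-CBC3-SHA", "Priority": 3}]}
 ]}""")


def audit_all(doc, profile):
    """Audit every policy in a describe-ssl-policies document against one profile."""
    return {p["Name"]: audit_policy(p, profile) for p in doc["SslPolicies"]}


if __name__ == "__main__":
    for profile, protocols in PROFILE_PROTOCOLS.items():
        print(f"{profile}: template selects {select_alb_policy(protocols)}")
        for name, (rejected, extra) in audit_all(SAMPLE, profile).items():
            print(f"  {name}: rejected={rejected} extra_protocols={extra}")
```

Feeding the real CLI output (`aws elbv2 describe-ssl-policies --names ELBSecurityPolicy-TLS13-1-2-2021-06 ELBSecurityPolicy-TLS13-1-2-Res-2021-06 --load-balancer-type application`) to `audit_all` with profile `intermediate` shows directly which of the two candidate policies carries CBC or static-RSA suites, which is the question the review comments above raise.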


Suggested change
SslPolicy: {{#if (includes "TLSv1" output.protocols)}}ELBSecurityPolicy-TLS-1-0-2015-04{{else}}{{#if (includes "TLSv1.2" output.protocols)}}ELBSecurityPolicy-TLS13-1-2-2021-06{{else}}ELBSecurityPolicy-TLS13-1-3-2021-06{{/if}}{{/if}}
SslPolicy: {{#if (includes "TLSv1" output.protocols)}}ELBSecurityPolicy-TLS-1-0-2015-04{{else}}{{#if (includes "TLSv1.2" output.protocols)}}ELBSecurityPolicy-TLS13-1-2-Res-2021-06{{else}}ELBSecurityPolicy-TLS13-1-3-2021-06{{/if}}{{/if}}
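Review bot: if this suggestion is taken, the PR description's statement that the intermediate policy "supports the same set of TLSv1.2 ciphers" as `ELBSecurityPolicy-FS-1-2-Res-2019-08` no longer describes the policy actually emitted, since the reason for preferring `ELBSecurityPolicy-TLS13-1-2-Res-2021-06` is precisely that the non-Res policy carries extra CBC suites. Please update the description and the commit message to say that the `-Res-` variant was chosen for its narrower suite list, so the rationale survives in the history rather than only in this review thread.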

@@ -14,11 +14,11 @@ module.exports = {
awsalb: {
hasVersions: false,
highlighter: 'yaml',
latestVersion: '2019.8.1',
latestVersion: '2023.3.22',
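Review bot: `latestVersion: '2023.3.22'` breaks the pattern of the value it replaces (`'2019.8.1'` tracked the date in `FS-1-2-Res-2019-08`), since the new policies are dated 2021-06 and the string instead records the TLS 1.3 GA announcement. Because `hasVersions: false` makes this the only version signal for the awsalb target, add a short comment on this line stating that it is the announcement date, so a later policy bump does not "correct" it back to a policy date and silently change the tls13 gate.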

That's actually a good version number — originally it used to be based on the date of the policy (i.e. 2021.6.1 in this case), however this aligns better with the announcement of tls13 availability for ALB (so the 2023.3.22 can be used as the tls13 value without any ambiguity), so I'd say that's ok @gene1wood?
