aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0

Expose ALB Listener's SSL Policy As A Manifest Parameter #5310

Open adrianosela opened 1 year ago

adrianosela commented 1 year ago

Expose ALB Listener's SSL Policy As A Manifest Parameter

I want to restrict the minimum TLS version that my clients talk to my service with... for compliance-related reasons. The problem is that copilot does not expose the ALB Listeners' Security Policy as manifest parameters I can set. So I am forced to resort to using YAML Patches.

Here's my YAML Patch:

# Enforce a modern TLS policy for the Application Load Balancer
- op: add
  path: /Resources/HTTPSListener/Properties/SslPolicy
  value: ELBSecurityPolicy-TLS13-1-2-2021-06

Copied from @tjhorner's comment in https://github.com/aws/copilot-cli/issues/3280.
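Because new environments come up with the default listener policy unless the patch above is applied, it is worth auditing deployed environments rather than trusting the manifest. The following is an added audit example, not Copilot's own code: it takes the JSON shape returned by `aws elbv2 describe-listeners` (a constructed sample is embedded) and derives each policy's minimum TLS version from the ELBSecurityPolicy naming scheme, which is an assumption about AWS naming (TLS13-1-2, TLS-1-2 and FS-1-2 encode a TLS 1.2 floor; legacy names such as ELBSecurityPolicy-2016-08 admit TLS 1.0).

```python
import json
import re

# Constructed sample shaped like `aws elbv2 describe-listeners --load-balancer-arn ...`.
# ELBSecurityPolicy-2016-08 is the policy an HTTPS listener gets when SslPolicy is omitted.
SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/demo/1/a",
         "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/demo/1/b",
         "Port": 8443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/demo/1/c",
         "Port": 80, "Protocol": "HTTP"},
    ]
})

# Assumption: policy names of the form ...-TLS13-1-2-..., ...-TLS-1-2-... or ...-FS-1-2-...
# carry the minimum protocol version as "<major>-<minor>" right after the family token.
_FLOOR = re.compile(r"^ELBSecurityPolicy-(?:TLS13|TLS|FS)-(\d)-(\d)(?:-|$)")
# Legacy policies with no version token in the name; all of them admit TLS 1.0.
_LEGACY_TLS10 = {"ELBSecurityPolicy-2015-05", "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-FS-2018-06"}


def minimum_tls_version(policy):
    """Return the lowest TLS version a policy admits as (major, minor), or None if unrecognised."""
    m = _FLOOR.match(policy)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    if policy in _LEGACY_TLS10:
        return (1, 0)
    return None


def find_weak_listeners(describe_output_json, required=(1, 2)):
    """List HTTPS listeners whose policy floor is below `required` or cannot be classified."""
    findings = []
    for lst in json.loads(describe_output_json).get("Listeners", []):
        if lst.get("Protocol") != "HTTPS":
            continue  # plain HTTP listeners carry no SslPolicy
        policy = lst.get("SslPolicy", "")
        floor = minimum_tls_version(policy)
        if floor is None:
            findings.append((lst["Port"], policy, "unknown policy, review manually"))
        elif floor < required:
            findings.append((lst["Port"], policy, "admits TLS %d.%d" % floor))
    return findings


if __name__ == "__main__":
    for port, policy, why in find_weak_listeners(SAMPLE_DESCRIBE_LISTENERS):
        print(f"port {port}: {policy}: {why}")
```

Run it against real output by piping `aws elbv2 describe-listeners` JSON into `find_weak_listeners`; a listener on the Copilot environment's ALB that still shows ELBSecurityPolicy-2016-08 means the patch did not reach that environment.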

huanjani commented 1 year ago

Thanks so much for opening this as a separate issue, @adrianosela!

I've marked it as a customer feature request, but to be transparent, please don't hold your breath for this as a manifest field; we are focused on unblocking users without workarounds like YAML patch/CDK overrides. Thanks for understanding!

tim-xergy commented 6 months ago

@huanjani I'd like to bump this up; having to manually make changes to the load balancer on any new environment is frustrating, especially for security concerns like this.

Could we at least have the default policy updated to one that disables 1.0 and 1.1?

proof-nicholas commented 1 month ago

Agreed, I don't see any reason why the default policy should be 1.0. We got dinged in a security scan because I assumed the tool would configure reasonable security defaults.