Allow using TLS 1.3 policies with NLBs (#2934)

ankon · web-flow · commit acad64bce02b · 2022-05-07T22:46:16.000+02:00
Fixes: #2928 Signed-off-by: Andreas Kohn (Framer) <andreas.kohn@framer.com>
diff --git a/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py b/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py
@@ -3,31 +3,38 @@
 from checkov.common.util.type_forcers import force_list
 from checkov.cloudformation.parser.cfn_keywords import ConditionFunctions, IntrinsicFunctions
 
+supported_policy_prefixes = {
+    # ALBs support TLS v1.2
+    'HTTPS': ("ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2"),
+    # NLBs support TLS v1.2 and 1.3
+    'TLS': ("ELBSecurityPolicy-TLS13-1-3-2021-06", "ELBSecurityPolicy-TLS13-1-2", "ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2")
+}
 
 class ALBListenerTLS12(BaseResourceCheck):
 
     def __init__(self):
-        name = "Ensure that Application Load Balancer Listener is using TLS v1.2"
+        name = "Ensure that Load Balancer Listener is using at least TLS v1.2"
         id = "CKV_AWS_103"
         supported_resources = ['AWS::ElasticLoadBalancingV2::Listener']
         categories = [CheckCategories.GENERAL_SECURITY]
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
     def scan_resource_conf(self, conf):
         """
-            validates that ALB Listener is using TLS v1.2
+            validates that ElasticLoadBalancing V2 Listener is using at least TLS v1.2
             https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html
         :param conf: aws_alb_listener configuration
         :return: <CheckResult>
         """
 
         if 'Properties' in conf.keys():
             if 'Protocol' in conf['Properties'].keys():
-                # Check SslPolicy only if protocol is HTTPS or TLS.
-                # Other protocols are not intresting within the context of this check.
-                if conf['Properties']['Protocol'] in ('HTTPS', 'TLS'):
+                # Check SslPolicy only if protocol is HTTPS (ALB) or TLS (NLB).
+                # Other protocols are not interesting within the context of this check.
+                protocol = conf['Properties']['Protocol']
+                if protocol in ('HTTPS', 'TLS'):
                     if 'SslPolicy' in conf['Properties'].keys():
-                        if conf['Properties']['SslPolicy'].startswith(("ELBSecurityPolicy-FS-1-2", "ELBSecurityPolicy-TLS-1-2")):
+                        if conf['Properties']['SslPolicy'].startswith(supported_policy_prefixes[protocol]):
                             return CheckResult.PASSED
                     return CheckResult.FAILED
                 elif conf['Properties']['Protocol'] in ('TCP', 'UDP', 'TCP_UDP'):
diff --git a/tests/cloudformation/checks/resource/aws/example_ALBListenerTLS12/ALBListenerTLS1.2-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_ALBListenerTLS12/ALBListenerTLS1.2-FAILED.yaml
@@ -7,21 +7,22 @@ Parameters:
     Type: List<AWS::EC2::Subnet::Id>
 
 Resources:
-  LoadBalancer:
+  ApplicationLoadBalancer:
     Type: AWS::ElasticLoadBalancingV2::LoadBalancer
     Properties:
       Name: CheckovTest
+      Type: application
       Subnets: !Ref Subnets
       SecurityGroups:
         - sg-1234567
 
   ListenerHTTPSFAILED1:
     Type: AWS::ElasticLoadBalancingV2::Listener
     Properties:
-      LoadBalancerArn: !Ref LoadBalancer
+      LoadBalancerArn: !Ref ApplicationLoadBalancer
       Port: 443
       Protocol: HTTPS
-      Certificates: 
+      Certificates:
         - CertificateArn: test-cert
       SslPolicy: ELBSecurityPolicy-2016-08
       DefaultActions:
@@ -31,11 +32,56 @@ Resources:
   ListenerHTTPSFAILED2:
     Type: AWS::ElasticLoadBalancingV2::Listener
     Properties:
-      LoadBalancerArn: !Ref LoadBalancer
+      LoadBalancerArn: !Ref ApplicationLoadBalancer
       Port: 443
       Protocol: HTTPS
-      Certificates: 
+      Certificates:
         - CertificateArn: test-cert
       DefaultActions:
         - Type: forward
-          TargetGroupArn: default-target-group
+          TargetGroupArn: default-target-group
+
+  NetworkLoadBalancer:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Name: CheckovTest
+      Type: network
+      Subnets: !Ref Subnets
+
+  ListenerTLSFAILED1:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      LoadBalancerArn: !Ref NetworkLoadBalancer
+      Port: 443
+      Protocol: TLS
+      Certificates:
+        - CertificateArn: test-cert
+      SslPolicy: ELBSecurityPolicy-2016-08
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: default-target-group
+
+  ListenerTLSFAILED2:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      LoadBalancerArn: !Ref NetworkLoadBalancer
+      Port: 443
+      Protocol: TLS
+      SslPolicy: ELBSecurityPolicy-TLS13-1-1-2021-06
+      Certificates:
+        - CertificateArn: test-cert
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: default-target-group
+
+  ListenerTLSFAILED3:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      LoadBalancerArn: !Ref NetworkLoadBalancer
+      Port: 443
+      Protocol: TLS
+      Certificates:
+        - CertificateArn: test-cert
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: default-target-group
diff --git a/tests/cloudformation/checks/resource/aws/example_ALBListenerTLS12/ALBListenerTLS1.2-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_ALBListenerTLS12/ALBListenerTLS1.2-PASSED.yaml
@@ -15,18 +15,19 @@ Conditions:
       - !Ref UseHttps
       - 'true'
 Resources:
-  LoadBalancer:
+  ApplicationLoadBalancer:
     Type: AWS::ElasticLoadBalancingV2::LoadBalancer
     Properties:
       Name: CheckovTest
+      Type: application
       Subnets: !Ref Subnets
       SecurityGroups:
         - sg-1234567
 
   ListenerHTTPSPASSED1:
     Type: AWS::ElasticLoadBalancingV2::Listener
     Properties:
-      LoadBalancerArn: !Ref LoadBalancer
+      LoadBalancerArn: !Ref ApplicationLoadBalancer
       Port: 443
       Protocol: HTTPS
       Certificates:
@@ -36,23 +37,10 @@ Resources:
         - Type: forward
           TargetGroupArn: default-target-group
 
-  ListenerHTTPSPASSED2:
+  ListenerHTTPPASSED2:
     Type: AWS::ElasticLoadBalancingV2::Listener
     Properties:
-      LoadBalancerArn: !Ref LoadBalancer
-      Port: 443
-      Protocol: TLS
-      Certificates:
-        - CertificateArn: test-cert
-      SslPolicy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
-      DefaultActions:
-        - Type: forward
-          TargetGroupArn: default-target-group
-
-  ListenerHTTPPASSED3:
-    Type: AWS::ElasticLoadBalancingV2::Listener
-    Properties:
-      LoadBalancerArn: !Ref LoadBalancer
+      LoadBalancerArn: !Ref ApplicationLoadBalancer
       Port: 80
       Protocol: HTTP
       DefaultActions:
@@ -68,6 +56,9 @@ Resources:
   ListenerHTTPUnknown:
      Type: AWS::ElasticLoadBalancingV2::Listener
      Properties:
+       LoadBalancerArn: !Ref ApplicationLoadBalancer
+       Port: 80
+       Protocol: HTTP
        DefaultActions: !If
         - IsHttps
         -
@@ -80,6 +71,59 @@ Resources:
         -
           - TargetGroupArn: default-target-group
             Type: forward
-       LoadBalancerArn: !Ref LoadBalancer
-       Port: 80
-       Protocol: HTTP
+
+  NetworkLoadBalancer:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Name: CheckovTest
+      Type: network
+      Subnets: !Ref Subnets
+
+  ListenerTLSPASSED1:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      LoadBalancerArn: !Ref NetworkLoadBalancer
+      Port: 443
+      Protocol: TLS
+      Certificates:
+        - CertificateArn: test-cert
+      SslPolicy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: default-target-group
+
+  ListenerTLSPASSED2:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      LoadBalancerArn: !Ref NetworkLoadBalancer
+      Port: 443
+      Protocol: TLS
+      Certificates:
+        - CertificateArn: test-cert
+      SslPolicy: ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: default-target-group
+
+  ListenerTLSPASSED3:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      LoadBalancerArn: !Ref NetworkLoadBalancer
+      Port: 443
+      Protocol: TLS
+      Certificates:
+        - CertificateArn: test-cert
+      SslPolicy: ELBSecurityPolicy-TLS13-1-3-2021-06
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: default-target-group
+
+  ListenerTCPPASSED4:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      LoadBalancerArn: !Ref NetworkLoadBalancer
+      Port: 443
+      Protocol: TCP
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: default-target-group
diff --git a/tests/cloudformation/checks/resource/aws/test_ALBListenerTLS12.py b/tests/cloudformation/checks/resource/aws/test_ALBListenerTLS12.py
@@ -18,21 +18,27 @@ def test_summary(self):
 
         passing_resources = {
             'AWS::ElasticLoadBalancingV2::Listener.ListenerHTTPSPASSED1',
-            'AWS::ElasticLoadBalancingV2::Listener.ListenerHTTPSPASSED2',
-            'AWS::ElasticLoadBalancingV2::Listener.ListenerHTTPPASSED3'
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerHTTPPASSED2',
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerTLSPASSED1',
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerTLSPASSED2',
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerTLSPASSED3',
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerTCPPASSED4'
         }
 
         failing_resources = {
             'AWS::ElasticLoadBalancingV2::Listener.ListenerHTTPSFAILED1',
-            'AWS::ElasticLoadBalancingV2::Listener.ListenerHTTPSFAILED2'
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerHTTPSFAILED2',
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerTLSFAILED1',
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerTLSFAILED2',
+            'AWS::ElasticLoadBalancingV2::Listener.ListenerTLSFAILED3'
         }
 
         unknown_resource = 'AWS::ElasticLoadBalancingV2::Listener.ListenerHTTPUnknown'
         passed_check_resources = set([c.resource for c in report.passed_checks])
         failed_check_resources = set([c.resource for c in report.failed_checks])
 
-        self.assertEqual(summary['passed'], 3)
-        self.assertEqual(summary['failed'], 2)
+        self.assertEqual(summary['passed'], passing_resources.__len__())
+        self.assertEqual(summary['failed'], failing_resources.__len__())
         self.assertEqual(summary['skipped'], 0)
         self.assertEqual(summary['parsing_errors'], 0)
         self.assertNotIn(unknown_resource, passed_check_resources)
