Ensure that the listeners of your app-tier Elastic Load Balancers (ELBs) use the latest AWS security policy for their SSL negotiation configuration. An SSL security policy is the combination of SSL/TLS protocol versions and cipher suites that an AWS ELB offers when negotiating an SSL/TLS connection between application clients and the load balancer. This conformity rule assumes that all AWS resources provisioned within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be configured in the rule settings on the Cloud Conformity account dashboard.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When your app-tier ELBs use the latest SSL security policy, the SSL/TLS connection is negotiated only with the protocol versions and cipher suites AWS currently considers safe, with no known practical attacks. This secures the connection between clients and the AWS ELB and protects against weaknesses such as Logjam and FREAK, which could otherwise allow an attacker to downgrade and decrypt the communication between vulnerable clients and your load balancer.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
Audit
To determine if your app-tier ELBs are using the latest SSL security policy, perform the following actions:
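The check itself, as an added example that is not Conformity's own engine code: it evaluates the rule offline against the output of the describe-load-balancers, describe-tags and describe-load-balancer-policies calls listed under References. The tag key tier:app, the ELB and policy names and the "latest" policy name are assumptions (confirm the current predefined policy in the AWS documentation); a listener is judged by the Reference-Security-Policy attribute of its policy rather than by the policy name, because console-created policies carry generated names.

```python
LATEST_POLICY = "ELBSecurityPolicy-2016-08"  # assumption: confirm the current predefined policy in AWS docs
REF_ATTR = "Reference-Security-Policy"       # attribute tying a listener policy to a predefined one
def app_tier_elbs(tag_descriptions, tag_key, tag_value):
    """Names of ELBs tagged <app_tier_tag>:<app_tier_tag_value> (describe-tags output)."""
    return {d["LoadBalancerName"] for d in tag_descriptions
            if any(t["Key"] == tag_key and t["Value"] == tag_value for t in d["Tags"])}

def reference_policy(policy_descriptions, policy_name):
    """Predefined policy a listener policy references, or None for a custom cipher set.
    Console-created policies are named AWSConsole-SSLNegotiationPolicy-*, so the name alone is useless."""
    for p in policy_descriptions:
        if p["PolicyName"] == policy_name and p["PolicyTypeName"] == "SSLNegotiationPolicyType":
            for a in p["PolicyAttributeDescriptions"]:
                if a["AttributeName"] == REF_ATTR:
                    return a["AttributeValue"]
    return None

def find_noncompliant(lb_descriptions, tag_descriptions, policies_by_lb,
                      tag_key, tag_value, latest=LATEST_POLICY):
    """(elb, port, policy in use) for every HTTPS/SSL app-tier listener not on `latest`."""
    in_scope, findings = app_tier_elbs(tag_descriptions, tag_key, tag_value), []
    for lb in (x for x in lb_descriptions if x["LoadBalancerName"] in in_scope):
        name = lb["LoadBalancerName"]
        for ld in lb["ListenerDescriptions"]:
            if ld["Listener"]["Protocol"] not in ("HTTPS", "SSL"):
                continue  # plain HTTP/TCP listeners negotiate no TLS
            refs = [reference_policy(policies_by_lb.get(name, []), n) for n in ld["PolicyNames"]]
            if latest not in refs:
                findings.append((name, ld["Listener"]["LoadBalancerPort"],
                                 next((r for r in refs if r), "custom-cipher-policy")))
    return findings

# Constructed sample output of the three describe-* calls (not from a real account)
SAMPLE_LBS = [
    {"LoadBalancerName": "app-elb-1", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
         "PolicyNames": ["AWSConsole-SSLNegotiationPolicy-app-elb-1-1"]}]},
    {"LoadBalancerName": "app-elb-2", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443}, "PolicyNames": ["app-elb-2-tls"]},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []}]}]
SAMPLE_TAGS = [{"LoadBalancerName": n, "Tags": [{"Key": "tier", "Value": "app"}]}
               for n in ("app-elb-1", "app-elb-2")]
def _ssl_policy(name, ref):
    return {"PolicyName": name, "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [{"AttributeName": REF_ATTR, "AttributeValue": ref}]}
SAMPLE_POLICIES = {
    "app-elb-1": [_ssl_policy("AWSConsole-SSLNegotiationPolicy-app-elb-1-1", "ELBSecurityPolicy-2015-05")],
    "app-elb-2": [_ssl_policy("app-elb-2-tls", LATEST_POLICY)]}
def audit_sample():
    return find_noncompliant(SAMPLE_LBS, SAMPLE_TAGS, SAMPLE_POLICIES, "tier", "app")
```

A listener whose policy carries no Reference-Security-Policy attribute is reported as custom-cipher-policy, since a hand-picked cipher set is not the predefined policy the rule requires.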
Remediation / Resolution
To enable the latest predefined SSL security policy for your app-tier ELBs, perform the following actions:
References
- AWS Documentation
  - What Is Elastic Load Balancing?
  - SSL Negotiation Configurations for Classic Load Balancers
  - Predefined SSL Security Policies for Classic Load Balancers
  - Update the SSL Negotiation Configuration of Your Classic Load Balancer
- AWS Command Line Interface (CLI) Documentation
  - elb
  - describe-load-balancers
  - describe-tags
  - describe-load-balancer-policies
  - set-load-balancer-policies-of-listener
Rule: App-Tier ELB Security Policy
Risk level: Medium