Ensure that your Elastic Load Balancers are using one of the latest AWS predefined security policies (ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01) for their SSL negotiation configuration.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using insecure and deprecated security policies for your ELBs' SSL negotiation configuration exposes the connection between the client and the load balancer to SSL/TLS vulnerabilities such as the Logjam attack, which exploits a weakness in how the Diffie-Hellman key exchange (DHE) has been deployed, and the FREAK attack, which allows an attacker to intercept HTTPS connections between vulnerable clients and servers or load balancers in order to steal or manipulate sensitive data. To keep your ELBs' SSL configuration secure, Cloud Conformity recommends using the latest predefined security policies released by AWS: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01.
To determine if your load balancers are using deprecated security policies, perform the following:
Remediation / Resolution
To update your Elastic Load Balancer SSL negotiation configuration to use the latest AWS Predefined Security Policies, perform the following:
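The following is an added example (not Cloud Conformity's check and not code from AWS) that covers both procedures above: it audits the listeners of a classic ELB for SSL negotiation policies that are not one of the three approved predefined policies, and for each finding builds the AWS CLI commands that attach an approved policy without dropping the listener's other policies. It works offline on constructed data shaped like the `DescribeLoadBalancers` and `DescribeLoadBalancerPolicies` API responses; the load balancer name `web-elb`, the policy names and the generated policy name pattern are assumptions. A policy created from an AWS predefined policy carries the `Reference-Security-Policy` attribute; a hand-built cipher list does not, which is how a custom policy is told apart from a deprecated predefined one.

```python
"""Audit classic ELB listeners for deprecated SSL negotiation policies (added example)."""
from typing import Dict, List, Optional

# Predefined policies this rule accepts as current.
APPROVED_POLICIES = frozenset({
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
})
TLS_PROTOCOLS = {"HTTPS", "SSL"}  # listener protocols that terminate TLS on the ELB


def reference_policy(policy: Dict) -> Optional[str]:
    """Predefined policy an SSLNegotiationPolicyType policy was derived from; None if custom."""
    if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
        return None
    for attr in policy.get("PolicyAttributeDescriptions", []):
        if attr.get("AttributeName") == "Reference-Security-Policy":
            return attr.get("AttributeValue")
    return None


def audit_load_balancer(lb: Dict, policies: List[Dict]) -> List[Dict]:
    """One finding per HTTPS/SSL listener whose negotiation policy is not an approved predefined one."""
    by_name = {p["PolicyName"]: p for p in policies}
    findings = []
    for desc in lb.get("ListenerDescriptions", []):
        listener = desc["Listener"]
        if listener["Protocol"] not in TLS_PROTOCOLS:
            continue  # plain HTTP/TCP listeners carry no TLS configuration
        names = desc.get("PolicyNames", [])
        ssl_policies = [n for n in names
                        if by_name.get(n, {}).get("PolicyTypeName") == "SSLNegotiationPolicyType"]
        other_policies = [n for n in names if n not in ssl_policies]  # e.g. stickiness policies
        for name in ssl_policies or [None]:
            ref = reference_policy(by_name[name]) if name else None
            if ref in APPROVED_POLICIES:
                continue
            findings.append({
                "load_balancer": lb["LoadBalancerName"],
                "port": listener["LoadBalancerPort"],
                "policy": name,
                "reference": ref,
                "other_policies": other_policies,
                "reason": ("no SSL negotiation policy attached" if name is None
                           else f"deprecated predefined policy {ref}" if ref
                           else "custom cipher list with no predefined reference"),
            })
    return findings


def remediation_commands(finding: Dict, target: str = "ELBSecurityPolicy-2016-08") -> List[str]:
    """AWS CLI commands that put `target` on the listener while keeping its non-TLS policies.

    set-load-balancer-policies-of-listener replaces the listener's whole policy list,
    so the other policies must be passed again or they are silently removed.
    """
    if target not in APPROVED_POLICIES:
        raise ValueError(f"{target} is not an approved predefined policy")
    new_name = f"{target}-{finding['port']}"  # assumed naming scheme; any unique name works
    lb = finding["load_balancer"]
    policy_list = " ".join(finding["other_policies"] + [new_name])
    return [
        f"aws elb create-load-balancer-policy --load-balancer-name {lb} "
        f"--policy-name {new_name} --policy-type-name SSLNegotiationPolicyType "
        f"--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue={target}",
        f"aws elb set-load-balancer-policies-of-listener --load-balancer-name {lb} "
        f"--load-balancer-port {finding['port']} --policy-names {policy_list}",
    ]


# Constructed sample data shaped like the API responses (not from any real account).
SAMPLE_POLICIES = [
    {"PolicyName": "legacy-tls", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2015-05"},
         {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]},
    {"PolicyName": "current-tls", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"}]},
    {"PolicyName": "custom-ciphers", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
         {"AttributeName": "DHE-RSA-AES128-SHA", "AttributeValue": "true"}]},
    {"PolicyName": "sticky", "PolicyTypeName": "LBCookieStickinessPolicyType",
     "PolicyAttributeDescriptions": [{"AttributeName": "CookieExpirationPeriod", "AttributeValue": "60"}]},
]
SAMPLE_LB = {
    "LoadBalancerName": "web-elb",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443}, "PolicyNames": ["legacy-tls", "sticky"]},
        {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443}, "PolicyNames": ["current-tls"]},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 9443}, "PolicyNames": ["custom-ciphers"]},
    ],
}

if __name__ == "__main__":
    for f in audit_load_balancer(SAMPLE_LB, SAMPLE_POLICIES):
        print(f"{f['load_balancer']}:{f['port']} policy={f['policy']} -> {f['reason']}")
        for cmd in remediation_commands(f):
            print("   ", cmd)
```

Against a live account the same functions can be fed the real data: with a boto3 `elb` client, pass each entry of `describe_load_balancers()["LoadBalancerDescriptions"]` together with `describe_load_balancer_policies(LoadBalancerName=...)["PolicyDescriptions"]` to `audit_load_balancer`. Review the printed commands before running them; the second command is the one that could strip a stickiness policy if the listener's other policies were not carried over.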
- AWS Documentation:
- Listeners for Your Load Balancer
- SSL Negotiation Configurations for Elastic Load Balancing
- Predefined SSL Security Policies for Elastic Load Balancing
- SSL Security Policies for Elastic Load Balancing
- Update the SSL Negotiation Configuration of Your Load Balancer
ELB Security Policy
Risk level: Medium