Ensure that your Amazon Network Load Balancers (NLBs) are using the latest recommended predefined security policy for TLS negotiation configuration in order to protect their front-end connections against TLS vulnerabilities and meet security requirements.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using a deprecated security policy for TLS negotiation on your Network Load Balancers exposes the connection between the client and the load balancer to known TLS vulnerabilities. To keep your Amazon NLB TLS configuration secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services.
It is recommended to use one of the following predefined configurations:
Predefined configurations that support TLS versions earlier than TLS 1.2 are no longer recommended, since TLS 1.0 and 1.1 have been deprecated by major internet companies. The cipher suites in the chosen policy should also provide Perfect Forward Secrecy.
Note: AWS Network Load Balancers do not support custom security policies.
To determine if your Amazon NLBs are using security policies with deprecated ciphers, perform the following:
Remediation / Resolution
To update your Amazon Network Load Balancers (NLBs) listeners configuration in order to use the latest predefined and recommended security policy, perform the following actions:
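As an added example (not Conformity's own check or remediation script) covering both the audit step and the remediation step above, the Python below reads `aws elbv2 describe-listeners` output, flags TLS listeners whose security policy is outside an allow-list, and builds the matching `aws elbv2 modify-listener` commands. The allow-list, the target policy and the sample listeners are constructed for this example; substitute the policies your organisation has approved.

```python
import json

# Assumed allow-list for the example; the page's own list of recommended
# policies is not reproduced here. Replace with your approved policies.
RECOMMENDED_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06"}

# Constructed sample shaped like `aws elbv2 describe-listeners` JSON output.
# Account id and load balancer name are placeholders.
SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                        "listener/net/example-nlb/aaa/111",
         "Port": 443, "Protocol": "TLS",
         "SslPolicy": "ELBSecurityPolicy-2016-08"},      # allows TLS 1.0/1.1
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                        "listener/net/example-nlb/aaa/222",
         "Port": 8443, "Protocol": "TLS",
         "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                        "listener/net/example-nlb/aaa/333",
         "Port": 80, "Protocol": "TCP"},                 # no TLS termination
    ]
})


def find_noncompliant_listeners(describe_output, recommended=RECOMMENDED_POLICIES):
    """Return (listener_arn, ssl_policy) for every TLS listener whose
    policy is not in the recommended set. TCP/UDP listeners do not
    terminate TLS and carry no SslPolicy, so they are skipped."""
    findings = []
    for listener in json.loads(describe_output)["Listeners"]:
        if listener.get("Protocol") != "TLS":
            continue
        policy = listener.get("SslPolicy", "")   # missing policy is a finding too
        if policy not in recommended:
            findings.append((listener["ListenerArn"], policy))
    return findings


def remediation_commands(findings, target_policy):
    """Build the modify-listener command that moves each flagged listener
    to target_policy; review the list before running it."""
    return [f"aws elbv2 modify-listener --listener-arn {arn} "
            f"--ssl-policy {target_policy}" for arn, _ in findings]


if __name__ == "__main__":
    flagged = find_noncompliant_listeners(SAMPLE_DESCRIBE_LISTENERS)
    for arn, policy in flagged:
        print(f"NON-COMPLIANT {arn}: {policy or '<none>'}")
    print("\n".join(remediation_commands(flagged, "ELBSecurityPolicy-TLS13-1-2-2021-06")))
```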
You are auditing:
AWS Network Load Balancer (ELBv2) Security Policy
Risk level: Medium