Ensure that your Amazon Application Load Balancers (ALBs) are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
The latest ELB security policies are:
- ELBSecurityPolicy-TLS13-1-2-2021-06
- ELBSecurityPolicy-TLS13-1-3-2021-06
- ELBSecurityPolicy-TLS13-1-2-Res-2021-06
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using insecure or deprecated security policies for the SSL negotiation configuration of your Application Load Balancer (ALB) exposes the connection between the client and the load balancer to known SSL/TLS vulnerabilities. To keep your load balancer SSL configuration secure, Trend Cloud One™ – Conformity recommends using one of the latest predefined security policies released by Amazon Web Services (AWS).
Audit
To determine if your Application Load Balancers (ALBs) are using deprecated security policies, perform the following actions:
Remediation / Resolution
To update the listener configuration of your Amazon Application Load Balancers (ALBs) in order to use the latest predefined security policy, perform the following actions:
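The audit and remediation steps described above, as an added example that is not Conformity's own tooling nor AWS code: a Python script that flags HTTPS listeners whose SslPolicy is not one of the three latest predefined policies and builds the matching `aws elbv2 modify-listener` call. It runs over a constructed `describe-listeners` response with placeholder ARNs and account id; in a real audit you would feed it the output of `aws elbv2 describe-listeners --load-balancer-arn <alb-arn>` for each ALB.

```python
import json

# Latest predefined ALB security policies, as listed on this page.
LATEST_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
}

# Constructed sample in the shape returned by
# `aws elbv2 describe-listeners --load-balancer-arn <alb-arn>`.
# Account id and listener ids are placeholders, not real resources.
ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:000000000000:listener/app/web/0000"
SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {"ListenerArn": ARN_PREFIX + "/aaa", "Port": 443,
         "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
        {"ListenerArn": ARN_PREFIX + "/bbb", "Port": 8443,
         "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
        {"ListenerArn": ARN_PREFIX + "/ccc", "Port": 80, "Protocol": "HTTP"},
    ]
})


def find_noncompliant_listeners(describe_listeners_json, allowed=LATEST_SSL_POLICIES):
    """Return (ListenerArn, SslPolicy) for each HTTPS listener whose policy is not
    one of the latest predefined policies. HTTP listeners have no TLS negotiation
    and are skipped; an HTTPS listener with no SslPolicy field is also reported,
    because the check cannot confirm it is current."""
    listeners = json.loads(describe_listeners_json).get("Listeners", [])
    findings = []
    for listener in listeners:
        if listener.get("Protocol") != "HTTPS":
            continue
        policy = listener.get("SslPolicy")
        if policy not in allowed:
            findings.append((listener["ListenerArn"], policy))
    return findings


def remediation_command(listener_arn, policy="ELBSecurityPolicy-TLS13-1-2-2021-06"):
    """Build the AWS CLI call that moves a listener to a current policy."""
    if policy not in LATEST_SSL_POLICIES:
        raise ValueError(f"{policy} is not one of the latest predefined policies")
    return f"aws elbv2 modify-listener --listener-arn {listener_arn} --ssl-policy {policy}"


if __name__ == "__main__":
    for arn, policy in find_noncompliant_listeners(SAMPLE_DESCRIBE_LISTENERS):
        print(f"NONCOMPLIANT {arn} uses {policy}")
        print("  fix: " + remediation_command(arn))
```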
References
- AWS Documentation
- Elastic Load Balancing FAQs
- Application Load Balancers
- Create an HTTPS listener for your Application Load Balancer
- CloudFormation Documentation
- Elastic Load Balancing V2 resource type reference
- Terraform Documentation
- AWS Provider