Ensure that your Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using insecure and deprecated security policies for SSL negotiation configuration within your Application Load Balancers will expose the connection between the client and the load balancer to various SSL/TLS vulnerabilities. To maintain your ALBs SSL configuration secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services.
It is recommended to use one of the following predefined configurations:
Predefined configurations that support TLS versions earlier than TLS 1.2 are no longer recommended. TLS 1.0 and 1.1 have been deprecated by major internet companies. Cipher Suites should also support Perfect Forward Secrecy.
Note: Custom security policies are not allowed.
To determine if your load balancers are using deprecated security policies, perform the following:
Remediation / Resolution
To update your Application Load Balancers (ALBs) listeners configuration to use the latest predefined security policies, perform the following actions:
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
ELBv2 ALB Security Policy
Risk level: Medium