Ensure that the listeners of your app-tier Elastic Load Balancers (ELBs) are using the latest AWS security policy for their SSL negotiation configuration. An SSL security policy is a combination of SSL/TLS protocols and ciphers that your AWS ELBs use to negotiate SSL/TLS connections between application clients and the load balancers. This conformity rule assumes that all AWS resources provisioned within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be configured in the rule settings on the Cloud Conformity account dashboard.
When you use the latest SSL security policy for your app-tier ELBs, you make sure that the SSL/TLS connection is negotiated using only the cryptographic protocols and ciphers deemed safe and free of known vulnerabilities. This secures the connection between the clients and the AWS ELB and protects against vulnerabilities such as Logjam and FREAK, which could allow attackers to decrypt secure communications between vulnerable clients and your load balancer. Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To determine if your app-tier ELBs are using the latest SSL security policy, perform the following actions:
To enable the latest predefined SSL security policy for your app-tier ELBs, perform the following actions:
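The audit and remediation described above, written out as an added Python example (this is not the Cloud Conformity rule engine's code). The functions operate on the response shapes of the Classic ELB API calls describe-load-balancers, describe-tags and describe-load-balancer-policies, so live boto3 responses can be passed in unchanged; here the responses are constructed inline so the check runs offline. The policy name ELBSecurityPolicy-2016-08 is assumed to be the latest predefined policy for Classic ELBs and should be confirmed against the current AWS list; the `-app-tier` policy suffix is a made-up naming convention.

```python
"""Check app-tier Classic ELB HTTPS/SSL listeners for the latest predefined
SSL security policy, and emit the AWS CLI commands that would fix each gap."""

# Placeholders from the rule text: replace with your own app-tier tag name/value.
APP_TIER_TAG = "<app_tier_tag>"
APP_TIER_TAG_VALUE = "<app_tier_tag_value>"

# ASSUMPTION: latest predefined Classic ELB policy at time of writing; verify with AWS.
LATEST_POLICY = "ELBSecurityPolicy-2016-08"
CUSTOM = "<custom cipher list>"          # SSL policy built without a reference policy
SECURE_PROTOCOLS = {"HTTPS", "SSL"}      # only these listener protocols negotiate TLS


def is_app_tier(tag_description):
    """True if a describe-tags entry carries the app-tier tag with the expected value."""
    return any(t["Key"] == APP_TIER_TAG and t["Value"] == APP_TIER_TAG_VALUE
               for t in tag_description.get("Tags", []))


def reference_policy(policy_name, policy_descriptions):
    """Predefined policy referenced by an SSL negotiation policy.

    Returns the Reference-Security-Policy value, CUSTOM for an SSL policy with
    hand-picked ciphers, or None if the policy is missing or not an SSL policy."""
    for desc in policy_descriptions:
        if desc["PolicyName"] != policy_name:
            continue
        if desc["PolicyTypeName"] != "SSLNegotiationPolicyType":
            return None
        for attr in desc.get("PolicyAttributeDescriptions", []):
            if attr["AttributeName"] == "Reference-Security-Policy":
                return attr["AttributeValue"]
        return CUSTOM
    return None


def listener_findings(lb, policy_descriptions):
    """(lb_name, port, reason) for every HTTPS/SSL listener not on LATEST_POLICY."""
    findings = []
    for ld in lb["ListenerDescriptions"]:
        listener = ld["Listener"]
        if listener["Protocol"] not in SECURE_PROTOCOLS:
            continue
        refs = [reference_policy(p, policy_descriptions) for p in ld.get("PolicyNames", [])]
        ssl_refs = [r for r in refs if r is not None]
        if not ssl_refs:
            reason = "no SSL security policy attached"
        elif ssl_refs[0] != LATEST_POLICY:
            reason = "uses %s instead of %s" % (ssl_refs[0], LATEST_POLICY)
        else:
            continue
        findings.append((lb["LoadBalancerName"], listener["LoadBalancerPort"], reason))
    return findings


def audit(load_balancers, tag_descriptions, policies_by_lb):
    """Evaluate only app-tier load balancers; returns an empty list when compliant."""
    tags_by_lb = {td["LoadBalancerName"]: td for td in tag_descriptions["TagDescriptions"]}
    findings = []
    for lb in load_balancers["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        if not is_app_tier(tags_by_lb.get(name, {})):
            continue
        policies = policies_by_lb.get(name, {}).get("PolicyDescriptions", [])
        findings.extend(listener_findings(lb, policies))
    return findings


def remediation_commands(findings):
    """AWS CLI commands (returned as strings, not executed) that create a policy
    referencing LATEST_POLICY and attach it to each non-compliant listener."""
    cmds = []
    for lb_name, port, _ in findings:
        policy = LATEST_POLICY + "-app-tier"     # assumed naming convention
        cmds.append("aws elb create-load-balancer-policy --load-balancer-name %s "
                    "--policy-name %s --policy-type-name SSLNegotiationPolicyType "
                    "--policy-attributes AttributeName=Reference-Security-Policy,"
                    "AttributeValue=%s" % (lb_name, policy, LATEST_POLICY))
        cmds.append("aws elb set-load-balancer-policies-of-listener --load-balancer-name "
                    "%s --load-balancer-port %d --policy-names %s" % (lb_name, port, policy))
    return cmds


# Constructed sample responses, trimmed to the fields the check reads.
_HTTPS = {"Protocol": "HTTPS", "LoadBalancerPort": 443}
SAMPLE_LBS = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "app-elb-1", "ListenerDescriptions": [
        {"Listener": _HTTPS, "PolicyNames": ["ELBSecurityPolicy-2016-08-app-tier"]}]},
    {"LoadBalancerName": "app-elb-2", "ListenerDescriptions": [
        {"Listener": _HTTPS, "PolicyNames": ["legacy-ssl-policy"]},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []}]},
    {"LoadBalancerName": "web-elb", "ListenerDescriptions": [
        {"Listener": _HTTPS, "PolicyNames": []}]}]}
SAMPLE_TAGS = {"TagDescriptions": [
    {"LoadBalancerName": "app-elb-1", "Tags": [{"Key": APP_TIER_TAG, "Value": APP_TIER_TAG_VALUE}]},
    {"LoadBalancerName": "app-elb-2", "Tags": [{"Key": APP_TIER_TAG, "Value": APP_TIER_TAG_VALUE}]},
    {"LoadBalancerName": "web-elb", "Tags": [{"Key": "tier", "Value": "web"}]}]}
SAMPLE_POLICIES = {
    "app-elb-1": {"PolicyDescriptions": [{
        "PolicyName": "ELBSecurityPolicy-2016-08-app-tier",
        "PolicyTypeName": "SSLNegotiationPolicyType",
        "PolicyAttributeDescriptions": [
            {"AttributeName": "Reference-Security-Policy", "AttributeValue": LATEST_POLICY},
            {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"}]}]},
    "app-elb-2": {"PolicyDescriptions": [{
        "PolicyName": "legacy-ssl-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
        "PolicyAttributeDescriptions": [
            {"AttributeName": "Reference-Security-Policy",
             "AttributeValue": "ELBSecurityPolicy-2015-05"}]}]},
    "web-elb": {"PolicyDescriptions": []}}

if __name__ == "__main__":
    found = audit(SAMPLE_LBS, SAMPLE_TAGS, SAMPLE_POLICIES)
    for f in found:
        print("NON-COMPLIANT %s:%d (%s)" % f)
    for cmd in remediation_commands(found):
        print(cmd)
```

In the sample data only app-elb-2 is reported: app-elb-1 already references the latest policy and web-elb is not tagged as app tier, so it is out of scope for this rule. Two points worth keeping in mind when adapting this: a listener can carry several policies and only SSLNegotiationPolicyType ones are relevant, and `set-load-balancer-policies-of-listener` replaces the whole policy list on that listener, so any other policy you want to keep must be passed again in `--policy-names`.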