Ensure that your Amazon Network Load Balancers (NLBs) are using the latest recommended predefined security policy for TLS negotiation configuration in order to protect their front-end connections against TLS vulnerabilities and meet security requirements.
Using a deprecated security policy for TLS negotiation on your Network Load Balancers exposes the connection between the client and the load balancer to known TLS vulnerabilities. To keep the TLS configuration of your Amazon NLBs secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services: "ELBSecurityPolicy-2016-08" for general use, "ELBSecurityPolicy-FS-2018-06" to require Forward Secrecy (FS) cipher suites, and "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" to negotiate only TLS 1.2 with the same set of secure ciphers as the "ELBSecurityPolicy-2016-08" policy. Note: AWS Network Load Balancers do not support custom security policies, so one of the predefined policies must be selected.
To determine if your Amazon NLBs are using security policies with deprecated ciphers, perform the following:
To update the listener configuration of your Amazon Network Load Balancers (NLBs) to use the latest recommended predefined security policy, perform the following actions:
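The audit and the remediation described above, combined into one AWS CLI script as an added example (this is not code from the Cloud Conformity rule page or from AWS). It assumes the AWS CLI v2 is configured with elbv2 DescribeLoadBalancers, DescribeListeners and ModifyListener permissions in the target region; the accepted-policy set is the list recommended above, and the policy applied by `--fix` (TLS 1.2 only) is this example's choice, so adjust both to your own baseline.

```shell
#!/bin/sh
# Added example: audit every Network Load Balancer TLS listener in the current
# region against the predefined security policies recommended above, and with
# --fix move non-compliant listeners to TARGET_POLICY. Not part of the original
# page; the AWS CLI calls are real, the policy choices below are assumptions.

# Policies treated as acceptable (the three recommended on this page).
RECOMMENDED_POLICIES="ELBSecurityPolicy-2016-08 ELBSecurityPolicy-FS-2018-06 ELBSecurityPolicy-TLS-1-2-Ext-2018-06"

# Policy applied when remediating (example choice: TLS 1.2 only).
TARGET_POLICY="ELBSecurityPolicy-TLS-1-2-Ext-2018-06"

# is_recommended_policy NAME -> returns 0 if NAME is in RECOMMENDED_POLICIES.
is_recommended_policy() {
  for p in $RECOMMENDED_POLICIES; do
    [ "$1" = "$p" ] && return 0
  done
  return 1
}

# classify_listener LISTENER_ARN POLICY -> prints "OK ..." or "NON_COMPLIANT ...".
# Kept free of AWS calls so it can be run offline on captured describe output.
classify_listener() {
  if is_recommended_policy "$2"; then
    printf 'OK %s %s\n' "$1" "$2"
  else
    printf 'NON_COMPLIANT %s %s\n' "$1" "$2"
  fi
}

# audit_nlbs [--fix]: walk every NLB, classify each TLS listener, optionally fix.
audit_nlbs() {
  fix="${1:-}"
  # Type==`network` restricts the listing to NLBs (ALBs use the same API).
  for lb_arn in $(aws elbv2 describe-load-balancers \
        --query 'LoadBalancers[?Type==`network`].LoadBalancerArn' --output text); do
    # Only TLS listeners carry an SslPolicy; TCP, UDP and TCP_UDP listeners are skipped.
    aws elbv2 describe-listeners --load-balancer-arn "$lb_arn" \
        --query 'Listeners[?Protocol==`TLS`].[ListenerArn,SslPolicy]' --output text |
    while read -r listener_arn policy; do
      [ -n "$listener_arn" ] || continue
      result=$(classify_listener "$listener_arn" "$policy")
      echo "$result"
      case "$result" in
        NON_COMPLIANT*)
          if [ "$fix" = "--fix" ]; then
            # modify-listener only changes the fields given; protocol, port and
            # certificate stay as they are.
            aws elbv2 modify-listener --listener-arn "$listener_arn" \
                --ssl-policy "$TARGET_POLICY"
          fi ;;
      esac
    done
  done
}

# Only act when invoked with an explicit mode, so sourcing the file just defines functions.
case "${1:-}" in
  --audit) audit_nlbs ;;
  --fix)   audit_nlbs --fix ;;
esac
```

Run `sh nlb-tls-policy.sh --audit` first and review the NON_COMPLIANT lines; `ELBSecurityPolicy-TLS-1-2-Ext-2018-06` negotiates TLS 1.2 only, so confirm that the clients of each listed listener can speak TLS 1.2 before running `--fix`, or set `TARGET_POLICY` to `ELBSecurityPolicy-2016-08` if they cannot. Switch `--profile` and `--region` on the aws calls (or the corresponding environment variables) to cover every account and region in scope.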