Ensure that your Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
Using insecure and deprecated security policies for SSL negotiation configuration within your Application Load Balancers will expose the connection between the client and the load balancer to various SSL/TLS vulnerabilities. To maintain your ALBs SSL configuration secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2016-08" or "ELBSecurityPolicy-TLS-1-1-2017-01". Note: Custom security policies are not allowed.
To determine if your load balancers are using deprecated security policies, perform the following:
To update your Application Load Balancers (ALBs) listeners configuration to use the latest predefined security policies, perform the following actions: