Check your Elastic Load Balancers' Secure Sockets Layer (SSL) negotiation configuration for the insecure / deprecated SSLv2, SSLv3 and TLSv1 protocols
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using insecure and deprecated protocols in your ELB Predefined Security Policy or Custom Security Policy can leave the connection between the client and the load balancer vulnerable to exploits such as DROWN (Decrypting RSA using Obsolete and Weakened eNcryption), which targets a specific weakness in the OpenSSL implementation of the SSLv2 protocol, and POODLE (Padding Oracle On Downgraded Legacy Encryption).
The POODLE vulnerability allows an attacker positioned as a man-in-the-middle to recover the plaintext of data encrypted with the SSLv3 protocol. If your existing ELB SSL negotiation configuration enables Protocol-SSLv2, Protocol-SSLv3 and/or Protocol-TLSv1 (the PCI council requires TLS 1.0 to be turned off soon), we highly recommend updating it using the information provided in this guide (see the Remediation / Resolution section).
Note: The ELBSecurityPolicy-2016-08 predefined security policy includes Protocol-TLSv1, which is considered insecure.
Audit
To determine whether your ELB Predefined Security Policy uses insecure protocols, perform the following:
Remediation / Resolution
To remove any insecure protocol definitions from your ELB SSL negotiation settings, perform the following:
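The audit and remediation steps above both go through the `aws elb` commands listed in the references. The following is an added example (not Cloud Conformity's own check, nor AWS code) that shows both halves offline: it parses the JSON shape that `aws elb describe-load-balancer-policies --load-balancer-name <name>` prints (here a constructed sample), flags every SSL negotiation policy that still enables Protocol-SSLv2, Protocol-SSLv3 or Protocol-TLSv1, and assembles the `create-load-balancer-policy` / `set-load-balancer-policies-of-listener` commands that attach AWS's predefined TLS 1.2-only policy instead. The load balancer name `example-classic-elb`, the policy name `tls12-only-policy` and the sample policies are assumptions for illustration; `ELBSecurityPolicy-TLS-1-2-2017-01` is a real Classic Load Balancer predefined policy.

```python
"""Audit Classic ELB SSL negotiation policies and build remediation commands.

Added example, not Cloud Conformity's or AWS's code. Parses the output shape of
`aws elb describe-load-balancer-policies` (constructed sample below).
"""
import json
import shlex
from typing import Dict, List

# Protocol attributes this rule treats as insecure / deprecated.
INSECURE_PROTOCOLS = ("Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1")

# Hypothetical load balancer name used throughout the constructed sample.
LB_NAME = "example-classic-elb"

# Constructed sample in the shape describe-load-balancer-policies returns:
# a policy derived from ELBSecurityPolicy-2016-08 (TLSv1 still enabled), a
# custom TLS 1.2-only policy, and a non-SSL policy that must be skipped.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "PolicyDescriptions": [
        {
            "PolicyName": "ELBSecurityPolicy-2016-08",
            "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Reference-Security-Policy",
                 "AttributeValue": "ELBSecurityPolicy-2016-08"},
                {"AttributeName": "Protocol-SSLv2", "AttributeValue": "false"},
                {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
                {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
            ],
        },
        {
            "PolicyName": "custom-tls12-only",
            "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
                {"AttributeName": "Protocol-TLSv1", "AttributeValue": "false"},
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
            ],
        },
        {
            "PolicyName": "proxy-protocol",
            "PolicyTypeName": "ProxyProtocolPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "ProxyProtocol", "AttributeValue": "true"},
            ],
        },
    ]
})


def enabled_insecure_protocols(policy: dict) -> List[str]:
    """Return the insecure protocol attributes one policy sets to 'true'."""
    enabled = {a["AttributeName"]
               for a in policy.get("PolicyAttributeDescriptions", [])
               if str(a.get("AttributeValue", "")).lower() == "true"}
    return [p for p in INSECURE_PROTOCOLS if p in enabled]


def audit_policies(describe_output: str) -> Dict[str, List[str]]:
    """Map each SSL negotiation policy name to the insecure protocols it enables."""
    data = json.loads(describe_output)
    return {
        p["PolicyName"]: enabled_insecure_protocols(p)
        for p in data.get("PolicyDescriptions", [])
        if p.get("PolicyTypeName") == "SSLNegotiationPolicyType"
    }


def noncompliant_policies(describe_output: str) -> List[str]:
    """Names of policies that fail the rule (any SSLv2/SSLv3/TLSv1 enabled)."""
    return [name for name, bad in audit_policies(describe_output).items() if bad]


def remediation_commands(lb_name: str, listener_port: int = 443,
                         new_policy_name: str = "tls12-only-policy",
                         reference_policy: str = "ELBSecurityPolicy-TLS-1-2-2017-01"
                         ) -> List[str]:
    """Build the two `aws elb` commands that replace a listener's SSL policy.

    new_policy_name is hypothetical; reference_policy defaults to AWS's
    predefined TLS 1.2-only policy for Classic Load Balancers.
    """
    create = ["aws", "elb", "create-load-balancer-policy",
              "--load-balancer-name", lb_name,
              "--policy-name", new_policy_name,
              "--policy-type-name", "SSLNegotiationPolicyType",
              "--policy-attributes",
              "AttributeName=Reference-Security-Policy,AttributeValue=" + reference_policy]
    attach = ["aws", "elb", "set-load-balancer-policies-of-listener",
              "--load-balancer-name", lb_name,
              "--load-balancer-port", str(listener_port),
              "--policy-names", new_policy_name]
    return [" ".join(shlex.quote(x) for x in cmd) for cmd in (create, attach)]


if __name__ == "__main__":
    for name, bad in audit_policies(SAMPLE_DESCRIBE_OUTPUT).items():
        print(name + ": " + ("FAIL " + ", ".join(bad) if bad else "PASS"))
    for cmd in remediation_commands(LB_NAME):
        print(cmd)
```

Run against real output by piping `aws elb describe-load-balancer-policies --load-balancer-name <name>` into `audit_policies`; a policy that passes may still carry weak cipher attributes, which this check deliberately does not cover. Attaching the new policy with `set-load-balancer-policies-of-listener` replaces the listener's current SSL negotiation policy, so verify that your clients support TLS 1.2 before running the second command.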
References
- AWS Documentation
  - What Is Elastic Load Balancing?
  - SSL Negotiation Configurations for Elastic Load Balancing
  - Predefined SSL Security Policies for Elastic Load Balancing
  - SSL Security Policies for Elastic Load Balancing
  - Update the SSL Negotiation Configuration of Your Load Balancer
- AWS Command Line Interface (CLI) Documentation
  - elb
  - describe-load-balancer-policies
  - create-load-balancer-policy
Rule: ELB Insecure SSL Protocols
Risk level: Medium