Ensure that your Elastic Load Balancers are using the latest AWS predefined security policies, ELBSecurityPolicy-2016-08 or ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01, for their SSL negotiation configuration.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using insecure and deprecated security policies for your ELBs' SSL negotiation configuration exposes the connection between the client and the load balancer to SSL/TLS vulnerabilities such as the Logjam attack, a weakness in how the Diffie-Hellman key exchange (DHE) has been deployed, and the FREAK attack, which allows an attacker to intercept HTTPS connections between vulnerable clients and servers or load balancers in order to steal or manipulate sensitive data. To keep your ELBs' SSL configuration secure, Cloud Conformity recommends using the latest Predefined Security Policies released by AWS: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-2-2017-01 or ELBSecurityPolicy-TLS-1-1-2017-01.
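The check can be scripted against the data the Classic ELB API returns. The following is an added example, not Cloud Conformity's own code: it walks structures shaped like the `describe-load-balancers` and `describe-load-balancer-policies` responses (the sample data is constructed here) and reports every HTTPS/SSL listener whose negotiation policy does not reference one of the three recommended predefined policies. Custom policies with no `Reference-Security-Policy` attribute are reported as "custom".

```python
"""Flag Classic ELB listeners whose SSL negotiation policy is not one of the
recommended AWS predefined policies.  The two SAMPLE_* structures are
constructed for this example and mirror the API response shapes."""

RECOMMENDED_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}

# Constructed sample: one load balancer with two HTTPS listeners and one HTTP listener.
SAMPLE_LOAD_BALANCERS = [{
    "LoadBalancerName": "example-elb",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
         "PolicyNames": ["ELBSecurityPolicy-2016-08"]},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 8443},
         "PolicyNames": ["legacy-ssl-policy"]},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []},
    ],
}]

# Constructed sample keyed by load balancer name; the second policy was created
# from an older predefined policy and should be flagged.
SAMPLE_POLICIES = {"example-elb": [
    {"PolicyName": "ELBSecurityPolicy-2016-08", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2016-08"}]},
    {"PolicyName": "legacy-ssl-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2011-08"},
         {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]},
]}


def reference_policy(policy):
    """Return the predefined policy a custom SSL policy was derived from, or None."""
    for attr in policy.get("PolicyAttributeDescriptions", []):
        if attr["AttributeName"] == "Reference-Security-Policy":
            return attr["AttributeValue"]
    return None


def find_noncompliant_listeners(load_balancers, policies_by_lb):
    """Return (lb_name, port, policy_name, referenced_policy) for each failing listener."""
    findings = []
    for lb in load_balancers:
        name = lb["LoadBalancerName"]
        policies = {p["PolicyName"]: p for p in policies_by_lb.get(name, [])}
        for desc in lb["ListenerDescriptions"]:
            listener = desc["Listener"]
            if listener["Protocol"] not in ("HTTPS", "SSL"):
                continue  # plain HTTP/TCP listeners have no TLS policy to audit
            for policy_name in desc["PolicyNames"]:
                policy = policies.get(policy_name)
                if policy is None or policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
                    continue
                ref = reference_policy(policy) or "custom"
                if ref not in RECOMMENDED_POLICIES:
                    findings.append((name, listener["LoadBalancerPort"], policy_name, ref))
    return findings
```

In a real audit the two inputs come from `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies --load-balancer-name <name>` for each balancer.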
To determine if your load balancers are using deprecated security policies, perform the following:
To update your Elastic Load Balancer SSL negotiation configuration to use the latest AWS Predefined Security Policies, perform the following: