Ensure that your Amazon Network Load Balancers (NLBs) use the latest recommended predefined security policy for TLS negotiation on their TLS listeners, in order to protect the front-end (client-to-load-balancer) connection against known TLS protocol and cipher weaknesses and to meet your security requirements.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using a deprecated security policy for TLS negotiation on your Network Load Balancer TLS listeners leaves the connection between the client and the load balancer open to attacks against obsolete protocol versions and cipher suites. To keep your Amazon NLB TLS configuration secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-1-2017-01, ELBSecurityPolicy-FS-2018-06, or ELBSecurityPolicy-TLS-1-2-Ext-2018-06. These policies differ in what they still allow: ELBSecurityPolicy-2016-08 and ELBSecurityPolicy-FS-2018-06 still negotiate TLS 1.0 (the FS policy restricts the cipher suites to forward-secret ECDHE ones), ELBSecurityPolicy-TLS-1-1-2017-01 requires at least TLS 1.1, and ELBSecurityPolicy-TLS-1-2-Ext-2018-06 is TLS 1.2 only. Choose the most restrictive policy your clients actually support, and verify client compatibility before dropping TLS 1.0/1.1.
Note: AWS Network Load Balancers do not support custom security policies.
To determine whether your Amazon NLBs are using security policies with deprecated protocol versions or ciphers, perform the following:
To update your Amazon Network Load Balancer (NLB) listener configuration so that it uses the latest predefined and recommended security policy, perform the following actions:
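The audit and the remediation above, carried out with the AWS CLI, as an added example that is not Cloud Conformity's own tooling or part of the original page. It assumes AWS CLI v2 is installed and configured with credentials allowed to call `elasticloadbalancing:DescribeLoadBalancers`, `DescribeListeners` and `ModifyListener`. The recommended policy list is the one given above; the policy written by the `fix` action (`ELBSecurityPolicy-TLS-1-2-Ext-2018-06`) and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example: audit NLB TLS listeners for deprecated security policies and
# optionally remediate them. Not Cloud Conformity's code. Assumes a configured
# AWS CLI v2. Usage:  sh nlb-tls-policy.sh audit   |   sh nlb-tls-policy.sh fix
set -eu

# Predefined policies the rule accepts (list taken from the text above).
RECOMMENDED_POLICIES="ELBSecurityPolicy-2016-08 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-FS-2018-06 ELBSecurityPolicy-TLS-1-2-Ext-2018-06"

# Policy applied by "fix": TLS 1.2 only. Assumption for this example; confirm
# your clients no longer need TLS 1.0/1.1 before using it.
TARGET_POLICY="ELBSecurityPolicy-TLS-1-2-Ext-2018-06"

# is_recommended POLICY -> exit status 0 if POLICY is in the accepted list, else 1.
is_recommended() {
    for p in $RECOMMENDED_POLICIES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# classify_listener LISTENER_ARN PORT POLICY
# Prints one line "OK|DEPRECATED LISTENER_ARN PORT POLICY". Pure function over
# one row of describe-listeners text output, so it can be checked offline.
classify_listener() {
    if is_recommended "$3"; then
        echo "OK $1 $2 $3"
    else
        echo "DEPRECATED $1 $2 $3"
    fi
}

# audit_nlb_listeners: one classified line per TLS listener on every NLB in the
# current region. TCP/UDP listeners carry no SslPolicy and are skipped.
audit_nlb_listeners() {
    for lb in $(aws elbv2 describe-load-balancers \
                    --query "LoadBalancers[?Type=='network'].LoadBalancerArn" \
                    --output text); do
        aws elbv2 describe-listeners --load-balancer-arn "$lb" \
            --query "Listeners[?Protocol=='TLS'].[ListenerArn,Port,SslPolicy]" \
            --output text |
        while read -r arn port policy; do
            [ -n "$arn" ] || continue
            classify_listener "$arn" "$port" "$policy"
        done
    done
}

# fix_nlb_listeners: switch every DEPRECATED listener to TARGET_POLICY.
# modify-listener leaves unspecified properties (certificate, default action)
# unchanged, so only the negotiation policy is touched.
fix_nlb_listeners() {
    audit_nlb_listeners | while read -r status arn port policy; do
        if [ "$status" = "DEPRECATED" ]; then
            echo "Updating $arn (port $port): $policy -> $TARGET_POLICY"
            aws elbv2 modify-listener --listener-arn "$arn" \
                --ssl-policy "$TARGET_POLICY" --output text \
                --query "Listeners[0].SslPolicy"
        fi
    done
}

case "${1:-}" in
    audit) audit_nlb_listeners ;;
    fix)   fix_nlb_listeners ;;
esac
```

Run `audit` first and review the DEPRECATED lines; `fix` is a live change to the listener and, with the TLS 1.2-only target, will reject clients that can only speak TLS 1.0 or 1.1. The same classification works for ALB HTTPS listeners, but ALBs also accept custom policies, so the "not in the predefined list" check is only meaningful for NLBs.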