Ensure that your Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using insecure and deprecated security policies for SSL negotiation configuration within your Application Load Balancers will expose the connection between the client and the load balancer to various SSL/TLS vulnerabilities. To maintain your ALBs SSL configuration secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", "ELBSecurityPolicy-FS-2018-06", "ELBSecurityPolicy-2016-08" or "ELBSecurityPolicy-TLS-1-1-2017-01".
Note: Custom security policies are not allowed.
To determine if your load balancers are using deprecated security policies, perform the following:
To update your Application Load Balancers (ALBs) listeners configuration to use the latest predefined security policies, perform the following actions: