Ensure that your Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using insecure or deprecated security policies for the SSL negotiation configuration of your Application Load Balancers exposes the connection between the client and the load balancer to known SSL/TLS vulnerabilities. To keep your ALB SSL configuration secure, Cloud Conformity recommends using one of the latest predefined security policies released by Amazon Web Services: ELBSecurityPolicy-TLS-1-1-2017-01, ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-1-2-Res-2019-08, ELBSecurityPolicy-FS-1-1-2019-08 or ELBSecurityPolicy-FS-1-2-2019-08. Note that the two policies with "1-1" in their name (ELBSecurityPolicy-TLS-1-1-2017-01 and ELBSecurityPolicy-FS-1-1-2019-08) still accept TLS 1.1 handshakes; where your clients support it, prefer a TLS 1.2-only policy such as ELBSecurityPolicy-FS-1-2-Res-2019-08.
Note: Application Load Balancers do not support custom security policies; an HTTPS listener must use one of the predefined policies.
Audit
To determine if your load balancers are using deprecated security policies, perform the following:
Remediation / Resolution
To update your Application Load Balancers (ALBs) listeners configuration to use the latest predefined security policies, perform the following actions:
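The following script is an added example covering both the Audit and the Remediation steps above; it is not part of the Cloud Conformity page or tooling. It uses only the elbv2 CLI commands listed in the references (describe-load-balancers, describe-listeners, modify-listener) and assumes the AWS CLI is installed with credentials that allow those calls. The approved-policy list is the one from this page; the policy that remediation switches deprecated listeners to (ELBSecurityPolicy-FS-1-2-Res-2019-08) is an assumption chosen here because it is TLS 1.2-only with forward secrecy.

```shell
#!/usr/bin/env bash
# Added example (not Cloud Conformity's own tooling): audit every HTTPS
# listener of every Application Load Balancer in a region against the
# approved predefined policies and, on request, move non-compliant
# listeners to an approved policy with modify-listener.
# Assumes the AWS CLI and credentials permitting
# elasticloadbalancing:Describe* and elasticloadbalancing:ModifyListener.

# Predefined policies the rule accepts (the list from the page above).
APPROVED_POLICIES="ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-TLS-1-2-Ext-2018-06 ELBSecurityPolicy-FS-1-2-Res-2019-08 ELBSecurityPolicy-FS-1-1-2019-08 ELBSecurityPolicy-FS-1-2-2019-08"

# Policy remediation switches deprecated listeners to. Assumption made for
# this example: TLS 1.2 only, forward-secret, restricted cipher set.
TARGET_POLICY="ELBSecurityPolicy-FS-1-2-Res-2019-08"

# classify_policy NAME: prints COMPLIANT (exit 0) or DEPRECATED (exit 1).
classify_policy() {
    local name="$1" p
    for p in $APPROVED_POLICIES; do
        if [ "$p" = "$name" ]; then
            echo COMPLIANT
            return 0
        fi
    done
    echo DEPRECATED
    return 1
}

# report_listeners: reads "LISTENER_ARN<TAB>SSL_POLICY" lines on stdin (the
# text output of describe-listeners), prints "STATUS POLICY LISTENER_ARN"
# per listener and returns 1 if any listener uses a non-approved policy.
report_listeners() {
    local listener_arn policy status rc=0
    while read -r listener_arn policy; do
        [ -n "$listener_arn" ] || continue
        status=$(classify_policy "$policy") || rc=1
        echo "$status $policy $listener_arn"
    done
    return $rc
}

# audit_region REGION: Audit step. Only ALBs (Type==application) are
# considered, and only HTTPS listeners carry an SslPolicy.
audit_region() {
    local region="$1" lb_arn rc=0
    for lb_arn in $(aws elbv2 describe-load-balancers --region "$region" \
            --query 'LoadBalancers[?Type==`application`].LoadBalancerArn' \
            --output text); do
        echo "# $lb_arn"
        aws elbv2 describe-listeners --region "$region" \
            --load-balancer-arn "$lb_arn" \
            --query 'Listeners[?Protocol==`HTTPS`].[ListenerArn,SslPolicy]' \
            --output text | report_listeners || rc=1
    done
    return $rc
}

# remediate_region REGION: Remediation step. Re-runs the audit and updates
# each DEPRECATED listener to TARGET_POLICY, printing the policy AWS
# reports back so the change can be confirmed.
remediate_region() {
    local region="$1" status policy listener_arn
    audit_region "$region" | while read -r status policy listener_arn; do
        [ "$status" = DEPRECATED ] || continue
        echo "updating $listener_arn -> $TARGET_POLICY"
        aws elbv2 modify-listener --region "$region" \
            --listener-arn "$listener_arn" --ssl-policy "$TARGET_POLICY" \
            --query 'Listeners[0].SslPolicy' --output text
    done
}

# Usage (uncomment one):
# audit_region us-east-1       # report only; exit 1 if anything is deprecated
# remediate_region us-east-1   # report and fix
```

Run the audit first and review the listener ARNs it flags; a listener that still serves clients limited to TLS 1.1 will stop negotiating once moved to a TLS 1.2-only policy, so confirm client support before running the remediation step.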
References
- AWS Documentation
- Elastic Load Balancing FAQs
- Application Load Balancers
- HTTPS Listeners for Your Application Load Balancer
- AWS Command Line Interface (CLI) Documentation
- elbv2
- describe-load-balancers
- describe-listeners
- modify-listener
Rule: ELBv2 ALB Security Policy
Risk level: Medium