Ensure ELBs do not allow insecure SSL protocols or ciphers

Error: ELBs allow insecure SSL protocols or ciphers

Bridgecrew Policy ID: BC_AWS_NETWORKING_34
Severity: MEDIUM

ELBs allow insecure SSL protocols or ciphers

Description

Using older SSL protocols or ciphers that are no longer considered secure could result in the connection between load balancer and server being exploited.

Elastic Load Balancers (ELB).

The following predefined security policies are acceptable for classic load balancers:

  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01

Application load balancers can use the above policies, but have other acceptable policies as follows:

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-FS-2018-06
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-2015-05

For classic ELBs you can review the AWS documentation which highlights the recommended SSL ciphers here.

Fix - Runtime

AWS Console

📘

Note

Ensure you are in the correct region.

Classic Load Balancer Procedure

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. On the left menu, click Load Balancers.
  4. Select the load balancer for review.
  5. Select the Listeners tab.
  6. On the HTTPS listener, select the Cipher column.
  7. Select Change.
  8. Navigate to the Select a Cipher panel and select one of the acceptable predefined security policies (listed above). Alternatively, create a custom security policy based on the recommended ciphers listed in AWS documentation.
  9. Scroll down and click Save.

Application Load Balancer Procedure

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. On the left menu, click Load Balancers.
  4. Select the load balancer for review.
  5. Select the Listeners tab.
  6. Select the HTTPS listener, click Edit.
  7. Navigate to Security Policy and select one of the acceptable predefined security policies (listed above).
  8. Click Update.

Did this page help you?