Ensure ELB enforces recommended SSL/TLS protocol version

Using insecure ciphers for your ELB Predefined or Custom Security Policy, could make the SSL connection between the client and the load balancer vulnerable to exploits. TLS 1.0 was recommended to be disabled by PCI Council after June 30, 2016

Risk Level: High
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.CFT.CRY.03
Covered by Spectral: Yes
Category: Networking & Content Delivery


AWS_ElasticLoadBalancingV2_Listener should have SslPolicy!='Protocol-TLSv1'


From CFT
Set AWS::ElasticLoadBalancingV2::Listener SslPolicy property to be other than Protocol-TLSv1


  1. http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Compliance Frameworks

  • AWS CloudFormation ruleset