Ensure ELB enforces recommended SSL/TLS protocol version
Using insecure ciphers for your ELB Predefined or Custom Security Policy, could make the SSL connection between the client and the load balancer vulnerable to exploits. TLS 1.0 was recommended to be disabled by PCI Council after June 30, 2016
Risk Level: High
Cloud Entity: Elastic Load Balancing (ELB)
CloudGuard Rule ID: D9.CFT.CRY.03
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
AWS_ElasticLoadBalancingV2_Listener should have SslPolicy!='Protocol-TLSv1'
REMEDIATION
From CFT
Set AWS::ElasticLoadBalancingV2::Listener SslPolicy
property to be other than Protocol-TLSv1
References
- http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html
Elastic Load Balancing (ELB)
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated over 1 year ago