lacework-global-184
ELB should not use insecure Cipher(s)
Description
A Classic Elastic Load Balancer terminates TLS according to the SSL negotiation policy attached to each HTTPS listener; that policy lists the cipher suites the load balancer is willing to negotiate. The suites below are export-grade (EXP-), Kerberos (KRB5-) or pre-shared-key (PSK-) suites, or depend on RC2, RC4 or single DES, and none of them should be offered to clients. A violation is triggered when any of the following ciphers is enabled in the SSL negotiation policy of an HTTPS listener on an ELB:
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-KRB5-DES-CBC-MD5
EXP-KRB5-DES-CBC-SHA
EXP-KRB5-RC2-CBC-MD5
EXP-KRB5-RC2-CBC-SHA
EXP-KRB5-RC4-MD5
EXP-KRB5-RC4-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
KRB5-DES-CBC3-MD5
KRB5-DES-CBC3-SHA
KRB5-DES-CBC-MD5
KRB5-DES-CBC-SHA
KRB5-RC4-MD5
KRB5-RC4-SHA
PSK-3DES-EDE-CBC-SHA
PSK-AES128-CBC-SHA
PSK-AES256-CBC-SHA
PSK-RC4-SHA
RC2-CBC-MD5
Remediation
Log in to the AWS Management Console.
Click Services.
Select Compute > EC2.
In the left frame of the EC2 Dashboard, select LOAD BALANCING > Load Balancers.
Select the Load Balancer that has the violation reported by Lacework.
At the bottom of the page, select the Listeners tab.
For the HTTPS listener that triggered the violation, under Cipher, click Change.
Select a Predefined Security Policy or a Custom Security Policy with no insecure SSL Ciphers.
Click Save.
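The console steps above can be scripted. The following is an added example, not Lacework's or AWS's own code: it runs the same check over the JSON shapes returned by aws elb describe-load-balancer-policies and aws elb describe-load-balancers, and prints the AWS CLI equivalent of the remediation (create a policy that references an AWS predefined security policy, then bind it to the listener). Both embedded responses are constructed; the load balancer name web-classic-elb, the policy name legacy-ssl-policy and the new policy name tls12-only are illustrative. It also covers SSL (TCP-over-TLS) listeners, which use the same policy type, although the Lacework rule itself names HTTPS listeners.

```python
"""Check Classic ELB SSL negotiation policies for the ciphers flagged by
lacework-global-184 and print the AWS CLI commands that remediate a finding.

Added example, not Lacework's or AWS's code. It consumes the JSON shape of
`aws elb describe-load-balancer-policies` and `aws elb describe-load-balancers`
(both embedded responses below are constructed) and never calls AWS itself.
"""
import json

# The cipher attribute names, exactly as Classic ELB spells them in a policy.
INSECURE_CIPHERS = frozenset({
    "EXP-ADH-DES-CBC-SHA", "EXP-ADH-RC4-MD5", "EXP-DES-CBC-SHA",
    "EXP-EDH-DSS-DES-CBC-SHA", "EXP-EDH-RSA-DES-CBC-SHA", "EXP-KRB5-DES-CBC-MD5",
    "EXP-KRB5-DES-CBC-SHA", "EXP-KRB5-RC2-CBC-MD5", "EXP-KRB5-RC2-CBC-SHA",
    "EXP-KRB5-RC4-MD5", "EXP-KRB5-RC4-SHA", "EXP-RC2-CBC-MD5", "EXP-RC4-MD5",
    "KRB5-DES-CBC3-MD5", "KRB5-DES-CBC3-SHA", "KRB5-DES-CBC-MD5", "KRB5-DES-CBC-SHA",
    "KRB5-RC4-MD5", "KRB5-RC4-SHA", "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA",
    "PSK-AES256-CBC-SHA", "PSK-RC4-SHA", "RC2-CBC-MD5",
})

# Constructed `describe-load-balancer-policies` output: one hand-built policy
# that still enables two flagged ciphers, and one AWS predefined policy.
POLICIES_JSON = """{"PolicyDescriptions": [
  {"PolicyName": "legacy-ssl-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
     {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "true"},
     {"AttributeName": "KRB5-RC4-SHA", "AttributeValue": "true"},
     {"AttributeName": "PSK-AES128-CBC-SHA", "AttributeValue": "false"},
     {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"}]},
  {"PolicyName": "ELBSecurityPolicy-TLS-1-2-2017-01", "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"},
     {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "false"},
     {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"}]}
]}"""

# Constructed `describe-load-balancers` output: the 443 listener uses the bad policy.
LOAD_BALANCERS_JSON = """{"LoadBalancerDescriptions": [
  {"LoadBalancerName": "web-classic-elb", "ListenerDescriptions": [
     {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80}, "PolicyNames": []},
     {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 8443},
      "PolicyNames": ["legacy-ssl-policy"]}]}]}"""


def insecure_ciphers_by_policy(policies_doc):
    """Map policy name -> sorted list of flagged ciphers whose attribute is "true".

    Only SSLNegotiationPolicyType policies are inspected; a flagged cipher that
    appears with AttributeValue "false" is disabled and does not count.
    """
    findings = {}
    for pol in policies_doc.get("PolicyDescriptions", []):
        if pol.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        enabled = sorted(
            attr["AttributeName"]
            for attr in pol.get("PolicyAttributeDescriptions", [])
            if attr["AttributeName"] in INSECURE_CIPHERS
            and str(attr.get("AttributeValue", "")).lower() == "true"
        )
        if enabled:
            findings[pol["PolicyName"]] = enabled
    return findings


def violating_listeners(lb_doc, bad_policies):
    """Return (lb_name, port) for each HTTPS/SSL listener bound to a flagged policy."""
    hits = []
    for lb in lb_doc.get("LoadBalancerDescriptions", []):
        for ld in lb.get("ListenerDescriptions", []):
            listener = ld["Listener"]
            if listener["Protocol"] not in ("HTTPS", "SSL"):
                continue
            if any(p in bad_policies for p in ld.get("PolicyNames", [])):
                hits.append((lb["LoadBalancerName"], listener["LoadBalancerPort"]))
    return hits


def remediation_commands(lb_name, port, new_policy="tls12-only",
                         reference="ELBSecurityPolicy-TLS-1-2-2017-01"):
    """CLI equivalent of the console steps: create a policy that references an
    AWS predefined security policy, then bind it to the listener.
    `new_policy` is a name of our choosing (assumed); `reference` is a real
    predefined Classic ELB security policy."""
    return [
        f"aws elb create-load-balancer-policy --load-balancer-name {lb_name} "
        f"--policy-name {new_policy} --policy-type-name SSLNegotiationPolicyType "
        f"--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue={reference}",
        f"aws elb set-load-balancer-policies-of-listener --load-balancer-name {lb_name} "
        f"--load-balancer-port {port} --policy-names {new_policy}",
    ]


def audit(policies_json=POLICIES_JSON, lb_json=LOAD_BALANCERS_JSON):
    """Run the whole check over raw JSON text; returns (findings, violating listeners)."""
    bad = insecure_ciphers_by_policy(json.loads(policies_json))
    return bad, violating_listeners(json.loads(lb_json), bad)


if __name__ == "__main__":
    bad, hits = audit()
    for name, ciphers in bad.items():
        print(f"policy {name} enables insecure ciphers: {', '.join(ciphers)}")
    for lb_name, port in hits:
        print(f"listener {lb_name}:{port} is in violation; remediate with:")
        for cmd in remediation_commands(lb_name, port):
            print("  " + cmd)
```

Against live output, pipe the two describe commands into audit() instead of the constructed strings. The check keys on AttributeValue "true" rather than on the cipher merely being listed, because a describe response enumerates every cipher the policy type knows about, with disabled ones set to "false".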