lacework-global-184

ELB should not use insecure Cipher(s)

Description

It is recommended not to use vulnerable SSL ciphers for communicating with an Elastic Load Balancer. A violation is triggered when any of the following insecure ciphers are configured for an HTTPS listener of an ELB:

EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-KRB5-DES-CBC-MD5
EXP-KRB5-DES-CBC-SHA
EXP-KRB5-RC2-CBC-MD5
EXP-KRB5-RC2-CBC-SHA
EXP-KRB5-RC4-MD5
EXP-KRB5-RC4-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
KRB5-DES-CBC3-MD5
KRB5-DES-CBC3-SHA
KRB5-DES-CBC-MD5
KRB5-DES-CBC-SHA
KRB5-RC4-MD5
KRB5-RC4-SHA
PSK-3DES-EDE-CBC-SHA
PSK-AES128-CBC-SHA
PSK-AES256-CBC-SHA
PSK-RC4-SHA
RC2-CBC-MD5
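As an added example (not part of this Lacework policy or its code), the check described above expressed in Python over the policy structure that boto3's `elb.describe_load_balancer_policies()` returns for a Classic ELB; the sample policy and its name are constructed for illustration.

```python
# Added example, not Lacework's code: flag the insecure ciphers this policy
# lists when they are enabled on a Classic ELB SSL negotiation policy.
# Input shape matches boto3 elb.describe_load_balancer_policies():
# PolicyDescriptions[].PolicyAttributeDescriptions[] with AttributeName
# (cipher or protocol) and AttributeValue ("true"/"false").

INSECURE_CIPHERS = frozenset({
    "EXP-ADH-DES-CBC-SHA", "EXP-ADH-RC4-MD5", "EXP-DES-CBC-SHA",
    "EXP-EDH-DSS-DES-CBC-SHA", "EXP-EDH-RSA-DES-CBC-SHA",
    "EXP-KRB5-DES-CBC-MD5", "EXP-KRB5-DES-CBC-SHA", "EXP-KRB5-RC2-CBC-MD5",
    "EXP-KRB5-RC2-CBC-SHA", "EXP-KRB5-RC4-MD5", "EXP-KRB5-RC4-SHA",
    "EXP-RC2-CBC-MD5", "EXP-RC4-MD5", "KRB5-DES-CBC3-MD5", "KRB5-DES-CBC3-SHA",
    "KRB5-DES-CBC-MD5", "KRB5-DES-CBC-SHA", "KRB5-RC4-MD5", "KRB5-RC4-SHA",
    "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA",
    "PSK-RC4-SHA", "RC2-CBC-MD5",
})


def enabled_insecure_ciphers(policy):
    """Sorted list of flagged ciphers that one policy description enables."""
    return sorted(
        attr["AttributeName"]
        for attr in policy.get("PolicyAttributeDescriptions", [])
        if attr["AttributeName"] in INSECURE_CIPHERS
        and str(attr.get("AttributeValue", "")).lower() == "true"
    )


def check_listener_policies(policy_descriptions, listener_policy_names):
    """Map each policy attached to an HTTPS listener to its enabled insecure
    ciphers; an empty dict means the listener is compliant with this policy."""
    by_name = {p["PolicyName"]: p for p in policy_descriptions}
    findings = {}
    for name in listener_policy_names:
        bad = enabled_insecure_ciphers(by_name.get(name, {}))
        if bad:
            findings[name] = bad
    return findings


# Constructed sample: a custom policy with two flagged ciphers on, one off.
SAMPLE_POLICIES = [{
    "PolicyName": "custom-legacy-policy",  # hypothetical name
    "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
        {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
        {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "true"},
        {"AttributeName": "PSK-RC4-SHA", "AttributeValue": "false"},
        {"AttributeName": "KRB5-DES-CBC-SHA", "AttributeValue": "true"},
    ],
}]

if __name__ == "__main__":
    print(check_listener_policies(SAMPLE_POLICIES, ["custom-legacy-policy"]))
```

Against a live account, the policy names to pass come from `ListenerDescriptions[].PolicyNames` in `elb.describe_load_balancers()` for each listener whose protocol is HTTPS or SSL.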

Remediation

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2.

  4. In the left frame of the EC2 Dashboard, select LOAD BALANCING > Load Balancers.

  5. Select the Load Balancer that has the violation reported by Lacework.

  6. At the bottom of the page, select the Listeners tab.

  7. For the HTTPS listener that triggered the violation, under Cipher, click Change.

  8. Select a Predefined Security Policy or a Custom Security Policy with no insecure SSL Ciphers.

  9. Click Save.