
lacework-global-224

Ensure ELBv2 Has the Latest Secure Cipher Policies Configured for Session Encryption

Description

It is recommended that the HTTPS/TLS listeners on your Application and Network Load Balancers use one of the following newer predefined security policies (TLS cipher-suite sets) for session encryption:

ELBSecurityPolicy-2016-08

ELBSecurityPolicy-TLS-1-1-2017-01

ELBSecurityPolicy-TLS-1-2-2017-01

ELBSecurityPolicy-TLS-1-2-Ext-2018-06

ELBSecurityPolicy-FS-2018-06

ELBSecurityPolicy-FS-1-1-2019-08

ELBSecurityPolicy-FS-1-2-2019-08

ELBSecurityPolicy-FS-1-2-Res-2019-08

ELBSecurityPolicy-FS-1-2-Res-2020-10

ELBSecurityPolicy-TLS13-1-2-2021-06

A violation is reported when a listener on one of your load balancers is configured with a security policy that is not in the list above.
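The check this policy describes can be reproduced against the output of `aws elbv2 describe-listeners`. The following is an added example, not Lacework's or AWS's code: it evaluates listener records of that shape against the allow-list above, skips plaintext HTTP/TCP listeners (which carry no `SslPolicy`), and treats a missing `SslPolicy` on an encrypted listener as a finding. The sample listener data and ARNs are constructed.

```python
# Added example (not Lacework's code): flag ELBv2 listeners whose security
# policy is not in this page's allow-list. Input records are shaped like the
# "Listeners" entries returned by `aws elbv2 describe-listeners`.

APPROVED_SSL_POLICIES = frozenset({
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-2018-06",
    "ELBSecurityPolicy-FS-1-1-2019-08",
    "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
})

# Only HTTPS (Application LB) and TLS (Network LB) listeners have a policy.
ENCRYPTED_PROTOCOLS = frozenset({"HTTPS", "TLS"})


def find_violations(listeners):
    """Return a list of (listener_arn, reason) for every encrypted listener
    whose SslPolicy is absent or not in APPROVED_SSL_POLICIES."""
    violations = []
    for listener in listeners:
        if listener.get("Protocol") not in ENCRYPTED_PROTOCOLS:
            continue  # plaintext listener: nothing to evaluate
        policy = listener.get("SslPolicy")
        if policy is None:
            violations.append((listener["ListenerArn"], "no SslPolicy set"))
        elif policy not in APPROVED_SSL_POLICIES:
            violations.append((listener["ListenerArn"], f"deprecated policy {policy}"))
    return violations


# Constructed sample (placeholder account id and ARNs): three listeners on one ALB.
_ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/demo/0123456789abcdef/"
SAMPLE_LISTENERS = [
    {"ListenerArn": _ARN_PREFIX + "aaaa", "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": _ARN_PREFIX + "bbbb", "Protocol": "HTTPS", "Port": 8443,
     "SslPolicy": "ELBSecurityPolicy-2015-05"},
    {"ListenerArn": _ARN_PREFIX + "cccc", "Protocol": "HTTP", "Port": 80},
]

if __name__ == "__main__":
    for arn, reason in find_violations(SAMPLE_LISTENERS):
        # CLI equivalent of remediation steps 7-12 for a flagged listener:
        #   aws elbv2 modify-listener --listener-arn <arn> --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06
        print(f"VIOLATION {arn}: {reason}")
```

Only the second listener is reported; the HTTP listener is skipped because it has no security policy to evaluate.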

Remediation

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2.

  4. In the left frame of the EC2 Dashboard, select LOAD BALANCING > Load Balancers.

  5. Select the Load Balancer that has the violation reported by Lacework.

  6. At the bottom of the page, select the Listeners tab.

  7. Select the Listener you would like to edit.

  8. Click Edit.

  9. Ensure Protocol is set to HTTPS (Application load balancer) or TLS (Network load balancer).

  10. Under Secure listener settings, expand the Security policy dropdown.

  11. Select one of the following newer security policies for session encryption:

    ELBSecurityPolicy-2016-08

    ELBSecurityPolicy-TLS-1-1-2017-01

    ELBSecurityPolicy-TLS-1-2-2017-01

    ELBSecurityPolicy-TLS-1-2-Ext-2018-06

    ELBSecurityPolicy-FS-2018-06

    ELBSecurityPolicy-FS-1-1-2019-08

    ELBSecurityPolicy-FS-1-2-2019-08

    ELBSecurityPolicy-FS-1-2-Res-2019-08

    ELBSecurityPolicy-FS-1-2-Res-2020-10

    ELBSecurityPolicy-TLS13-1-2-2021-06

  12. Click Save changes.