Ensure weak ciphers are removed for AWS Elastic Load Balancers (ELB)

HIGH

Description

Remove insecure ciphers, and the legacy protocol versions that carry them, from the SSL negotiation security policy (predefined or custom) applied to your AWS ELB HTTPS listener. Weak suites such as RC4, 3DES and export-grade ciphers, and protocols such as SSLv3 and TLS 1.0, let an attacker downgrade or decrypt the TLS connection between the client and the load balancer.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the EC2 dashboard.
  2. In the navigation panel, select Load Balancers under Load balancing.
  3. Select the Elastic Load Balancer you want to change.
  4. Select the Listeners tab. In the Cipher column of the HTTPS listener, select Change.
  5. Either choose a current predefined security policy, or choose Custom Security Policy and clear every legacy protocol version and weak cipher (RC4, 3DES/DES-CBC3, export-grade and NULL suites), then save the listener.

In Terraform -

  1. In the aws_load_balancer_policy resource with policy_type_name set to SSLNegotiationPolicyType, create a policy_attribute block for each secure cipher and protocol version, with the name field set to the cipher or protocol attribute name.
  2. Set the policy_attribute.value field to the string "true" for the attributes you want enabled. Leave weak ciphers and legacy protocols out of the block, or set their value to "false", and attach the policy to the HTTPS listener with aws_load_balancer_listener_policy.
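A complete Terraform remediation, as an added example that is not part of the original page or of the Terraform provider documentation: it assumes a Classic ELB named web-elb, a certificate_arn variable, the availability zones shown, and a policy named web-elb-tls12. Weak attributes are set to "false" explicitly so the result does not depend on the policy type's defaults.

```hcl
# Added example (not from the original page or from AWS/HashiCorp): a Classic
# ELB HTTPS listener with a custom SSL negotiation policy that enables only
# TLS 1.2 and forward-secret AEAD cipher suites, and explicitly disables
# legacy protocols and weak ciphers. Resource names (web-elb, web-elb-tls12),
# the availability zones and the certificate_arn variable are assumptions.

variable "certificate_arn" {
  description = "ARN of the ACM or IAM server certificate for the HTTPS listener (assumed)"
  type        = string
}

resource "aws_elb" "web" {
  name               = "web-elb"
  availability_zones = ["us-east-1a", "us-east-1b"]

  listener {
    instance_port      = 8080
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = var.certificate_arn
  }
}

# Each policy_attribute value is the string "true" or "false".
resource "aws_load_balancer_policy" "tls12" {
  load_balancer_name = aws_elb.web.name
  policy_name        = "web-elb-tls12"
  policy_type_name   = "SSLNegotiationPolicyType"

  # Protocol versions: only TLS 1.2; SSLv3, TLS 1.0 and TLS 1.1 are disabled.
  policy_attribute {
    name  = "Protocol-TLSv1.2"
    value = "true"
  }
  policy_attribute {
    name  = "Protocol-TLSv1.1"
    value = "false"
  }
  policy_attribute {
    name  = "Protocol-TLSv1"
    value = "false"
  }
  policy_attribute {
    name  = "Protocol-SSLv3"
    value = "false"
  }

  # Let the load balancer, not the client, pick the suite.
  policy_attribute {
    name  = "Server-Defined-Cipher-Order"
    value = "true"
  }

  # Enabled: forward-secret AEAD suites.
  policy_attribute {
    name  = "ECDHE-ECDSA-AES128-GCM-SHA256"
    value = "true"
  }
  policy_attribute {
    name  = "ECDHE-RSA-AES128-GCM-SHA256"
    value = "true"
  }
  policy_attribute {
    name  = "ECDHE-ECDSA-AES256-GCM-SHA384"
    value = "true"
  }
  policy_attribute {
    name  = "ECDHE-RSA-AES256-GCM-SHA384"
    value = "true"
  }

  # Disabled: weak suites the rule flags (3DES and RC4 shown here).
  policy_attribute {
    name  = "DES-CBC3-SHA"
    value = "false"
  }
  policy_attribute {
    name  = "RC4-SHA"
    value = "false"
  }
}

# The policy only takes effect once it is attached to the HTTPS listener.
resource "aws_load_balancer_listener_policy" "https" {
  load_balancer_name = aws_elb.web.name
  load_balancer_port = 443
  policy_names       = [aws_load_balancer_policy.tls12.policy_name]
}
```

After terraform apply, confirm the effective policy with aws elb describe-load-balancer-policies --load-balancer-name web-elb --policy-names web-elb-tls12 and check that no legacy protocol or weak cipher attribute reports the value true. If an explicit cipher list is more than you want to maintain, a single policy_attribute with name "Reference-Security-Policy" and value set to a current AWS predefined policy (for example ELBSecurityPolicy-TLS-1-2-2017-01) reaches the same end and is updated by AWS as suites are retired.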

References:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy#policy_attribute

Policy Details

Rule Reference ID: AC_AWS_0171
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: Load Balancer

Frameworks