Ensure recommended SSL/TLS protocol version is used for AWS Elastic Load Balancers (ELB)

HIGH

Description

Using the latest version of TLS helps keep data in transit protected from man-in-the-middle and similar attacks.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the Load Balancer Console.
  2. Choose the load balancer to edit and, in the Actions drop-down, select Edit Listener.
  3. Under Secure listener settings, set the Security policy to ELBSecurityPolicy-TLS-1-2-Ext-2018-06 or newer.
  4. Select Save changes.

In Terraform -

  1. In the aws_load_balancer_policy resource, create a policy_attribute block.
  2. Set the policy_attribute name to Protocol-TLSv1.2 and the value to true.
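
The two Terraform steps above carried through to a complete configuration, as an added example that is not part of this policy page. It assumes a Classic Load Balancer named `web` with an HTTPS listener on port 443; the resource names, the `var.*` inputs (subnets, security groups, certificate ARN) and the cipher selection are assumptions. It goes slightly beyond the two steps: besides setting `Protocol-TLSv1.2` to `true`, it explicitly sets the older protocol attributes to `false` rather than relying on defaults, and it attaches the policy to the listener, without which the policy has no effect.

```hcl
# Added example (not from the policy page): Classic ELB with a custom TLS
# negotiation policy that allows only TLS 1.2 on the HTTPS listener.
# Resource names, the var.* inputs and the certificate ARN are placeholders.

variable "subnet_ids"         { type = list(string) }
variable "security_group_ids" { type = list(string) }
variable "certificate_arn"    { type = string }   # placeholder: ACM or IAM certificate ARN

resource "aws_elb" "web" {
  name            = "web-elb"
  subnets         = var.subnet_ids
  security_groups = var.security_group_ids

  listener {
    instance_port      = 8080
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = var.certificate_arn
  }
}

resource "aws_load_balancer_policy" "tls12_only" {
  load_balancer_name = aws_elb.web.name
  policy_name        = "tls12-only"
  policy_type_name   = "SSLNegotiationPolicyType"

  # Step 2 of the remediation: enable TLS 1.2.
  policy_attribute {
    name  = "Protocol-TLSv1.2"
    value = "true"
  }

  # Beyond the page's two steps: switch the legacy protocols off explicitly
  # so the policy can never negotiate them, whatever the provider defaults are.
  policy_attribute {
    name  = "Protocol-TLSv1.1"
    value = "false"
  }
  policy_attribute {
    name  = "Protocol-TLSv1"
    value = "false"
  }
  policy_attribute {
    name  = "Protocol-SSLv3"
    value = "false"
  }

  # Let the load balancer, not the client, decide the cipher preference order.
  policy_attribute {
    name  = "Server-Defined-Cipher-Order"
    value = "true"
  }

  # Forward-secret AEAD ciphers only (assumed selection, adjust to your clients).
  policy_attribute {
    name  = "ECDHE-ECDSA-AES128-GCM-SHA256"
    value = "true"
  }
  policy_attribute {
    name  = "ECDHE-RSA-AES128-GCM-SHA256"
    value = "true"
  }
  policy_attribute {
    name  = "ECDHE-RSA-AES256-GCM-SHA384"
    value = "true"
  }
}

# The policy only takes effect once it is attached to the HTTPS listener.
resource "aws_load_balancer_listener_policy" "web_https" {
  load_balancer_name = aws_elb.web.name
  load_balancer_port = 443
  policy_names       = [aws_load_balancer_policy.tls12_only.policy_name]
}
```

After `terraform apply`, the attributes actually in force can be checked with `aws elb describe-load-balancer-policies --load-balancer-name web-elb`, which should show `Protocol-TLSv1.2` as `true` and the older protocols as `false`. Note that `aws_load_balancer_policy` applies to Classic Load Balancers; for an Application Load Balancer the equivalent setting is the `ssl_policy` argument on the `aws_lb_listener` resource, where a predefined policy such as the one named in the console steps is selected by name.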

References:
https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy

Policy Details

Rule Reference ID: AC_AWS_0172
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: Load Balancer

Frameworks