AWS_ELB_65

Ensure ELB does not contain any weak ciphers

Description

Using insecure or deprecated ciphers in your ELB Predefined Security Policy or Custom Security Policy can leave the SSL/TLS connection between the client and the load balancer open to known attacks on those cipher suites. If your ELB SSL negotiation configuration uses outdated cipher suites, remove them from the Predefined or Custom Security Policy to reduce the risk of the connection being compromised.

Remediation

Perform the following steps to remove weak ciphers from an ELB:

  1. Login to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. In the navigation panel, under Load balancing, click Load Balancers.
  4. Select your Elastic Load Balancer.
  5. Select the Listeners tab from the bottom panel.
  6. In the Cipher column of the HTTPS listener click Change.
  7. In the Select a Cipher dialog box, choose one of the following configuration options:
    1. Predefined Security Policy:

      Select the latest predefined security policy from the list, named “ELBSecurityPolicy-2016-08”.

    2. Custom Security Policy:

      Uncheck any insecure or deprecated ciphers in the SSL Ciphers section, then click Save.

  8. Then click on Save button.
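As an added audit check (not part of this rule page or of any AWS tooling), the following Python flags Classic ELB SSL negotiation policies that either do not reference ELBSecurityPolicy-2016-08 or have deprecated attributes enabled. The input dict mirrors the shape of the describe-load-balancer-policies API response, the sample response is constructed, and the weak-attribute patterns are the editor's assumption rather than a list taken from the page.

```python
"""Audit Classic ELB SSL negotiation policies for weak ciphers (added example)."""
import re

# Predefined policy the rule page recommends.
RECOMMENDED_POLICY = "ELBSecurityPolicy-2016-08"

# Assumed markers of insecure/deprecated attributes (editor's assumption, not the page's list):
# RC4 and DES ciphers, MD5 MACs, export-grade and NULL suites, and the SSLv2/SSLv3 protocols.
WEAK_ATTRIBUTE = re.compile(r"RC4|DES|MD5|EXP|NULL|Protocol-SSLv[23]")


def audit_policies(response):
    """Return one finding per SSL negotiation policy that is not clean.

    `response` has the shape of a describe-load-balancer-policies result.
    A policy is clean when it references the recommended predefined policy
    and no weak attribute is enabled ("true").
    """
    findings = []
    for policy in response.get("PolicyDescriptions", []):
        if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue  # stickiness and other policy types carry no ciphers
        attrs = {a["AttributeName"]: a["AttributeValue"]
                 for a in policy.get("PolicyAttributeDescriptions", [])}
        reference = attrs.get("Reference-Security-Policy")
        weak = sorted(name for name, value in attrs.items()
                      if value == "true" and WEAK_ATTRIBUTE.search(name))
        if reference == RECOMMENDED_POLICY and not weak:
            continue
        findings.append({"policy": policy["PolicyName"],
                         "reference": reference, "weak_enabled": weak})
    return findings


# Constructed sample response: one legacy custom policy, one clean predefined policy,
# and one non-SSL policy that must be ignored.
SAMPLE_RESPONSE = {"PolicyDescriptions": [
    {"PolicyName": "legacy-custom-ssl", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
         {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
         {"AttributeName": "RC4-SHA", "AttributeValue": "true"},
         {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "true"},
         {"AttributeName": "AES128-GCM-SHA256", "AttributeValue": "true"}]},
    {"PolicyName": "ELBSecurityPolicy-2016-08", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Reference-Security-Policy", "AttributeValue": RECOMMENDED_POLICY},
         {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
         {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
         {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "false"}]},
    {"PolicyName": "app-cookie", "PolicyTypeName": "AppCookieStickinessPolicyType",
     "PolicyAttributeDescriptions": [{"AttributeName": "CookieName", "AttributeValue": "sid"}]}]}

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_RESPONSE):
        print(finding)
```

Only policies attached to an HTTPS listener matter in practice, so pair this with the listener's PolicyNames from describe-load-balancers before reporting.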

References:

Service

ELB

Severity

High

Compliance

Mapping
