ELB security policy does not contain any insecure ciphers

Classification:

compliance

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

Update your Elastic Load Balancer’s (ELB’s) SSL with a secure cipher.

Rationale

SSL connections that use insecure or outdated ciphers are vulnerable to exploits.

Remediation

Console

Follow the SSL negotiation configurations Classic Load Balancers docs to learn how to configure a secure SSL cipher.

CLI

Run describe-load-balancer-policies to list all predefined security policies.
describe-load-balancer-policy.sh
```
    aws elb describe-load-balancer-policies
    --output table
    
```

Run create-load-balancer-policy to create a security policy with a secure cipher using one of the SSL configurations listed in the previous step.

create-load-balancer-policy.sh

    aws elb create-load-balancer-policy
        --load-balancer-name YourLoadBalancerName
        --policy-name YourCustomSecurityPolicy
        --policy-type-name YourPolicyTypeName
        --policy-attributes AttributeName=Protocol-TLSv1.2,AttributeValue=true AttributeName=Protocol-TLSv1.1,AttributeValue=true AttributeName=ECDHE-RSA-AES128-SHA,AttributeValue=true AttributeName=Server-Defined-Cipher-Order,AttributeValue=true
    