Load balancer listeners must use secure TLS policies to prevent protocol downgrade and known cryptographic vulnerabilities that could allow interception or decryption of client traffic.
For Ansible ELB modules (community.aws.elb_network_lb, elb_network_lb, amazon.aws.elb_application_lb, elb_application_lb), the listeners property must be defined and each listener must include SslPolicy set to a modern, secure policy (not legacy SSL/TLS protocol policies).
This rule flags resources missing listeners, listeners missing SslPolicy, or any SslPolicy set to Protocol-SSLv2, Protocol-SSLv3, Protocol-TLSv1, or Protocol-TLSv1.1.
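The three conditions above, applied to Ansible tasks by a small checker added here as an illustration (not Datadog's rule implementation). It works on tasks already parsed into Python dicts, the shape PyYAML's `yaml.safe_load` returns for a playbook, so that it runs without extra dependencies; the sample tasks, module parameters and finding messages are constructed for the demo.

```python
# Added example, not Datadog's implementation: apply the rule's three checks to
# Ansible tasks parsed into dicts (the shape yaml.safe_load returns for a playbook).
ELB_MODULES = {"community.aws.elb_network_lb", "elb_network_lb",
               "amazon.aws.elb_application_lb", "elb_application_lb"}
# Legacy protocol policies the rule rejects.
INSECURE_POLICIES = {"Protocol-SSLv2", "Protocol-SSLv3",
                     "Protocol-TLSv1", "Protocol-TLSv1.1"}


def check_task(task):
    """Return finding strings for one task; an empty list means compliant."""
    findings = []
    for module, params in task.items():
        # Only ELB modules matter; other task keys (name, tags, ...) are skipped.
        if module not in ELB_MODULES or not isinstance(params, dict):
            continue
        name = task.get("name", params.get("name", "<unnamed>"))
        listeners = params.get("listeners")
        if not listeners:  # check 1: listeners property missing or empty
            findings.append(f"{name}: {module} has no listeners defined")
            continue
        for idx, listener in enumerate(listeners):
            policy = listener.get("SslPolicy") if isinstance(listener, dict) else None
            if policy is None:  # check 2: listener without SslPolicy
                findings.append(f"{name}: listener {idx} is missing SslPolicy")
            elif policy in INSECURE_POLICIES:  # check 3: legacy SSL/TLS policy
                findings.append(f"{name}: listener {idx} uses insecure SslPolicy {policy}")
    return findings


def check_playbook(tasks):
    """Run check_task over every task and return all findings in playbook order."""
    return [f for task in tasks for f in check_task(task)]


# Constructed sample tasks: one compliant, then each failure mode, then a non-ELB task.
SAMPLE_TASKS = [
    {"name": "elb1", "amazon.aws.elb_application_lb": {"name": "myelb1", "listeners": [
        {"Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2015-05"}]}},
    {"name": "elb2", "amazon.aws.elb_application_lb": {"name": "myelb2"}},
    {"name": "elb3", "community.aws.elb_network_lb": {"name": "myelb3", "listeners": [
        {"Protocol": "TLS", "Port": 443}]}},
    {"name": "elb4", "community.aws.elb_network_lb": {"name": "myelb4", "listeners": [
        {"Protocol": "TLS", "Port": 443, "SslPolicy": "Protocol-TLSv1.1"}]}},
    {"name": "web", "amazon.aws.ec2_instance": {"name": "box"}},
]

if __name__ == "__main__":
    for finding in check_playbook(SAMPLE_TASKS):
        print(finding)
```

Like the rule, the checker only tests membership in the legacy list, so a policy name that is misspelled or unknown passes; keep the deny list in sync with the rule text when reusing it.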
Compliant Code Examples

```yaml
# this code is a correct code for which the query should not find any result
- name: elb1
  amazon.aws.elb_application_lb:
    name: myelb1
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        SslPolicy: ELBSecurityPolicy-2015-05
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present
- name: elb2
  community.aws.elb_network_lb:
    name: myelb2
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        SslPolicy: ELBSecurityPolicy-2015-05
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present
```
Non-Compliant Code Examples
```yaml
# this is a problematic code where the query should report a result(s)
- name: elb1
  amazon.aws.elb_application_lb:
    name: myelb1
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    state: present
- name: elb2
  amazon.aws.elb_application_lb:
    name: myelb2
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present
- name: elb3
  amazon.aws.elb_application_lb:
    name: myelb3
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        SslPolicy: Protocol-SSLv2
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present
- name: elb4
  community.aws.elb_network_lb:
    name: myelb4
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    state: present
- name: elb5
  community.aws.elb_network_lb:
    name: myelb5
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present
- name: elb6
  community.aws.elb_network_lb:
    name: myelb6
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        SslPolicy: Protocol-TLSv1.1
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present
```
```yaml
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.
```