ELB listeners must specify a strong SSL/TLS policy because weak cipher suites can enable protocol downgrade, interception, or decryption of traffic between clients and the load balancer. For Ansible ELB Application and Network load balancer modules (amazon.aws.elb_application_lb, elb_application_lb, community.aws.elb_network_lb, elb_network_lb), the listeners list must be defined and each listener must include the SslPolicy property set to a non-weak policy.
Resources missing listeners or listener entries missing SslPolicy are flagged. Any SslPolicy that matches a known weak policy in your baseline should be replaced with an AWS-managed strong policy (for example, a TLS 1.2+ policy) or a custom policy that excludes weak ciphers.
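The check described above, as an added example (not Datadog's own rule implementation): a small checker that walks Ansible tasks, finds the four ELB module names listed above, and reports missing listeners, listeners without SslPolicy, and policies that match a weak-policy baseline. The task dicts and the weak-policy set are constructed for the example; the same dicts are what `yaml.safe_load` returns for a playbook's task list.

```python
from typing import Iterable

# Module names the rule applies to (taken from the rule description).
ELB_MODULES = {
    "amazon.aws.elb_application_lb", "elb_application_lb",
    "community.aws.elb_network_lb", "elb_network_lb",
}
# Constructed baseline of weak policy names; replace with your own baseline.
WEAK_POLICIES = {"DHE-DSS-DES-CBC3-SHA", "TLS_RSA_NULL_MD5"}


def check_task(task: dict) -> list:
    """Return findings for one Ansible task; an empty list means compliant."""
    findings = []
    for module in ELB_MODULES.intersection(task):
        params = task[module] or {}
        lb_name = params.get("name", "<unnamed>")
        listeners = params.get("listeners")
        if not listeners:
            findings.append(f"{lb_name}: no listeners defined")
            continue
        for i, listener in enumerate(listeners):
            policy = (listener or {}).get("SslPolicy")
            if policy is None:
                findings.append(f"{lb_name}: listener {i} missing SslPolicy")
            elif policy in WEAK_POLICIES:
                findings.append(f"{lb_name}: listener {i} uses weak SslPolicy {policy}")
    return findings


def check_tasks(tasks: Iterable[dict]) -> list:
    """Run check_task over every task in a play and flatten the findings."""
    return [f for task in tasks for f in check_task(task)]


# Constructed sample tasks mirroring the cases on this page.
SAMPLE_TASKS = [
    {"name": "elb1", "amazon.aws.elb_application_lb": {"name": "myelb1", "state": "present"}},
    {"name": "elb2", "amazon.aws.elb_application_lb": {"name": "myelb2",
        "listeners": [{"Protocol": "HTTP", "Port": 80}]}},
    {"name": "elb3", "community.aws.elb_network_lb": {"name": "myelb3",
        "listeners": [{"Protocol": "HTTPS", "Port": 443, "SslPolicy": "DHE-DSS-DES-CBC3-SHA"}]}},
    {"name": "ok", "amazon.aws.elb_application_lb": {"name": "my-alb",
        "listeners": [{"Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01"}]}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```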
Secure configuration example:
```yaml
- name: Create ALB with strong TLS policy
  amazon.aws.elb_application_lb:
    name: my-alb
    listeners:
      - Protocol: HTTPS
        Port: 443
        SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
        Certificates:
          - CertificateArn: arn:aws:acm:us-west-2:123456789012:certificate/abcd-1234
```
Compliant Code Examples
```yaml
# this code is a correct code for which the query should not find any result
- name: elb1
  amazon.aws.elb_application_lb:
    name: myelb1
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        SslPolicy: ELBSecurityPolicy-2015-05
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present

- name: elb2
  community.aws.elb_network_lb:
    name: myelb2
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        SslPolicy: ELBSecurityPolicy-2015-05
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present
```
Non-Compliant Code Examples
```yaml
# this is a problematic code where the query should report a result(s)
- name: elb1
  amazon.aws.elb_application_lb:
    name: myelb1
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    state: present

- name: elb2
  amazon.aws.elb_application_lb:
    name: myelb2
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present

- name: elb3
  amazon.aws.elb_application_lb:
    name: myelb3
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
        Port: 80 # Required. The port on which the load balancer is listening.
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        SslPolicy: DHE-DSS-DES-CBC3-SHA
        Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward # Required.
            TargetGroupName: # Required. The name of the target group
    state: present

- name: elb4
  community.aws.elb_network_lb:
    name: myelb4
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    state: present

- name: elb5
  community.aws.elb_network_lb:
    name: myelb5
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP
        Port: 80
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        Certificates:
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward
            TargetGroupName: target
    state: present

- name: elb6
  community.aws.elb_network_lb:
    name: myelb6
    security_groups:
      - sg-12345678
      - my-sec-group
    subnets:
      - subnet-012345678
      - subnet-abcdef000
    listeners:
      - Protocol: HTTP
        Port: 80
        # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
        SslPolicy: TLS_RSA_NULL_MD5
        Certificates:
          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
        DefaultActions:
          - Type: forward
            TargetGroupName: target
    state: present
```
```yaml
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.
```