lacework-global-184

Elastic Load Balancer (ELB) should not use insecure Ciphers

Description

Best practices recommend not using vulnerable SSL ciphers for communicating with an Elastic Load Balancer. A violation exists when using any of the following insecure ciphers for an HTTPS listener of an ELB:

EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-KRB5-DES-CBC-MD5
EXP-KRB5-DES-CBC-SHA
EXP-KRB5-RC2-CBC-MD5
EXP-KRB5-RC2-CBC-SHA
EXP-KRB5-RC4-MD5
EXP-KRB5-RC4-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
KRB5-DES-CBC3-MD5
KRB5-DES-CBC3-SHA
KRB5-DES-CBC-MD5
KRB5-DES-CBC-SHA
KRB5-RC4-MD5
KRB5-RC4-SHA
PSK-3DES-EDE-CBC-SHA
PSK-AES128-CBC-SHA
PSK-AES256-CBC-SHA
PSK-RC4-SHA
RC2-CBC-MD5
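The following is an added example of how the check above can be run locally against an ELB's SSL negotiation policies; it is not Lacework's own detection code. It assumes the JSON shape returned by `aws elb describe-load-balancer-policies --load-balancer-name <name>` (each SSL negotiation policy lists protocol and cipher attributes, with `AttributeValue` "true" for enabled ciphers). The policy names and attribute values in `SAMPLE_OUTPUT` are constructed for illustration.

```python
import json

# The cipher names this policy flags as insecure, taken from the list above.
INSECURE_CIPHERS = frozenset({
    "EXP-ADH-DES-CBC-SHA", "EXP-ADH-RC4-MD5", "EXP-DES-CBC-SHA",
    "EXP-EDH-DSS-DES-CBC-SHA", "EXP-EDH-RSA-DES-CBC-SHA",
    "EXP-KRB5-DES-CBC-MD5", "EXP-KRB5-DES-CBC-SHA", "EXP-KRB5-RC2-CBC-MD5",
    "EXP-KRB5-RC2-CBC-SHA", "EXP-KRB5-RC4-MD5", "EXP-KRB5-RC4-SHA",
    "EXP-RC2-CBC-MD5", "EXP-RC4-MD5",
    "KRB5-DES-CBC3-MD5", "KRB5-DES-CBC3-SHA", "KRB5-DES-CBC-MD5",
    "KRB5-DES-CBC-SHA", "KRB5-RC4-MD5", "KRB5-RC4-SHA",
    "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA",
    "PSK-RC4-SHA", "RC2-CBC-MD5",
})

# Constructed sample mirroring the shape of the
# `aws elb describe-load-balancer-policies` output (assumed shape; the
# policy names and enabled ciphers here are made up for the example).
SAMPLE_OUTPUT = json.dumps({
    "PolicyDescriptions": [
        {
            "PolicyName": "custom-legacy-policy",
            "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
                {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
                {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "true"},
                {"AttributeName": "KRB5-DES-CBC-SHA", "AttributeValue": "true"},
                {"AttributeName": "PSK-RC4-SHA", "AttributeValue": "false"},
            ],
        },
        {
            "PolicyName": "hardened-policy",
            "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
                {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
            ],
        },
        {
            # A non-SSL policy type; must be ignored by the check.
            "PolicyName": "stickiness-policy",
            "PolicyTypeName": "AppCookieStickinessPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "CookieName", "AttributeValue": "JSESSIONID"},
            ],
        },
    ]
})


def enabled_ciphers(policy):
    """Return the cipher attributes switched on in one SSL negotiation policy.

    Protocol toggles and the cipher-order flag are attributes too, so they
    are filtered out; only cipher names are returned."""
    return {
        attr["AttributeName"]
        for attr in policy.get("PolicyAttributeDescriptions", [])
        if attr.get("AttributeValue") == "true"
        and not attr["AttributeName"].startswith("Protocol-")
        and attr["AttributeName"] != "Server-Defined-Cipher-Order"
    }


def find_insecure_ciphers(describe_policies_json):
    """Map each SSL negotiation policy name to the sorted list of insecure
    ciphers it enables. Policies of other types are skipped; a policy with
    no insecure cipher maps to an empty list."""
    data = json.loads(describe_policies_json)
    findings = {}
    for policy in data.get("PolicyDescriptions", []):
        if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        findings[policy["PolicyName"]] = sorted(enabled_ciphers(policy) & INSECURE_CIPHERS)
    return findings


def violating_policies(describe_policies_json):
    """Names of the SSL negotiation policies that would trigger this violation."""
    return sorted(
        name for name, bad in find_insecure_ciphers(describe_policies_json).items() if bad
    )


if __name__ == "__main__":
    for name, bad in find_insecure_ciphers(SAMPLE_OUTPUT).items():
        print(f"{name}: {'VIOLATION ' + ', '.join(bad) if bad else 'ok'}")
```

Feed the real CLI output in place of `SAMPLE_OUTPUT` to see which of a load balancer's policies still enable one of the listed ciphers; a policy is only a finding when it is both of type `SSLNegotiationPolicyType` and attached to an HTTPS listener, so cross-check the policy names against the listener descriptions before remediating.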

Remediation

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2.

  4. In the left frame of the EC2 Dashboard, select Load Balancing > Load Balancers.

  5. Select the Load Balancer that has the violation reported by Lacework.

  6. At the bottom of the page, select the Listeners tab.

  7. For the HTTPS listener that triggered the violation, under Cipher, click Change.

  8. Select a Predefined Security Policy or a Custom Security Policy with no insecure SSL Ciphers.

  9. Click Save.