
lacework-global-224

Ensure Elastic Load Balancer V2 (ELBV2) has latest Secure Cipher policies Configured for Session Encryption

Description

Best practices recommend that the secure listeners on your Application and Network Load Balancers use one of the following AWS-managed security policies for session encryption. Each policy is a predefined bundle of the TLS protocol versions and cipher suites the listener will negotiate; the policy name, not an individual cipher, is what you configure:

ELBSecurityPolicy-2016-08

ELBSecurityPolicy-TLS-1-1-2017-01

ELBSecurityPolicy-TLS-1-2-2017-01

ELBSecurityPolicy-TLS-1-2-Ext-2018-06

ELBSecurityPolicy-FS-2018-06

ELBSecurityPolicy-FS-1-1-2019-08

ELBSecurityPolicy-FS-1-2-2019-08

ELBSecurityPolicy-FS-1-2-Res-2019-08

ELBSecurityPolicy-FS-1-2-Res-2020-10

ELBSecurityPolicy-TLS13-1-2-2021-06

ELBSecurityPolicy-TLS13-1-2-Res-2021-06

ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

A violation exists when an HTTPS listener (Application Load Balancer) or TLS listener (Network Load Balancer) is configured with a security policy that is not on this list. Note that ELBSecurityPolicy-2016-08 (the default) and ELBSecurityPolicy-FS-2018-06 still negotiate TLS 1.0 and 1.1, and the TLS-1-1 and FS-1-1 policies still negotiate TLS 1.1; they pass this check, but prefer a TLS-1-2 or TLS13 policy wherever your clients support it.

Remediation

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2.

  4. In the left navigation pane of the EC2 Dashboard, select Load Balancing > Load Balancers.

  5. Select the Load Balancer that has the violation reported by Lacework.

  6. At the bottom of the page, select the Listeners tab.

  7. Select the Listener you would like to edit.

  8. Click Edit.

  9. Set Protocol to HTTPS (Application Load Balancer) or TLS (Network Load Balancer). Only these listener types carry a security policy; HTTP, TCP and UDP listeners have nothing to configure here.

  10. Under Secure listener settings, expand the Security policy dropdown.

  11. Select one of the security policies listed in the Description above.

  12. Click Save changes.
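The console steps above fix one listener at a time. The following script is an added example, not code from the Lacework page or from AWS: it applies the same check to every listener in the JSON shape that `aws elbv2 describe-listeners` (and boto3's `describe_listeners`) returns, flags the policies that pass the check but still negotiate TLS 1.0 or 1.1, and builds the `aws elbv2 modify-listener` command that applies a compliant policy. The listener ARNs and the sample listener data are constructed so the script runs offline; the optional boto3 lookup is only used when you point it at a real load balancer.

```python
"""Audit ELBv2 listeners against the security policies allowed by lacework-global-224.

Added example; not part of the original page or of any AWS tooling. Works on the
dict shape returned by `aws elbv2 describe-listeners` so it can run on the
constructed sample below without AWS credentials.
"""
from __future__ import annotations

# Security policies the page accepts.
ALLOWED_POLICIES = frozenset({
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-2018-06",
    "ELBSecurityPolicy-FS-1-1-2019-08",
    "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
})

# Allowed policies that still negotiate pre-TLS-1.2 protocol versions (AWS policy
# tables). They pass the check but are worth a warning once clients allow TLS 1.2+.
LEGACY_TLS_ALLOWED = {
    "ELBSecurityPolicy-2016-08": "TLS 1.0/1.1",
    "ELBSecurityPolicy-FS-2018-06": "TLS 1.0/1.1",
    "ELBSecurityPolicy-TLS-1-1-2017-01": "TLS 1.1",
    "ELBSecurityPolicy-FS-1-1-2019-08": "TLS 1.1",
}

# Only HTTPS (ALB) and TLS (NLB) listeners carry a security policy.
SECURE_PROTOCOLS = frozenset({"HTTPS", "TLS"})

DEFAULT_TARGET_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"


def classify_listener(listener: dict) -> str:
    """Return 'not-applicable', 'violation', 'allowed-legacy-tls' or 'compliant'."""
    if listener.get("Protocol") not in SECURE_PROTOCOLS:
        return "not-applicable"
    policy = listener.get("SslPolicy")
    if policy not in ALLOWED_POLICIES:
        return "violation"
    if policy in LEGACY_TLS_ALLOWED:
        return "allowed-legacy-tls"
    return "compliant"


def audit_listeners(listeners: list[dict]) -> list[dict]:
    """One finding per listener that needs attention, in input order."""
    findings = []
    for listener in listeners:
        status = classify_listener(listener)
        if status in ("violation", "allowed-legacy-tls"):
            policy = listener.get("SslPolicy")
            findings.append({
                "ListenerArn": listener["ListenerArn"],
                "Protocol": listener["Protocol"],
                "SslPolicy": policy,
                "Status": status,
                "Note": LEGACY_TLS_ALLOWED.get(policy, "") if status == "allowed-legacy-tls" else "",
            })
    return findings


def remediation_command(listener_arn: str, policy: str = DEFAULT_TARGET_POLICY) -> str:
    """Build the CLI call that applies a compliant policy; refuse non-listed policies."""
    if policy not in ALLOWED_POLICIES:
        raise ValueError(f"{policy} is not an allowed security policy")
    return f"aws elbv2 modify-listener --listener-arn {listener_arn} --ssl-policy {policy}"


def live_listeners(load_balancer_arn: str) -> list[dict]:
    """Fetch real listeners with boto3 (imported here so the offline sample needs no AWS SDK)."""
    import boto3  # assumption: boto3 is installed and credentials are configured
    client = boto3.client("elbv2")
    return client.describe_listeners(LoadBalancerArn=load_balancer_arn)["Listeners"]


# Constructed sample in describe-listeners shape; ARNs and account ID are made up.
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/example-alb/50dc6c495c0c9188/f2f7dc8efc522ab2",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2015-05"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/example-alb/50dc6c495c0c9188/0a1b2c3d4e5f6a7b",
     "Protocol": "HTTP", "Port": 80},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/example-nlb/9f8e7d6c5b4a3210/1122334455667788",
     "Protocol": "TLS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/example-nlb/9f8e7d6c5b4a3210/99aabbccddeeff00",
     "Protocol": "TLS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
]

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTENERS):
        print(f"{finding['Status']:>19}  {finding['Protocol']:<5} {finding['SslPolicy']}  {finding['Note']}")
        if finding["Status"] == "violation":
            print("    " + remediation_command(finding["ListenerArn"]))
```

Run it as-is to see the two findings from the sample (one violation on the ALB HTTPS listener with the pre-2016 policy, one legacy-TLS warning on the NLB listener using the default policy) and the generated `modify-listener` command; swap `SAMPLE_LISTENERS` for `live_listeners("<your load balancer ARN>")` to audit a real load balancer. The default remediation target is the TLS 1.2/1.3-only policy; pass a different allowed policy if you must keep older clients working.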