lacework-global-184
Elastic Load Balancer (ELB) should not use insecure ciphers
Description
Best practices recommend not using vulnerable SSL/TLS ciphers for communicating with an Elastic Load Balancer. A violation is reported when an HTTPS listener of an ELB uses a security policy that enables any of the following insecure ciphers:
- EXP-ADH-DES-CBC-SHA
- EXP-ADH-RC4-MD5
- EXP-DES-CBC-SHA
- EXP-EDH-DSS-DES-CBC-SHA
- EXP-EDH-RSA-DES-CBC-SHA
- EXP-KRB5-DES-CBC-MD5
- EXP-KRB5-DES-CBC-SHA
- EXP-KRB5-RC2-CBC-MD5
- EXP-KRB5-RC2-CBC-SHA
- EXP-KRB5-RC4-MD5
- EXP-KRB5-RC4-SHA
- EXP-RC2-CBC-MD5
- EXP-RC4-MD5
- KRB5-DES-CBC3-MD5
- KRB5-DES-CBC3-SHA
- KRB5-DES-CBC-MD5
- KRB5-DES-CBC-SHA
- KRB5-RC4-MD5
- KRB5-RC4-SHA
- PSK-3DES-EDE-CBC-SHA
- PSK-AES128-CBC-SHA
- PSK-AES256-CBC-SHA
- PSK-RC4-SHA
- RC2-CBC-MD5
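The following check is an added example, not part of the Lacework policy or of AWS tooling. It evaluates the JSON that `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies` return for a Classic Load Balancer and reports listeners whose SSL negotiation policy enables any cipher on the list above; it also covers SSL (TLS over TCP) listeners, which negotiate with the same policy type. The sample API responses embedded below are constructed, not real account data.

```python
from typing import Dict, List, Tuple

# Cipher names taken from the policy description above.
INSECURE_CIPHERS = frozenset({
    "EXP-ADH-DES-CBC-SHA", "EXP-ADH-RC4-MD5", "EXP-DES-CBC-SHA", "EXP-EDH-DSS-DES-CBC-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA", "EXP-KRB5-DES-CBC-MD5", "EXP-KRB5-DES-CBC-SHA",
    "EXP-KRB5-RC2-CBC-MD5", "EXP-KRB5-RC2-CBC-SHA", "EXP-KRB5-RC4-MD5", "EXP-KRB5-RC4-SHA",
    "EXP-RC2-CBC-MD5", "EXP-RC4-MD5", "KRB5-DES-CBC3-MD5", "KRB5-DES-CBC3-SHA",
    "KRB5-DES-CBC-MD5", "KRB5-DES-CBC-SHA", "KRB5-RC4-MD5", "KRB5-RC4-SHA",
    "PSK-3DES-EDE-CBC-SHA", "PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA", "PSK-RC4-SHA", "RC2-CBC-MD5",
})


def enabled_insecure_ciphers(policy: Dict) -> List[str]:
    """Insecure ciphers enabled by one PolicyDescriptions entry (describe-load-balancer-policies).
    Each cipher is an attribute whose AttributeValue is the string "true" or "false"."""
    if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
        return []
    return sorted(a["AttributeName"] for a in policy.get("PolicyAttributeDescriptions", [])
                  if a["AttributeName"] in INSECURE_CIPHERS and a.get("AttributeValue") == "true")


def find_violations(lb: Dict, policies: List[Dict]) -> List[Tuple[int, str, List[str]]]:
    """(port, policy name, insecure ciphers) for each HTTPS/SSL listener of one
    LoadBalancerDescriptions entry (describe-load-balancers) that enables an insecure cipher."""
    by_name = {p["PolicyName"]: p for p in policies}
    violations = []
    for ld in lb.get("ListenerDescriptions", []):
        listener = ld["Listener"]
        if listener["Protocol"].upper() not in ("HTTPS", "SSL"):
            continue  # plain HTTP/TCP listeners do not negotiate TLS
        for name in ld.get("PolicyNames", []):
            bad = enabled_insecure_ciphers(by_name.get(name, {}))
            if bad:
                violations.append((listener["LoadBalancerPort"], name, bad))
    return violations


# Constructed sample API output (not real AWS data) so the check runs offline.
SAMPLE_LB = {"LoadBalancerName": "example-classic-elb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80}, "PolicyNames": []},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80},
     "PolicyNames": ["legacy-custom-policy"]}]}
SAMPLE_POLICIES = [{"PolicyName": "legacy-custom-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
        {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
        {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "true"},
        {"AttributeName": "PSK-RC4-SHA", "AttributeValue": "false"}]}]

if __name__ == "__main__":
    for port, name, ciphers in find_violations(SAMPLE_LB, SAMPLE_POLICIES):
        print(f"listener :{port} policy {name} enables insecure ciphers: {', '.join(ciphers)}")
```

To run it against a real account, feed it the `LoadBalancerDescriptions` and `PolicyDescriptions` arrays from the two CLI calls named above; a listener using one of the AWS predefined policies (for example one that enables only TLS 1.2 suites) produces no finding.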
Remediation
- Log in to the AWS Management Console.
- Click Services.
- Select Compute > EC2.
- In the left frame of the EC2 Dashboard, select Load Balancing > Load Balancers.
- Select the Load Balancer that has the violation reported by Lacework.
- At the bottom of the page, select the Listeners tab.
- For the HTTPS listener that triggered the violation, under Cipher, click Change.
- Select a Predefined Security Policy or a Custom Security Policy with no insecure SSL Ciphers.
- Click Save.