CIS Amazon Web Services Three Tier Web Architecture L2 1.0.0

Ensure App Tier ELB have the latest SSL Security Policies configured

Details

Elastic Load Balancing uses a Secure Sockets Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL/TLS connections between a client and the load balancer. A security policy is a combination of SSL/TLS protocols, ciphers, and the Server Order Preference option.

Elastic Load Balancing supports configuring your load balancer to use either predefined or custom security policies.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that are used to encrypt confidential data over insecure networks such as the Internet. The TLS protocol is a newer version of the SSL protocol. In the Elastic Load Balancing documentation, we refer to both SSL and TLS protocols as the SSL protocol.

* Note: An SSL certificate configured on the ELB and an SSL Security Policy are not mandatory if you terminate SSL connections directly on the App Tier EC2 instances and use a TCP listener on the ELB (TCP pass-through).

Using the latest ELB SSL Security Policy ensures that SSL/TLS connections are negotiated using only cryptographic protocols deemed safe, with no proven vulnerabilities.

Solution

Using the Amazon unified command line interface:

(Note that you should replace <app_tier_elb_name> with your App-tier ELB name, and <policy_name> with the proper policy name)

aws elb set-load-balancer-policies-of-listener --load-balancer-name <app_tier_elb_name> --load-balancer-port 443 --policy-names <policy_name>
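
To find which listeners still need the command above, this added example (not part of the CIS benchmark text) audits parsed output of aws elb describe-load-balancers and aws elb describe-load-balancer-policies, skipping TCP pass-through listeners. The ELB names, policy names and sample data are constructed, and EXPECTED is an assumption: set it to the policy your baseline treats as latest.

```python
EXPECTED = "ELBSecurityPolicy-TLS-1-2-2017-01"  # assumption: your baseline's "latest"

# Constructed sample shaped like `aws elb describe-load-balancers` output.
LBS = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "app-elb-old", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
         "PolicyNames": ["neg-old"]}]},
    {"LoadBalancerName": "app-elb-tcp", "ListenerDescriptions": [
        {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 443},
         "PolicyNames": []}]},
    {"LoadBalancerName": "app-elb-new", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
         "PolicyNames": ["neg-new"]}]},
]}

def _neg(name, ref):
    """Constructed SSLNegotiationPolicyType entry referencing predefined policy `ref`."""
    return {"PolicyName": name, "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": "Reference-Security-Policy", "AttributeValue": ref}]}

# Constructed `aws elb describe-load-balancer-policies` results, keyed by ELB name.
POLICIES = {
    "app-elb-old": {"PolicyDescriptions": [_neg("neg-old", "ELBSecurityPolicy-2016-08")]},
    "app-elb-new": {"PolicyDescriptions": [_neg("neg-new", EXPECTED)]},
}

def audit(lbs, policies_by_elb, expected=EXPECTED):
    """Return (elb, port, found) for each HTTPS/SSL listener not on `expected`."""
    findings = []
    for lb in lbs["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        described = {p["PolicyName"]: p for p in
                     policies_by_elb.get(name, {}).get("PolicyDescriptions", [])}
        for ld in lb["ListenerDescriptions"]:
            listener = ld["Listener"]
            if listener["Protocol"].upper() not in ("HTTPS", "SSL"):
                continue  # TCP pass-through: TLS terminates on the instances
            refs = []
            for pname in ld.get("PolicyNames", []):
                pol = described.get(pname, {})
                if pol.get("PolicyTypeName") != "SSLNegotiationPolicyType":
                    continue  # ignore non-SSL policies such as stickiness
                attrs = {a["AttributeName"]: a["AttributeValue"]
                         for a in pol.get("PolicyAttributeDescriptions", [])}
                refs.append(attrs.get("Reference-Security-Policy", "custom"))
            if refs != [expected]:
                findings.append((name, listener["LoadBalancerPort"], ",".join(refs) or "none"))
    return findings
```

A listener reported as "custom" has a negotiation policy with no predefined reference, and "none" means no SSL negotiation policy was found for it in the supplied data.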

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: amazon_aws.

Updated on July 16, 2022