ELB uses weak ciphers

ID

aws_elb_weak_ciphers

Severity

high

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

ELB uses weak ciphers. Remove insecure ciphers from your ELB predefined or custom security policy to reduce the risk of the SSL/TLS connection between the client and the load balancer being exploited.

To fix it, set listeners.SslPolicy to a security policy that does not include weak ciphers.

Learn more about this topic at AWS ELB SSL Policy.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - amazon.aws.elb_application_lb:
        access_logs_enabled: true
        access_logs_s3_bucket: mybucket
        access_logs_s3_prefix: "logs"
        name: myalb
        security_groups:
          - sg-12345678
          - my-sec-group
        subnets:
          - subnet-012345678
          - subnet-abcdef000
        listeners:
          - Protocol: HTTPS # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). SslPolicy and Certificates only apply to HTTPS listeners.
            Port: 443 # Required. The port on which the load balancer is listening.
            # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
            SslPolicy: ELBSecurityPolicy-DHE-DSS-AES128-SHA
            Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
              - CertificateArn: arn:aws:iam::123456789012:server-certificate/test.domain.com
            DefaultActions:
              - Type: forward # Required.
                TargetGroupName: mytargetgroup # Required. The name of the target group (placeholder name)
        state: present

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - amazon.aws.elb_application_lb:
        access_logs_enabled: true
        access_logs_s3_bucket: mybucket
        access_logs_s3_prefix: "logs"
        name: myalb
        security_groups:
          - sg-12345678
          - my-sec-group
        subnets:
          - subnet-012345678
          - subnet-abcdef000
        listeners:
          - Protocol: HTTPS # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). SslPolicy and Certificates only apply to HTTPS listeners.
            Port: 443 # Required. The port on which the load balancer is listening.
            # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
            SslPolicy: ELBSecurityPolicy-2015-05
            Certificates: # The ARN of the certificate (only one certificate ARN should be provided)
              - CertificateArn: arn:aws:iam::123456789012:server-certificate/test.domain.com
            DefaultActions:
              - Type: forward # Required.
                TargetGroupName: mytargetgroup # Required. The name of the target group (placeholder name)
        state: present
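The following is an added example of the aws_elb_weak_ciphers check applied to playbooks like the two above; it is not code from this rule page or from the amazon.aws Ansible collection. It walks Ansible task dicts, and for every amazon.aws.elb_application_lb call inspects each listener's SslPolicy. The allowlist of accepted policy names is an assumption for illustration (it includes ELBSecurityPolicy-2015-05 so the fixed playbook passes, plus stricter TLS 1.2-only and TLS 1.3 policies); the sample tasks, load balancer names and "edge-alb" are constructed. It also surfaces two cases the rule examples do not show: an SslPolicy on an HTTP listener, where no TLS policy is applied at all, and an HTTPS listener with no SslPolicy, where the AWS default silently applies.

```python
"""Flag ALB listeners whose SslPolicy is not an accepted TLS security policy.

Added example for the aws_elb_weak_ciphers rule; not code from the rule page
or from the amazon.aws Ansible collection. It works on task dicts of the shape
an Ansible playbook loads into (one key per module), so the constructed samples
below mirror the page's two playbooks without needing a YAML parser.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Assumed allowlist of AWS predefined ALB policy names. This is an example
# baseline, not an AWS-published "safe" list: the page's fixed playbook uses
# ELBSecurityPolicy-2015-05, so it is accepted here; the TLS-1-2 and TLS13
# entries only negotiate TLS 1.2 or later and are the usual pick for new work.
ACCEPTED_SSL_POLICIES = frozenset({
    "ELBSecurityPolicy-2015-05",
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
})

MODULE = "amazon.aws.elb_application_lb"


@dataclass(frozen=True)
class Finding:
    lb_name: str
    port: int
    level: str   # "fail": weak or unknown policy; "warn": configuration to review
    reason: str


def check_listeners(lb_name: str, listeners: List[Dict[str, Any]]) -> List[Finding]:
    """Apply the rule to one load balancer's listener list."""
    findings: List[Finding] = []
    for listener in listeners:
        protocol = str(listener.get("Protocol", "")).upper()
        port = int(listener.get("Port", 0))
        policy: Optional[str] = listener.get("SslPolicy")
        if protocol != "HTTPS":
            # SslPolicy only applies to HTTPS listeners; on HTTP it is a sign
            # the author meant to terminate TLS here and did not.
            if policy is not None:
                findings.append(Finding(lb_name, port, "warn",
                    f"SslPolicy {policy!r} is set on a {protocol} listener, so no TLS policy is applied"))
            continue
        if policy is None:
            # AWS falls back to its current default; pin it explicitly so the
            # policy is reviewed and versioned with the playbook.
            findings.append(Finding(lb_name, port, "warn",
                "HTTPS listener has no SslPolicy; the AWS default applies, set one explicitly"))
        elif policy not in ACCEPTED_SSL_POLICIES:
            findings.append(Finding(lb_name, port, "fail",
                f"SslPolicy {policy!r} is not an accepted security policy"))
    return findings


def check_tasks(tasks: List[Dict[str, Any]]) -> List[Finding]:
    """Walk Ansible task dicts and check every elb_application_lb module call."""
    findings: List[Finding] = []
    for task in tasks:
        params = task.get(MODULE)
        if isinstance(params, dict):
            findings.extend(check_listeners(params.get("name", "<unnamed>"),
                                            params.get("listeners") or []))
    return findings


# Constructed samples (placeholder names) mirroring the page's two playbooks,
# plus two edge cases the rule should surface.
WEAK_TASKS = [{MODULE: {"name": "myalb", "listeners": [
    {"Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-DHE-DSS-AES128-SHA"},
]}}]
FIXED_TASKS = [{MODULE: {"name": "myalb", "listeners": [
    {"Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2015-05"},
]}}]
EDGE_TASKS = [{MODULE: {"name": "edge-alb", "listeners": [
    {"Protocol": "HTTP", "Port": 80, "SslPolicy": "ELBSecurityPolicy-2016-08"},  # policy ignored on HTTP
    {"Protocol": "HTTPS", "Port": 8443},                                          # default policy applies
    {"Protocol": "HTTP", "Port": 8080},                                           # plain HTTP, nothing to check
]}}, {"debug": {"msg": "unrelated task, skipped"}}]

if __name__ == "__main__":
    for label, tasks in (("weak", WEAK_TASKS), ("fixed", FIXED_TASKS), ("edge", EDGE_TASKS)):
        findings = check_tasks(tasks)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  {f.level.upper()} {f.lb_name}:{f.port} {f.reason}")
```

Run it as a script to see the three sample playbooks classified; in a CI job you would load the real playbook with a YAML parser and pass its task list to check_tasks, failing the build on any "fail" finding and reviewing "warn" findings by hand. The same allowlist idea applies to live infrastructure: compare the SslPolicy of each HTTPS listener returned by the ELBv2 API against the baseline rather than trusting that the default is still acceptable.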