Upgrade TLS to the latest secure version in Application Load balancers

0

Hello, we have application load balancers that are currently using security policy ELBSecurityPolicy-2016-08. How do I make sure I use the right secure policy for the latest version? I have this table in AWS https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html showing different versions, but I am not sure what latest secure version to use as it is a bit confusing for me.

Many thanks in advance.

2 Answers
0

It all depends on what your security posture is with TLS versions and encryption ciphers. You can test your ALB using this website, which will give you a score based on your current configuration: https://www.ssllabs.com/ssltest/

NOTE: Tick "Do not show on public boards".

The higher the TLS version, the more secure. 1.2 and 1.3 are the main standards today. A lot of those ciphers are now weak and are seen as bad.

Personally I would be looking at ELBSecurityPolicy-FS-1-2-Res-2020-10 or ELBSecurityPolicy-TLS-1-2-2017-01 if you don’t need forward secrecy.

When you force a higher TLS version and remove supported ciphers, watch out for old browsers/operating systems and applications that have not been upgraded to support the newer ciphers etc. It's unlikely today, but they would experience TLS issues when connecting and will fail if they do not support the increased TLS settings.

Use SSL Labs to check the results after changing, but I personally would go for ELBSecurityPolicy-FS-1-2-Res-2020-10 if you NEED FS or TLS-1-2-2017-01 if not. You can also check here for details on ciphers: https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384/

Hope this helps

Expert
Answered 1 year ago
  • Hi Gary, thank you very much for the detailed information. This looks really good to me.

  • Any other questions, fire away. Be sure to accept the answer if satisfactory to help others and me. Thanks

0

I have upgraded TLS to the latest version ELBSecurityPolicy-FS-1-2-Res-2020-10 on AWS ALBs, but I'm not sure how to test the new version to ensure it has no impact on the clients?

Abdel
Answered 1 year ago
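The practical way to answer the "will this break any clients?" question raised above (and the warning in the first answer about old browsers and applications) is to look at what protocol versions and ciphers real clients negotiated before the policy change. ALB access logs record the negotiated `ssl_cipher` and `ssl_protocol` for every request, so a pass over the logs from the S3 bucket shows which client IPs would be rejected by a TLS 1.2-only policy such as ELBSecurityPolicy-FS-1-2-Res-2020-10 or ELBSecurityPolicy-TLS-1-2-2017-01 (neither accepts TLS 1.0 or 1.1). The script below is an added example, not code from the question or either answer; the log lines in it are constructed samples that follow the documented ALB access-log field layout, and the IPs, ARNs and hostnames in them are placeholders.

```python
import csv
from collections import Counter

# Constructed sample ALB access-log lines (not real traffic). The field order
# follows the documented ALB access-log format: the client:port is field 4,
# ssl_cipher is field 15 and ssl_protocol is field 16 (1-based). A plain-HTTP
# request logs "-" in both TLS fields.
SAMPLE_LOG = """\
https 2024-01-02T10:00:00.000000Z app/my-alb/0123456789abcdef 198.51.100.10:51234 10.0.0.1:80 0.001 0.010 0.000 200 200 100 500 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/tg/abc "Root=1-000" "www.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/cert-id" 1 2024-01-02T09:59:59.990000Z "forward" "-" "-" "10.0.0.1:80" "200" "-" "-"
https 2024-01-02T10:00:01.000000Z app/my-alb/0123456789abcdef 198.51.100.20:40210 10.0.0.1:80 0.001 0.010 0.000 200 200 100 500 "GET https://www.example.com:443/ HTTP/1.1" "LegacyAgent/1.0" ECDHE-RSA-AES128-SHA TLSv1 arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/tg/abc "Root=1-001" "www.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/cert-id" 1 2024-01-02T10:00:00.990000Z "forward" "-" "-" "10.0.0.1:80" "200" "-" "-"
https 2024-01-02T10:00:02.000000Z app/my-alb/0123456789abcdef 198.51.100.30:50111 10.0.0.1:80 0.001 0.010 0.000 200 200 100 500 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" TLS_AES_128_GCM_SHA256 TLSv1.3 arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/tg/abc "Root=1-002" "www.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/cert-id" 1 2024-01-02T10:00:01.990000Z "forward" "-" "-" "10.0.0.1:80" "200" "-" "-"
http 2024-01-02T10:00:03.000000Z app/my-alb/0123456789abcdef 198.51.100.40:33333 10.0.0.1:80 0.001 0.010 0.000 301 - 100 0 "GET http://www.example.com:80/ HTTP/1.1" "curl/8.0" - - arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/tg/abc "Root=1-003" "www.example.com" "-" 1 2024-01-02T10:00:02.990000Z "redirect" "https://www.example.com:443/" "-" "-" "-" "-" "-"
https 2024-01-02T10:00:04.000000Z app/my-alb/0123456789abcdef 198.51.100.20:40211 10.0.0.1:80 0.001 0.010 0.000 200 200 100 500 "GET https://www.example.com:443/ HTTP/1.1" "LegacyAgent/1.0" ECDHE-RSA-AES256-SHA TLSv1.1 arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/tg/abc "Root=1-004" "www.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/cert-id" 1 2024-01-02T10:00:03.990000Z "forward" "-" "-" "10.0.0.1:80" "200" "-" "-"
"""

CLIENT_INDEX = 3        # 0-based index of the client:port field
SSL_CIPHER_INDEX = 14   # 0-based index of ssl_cipher
SSL_PROTOCOL_INDEX = 15 # 0-based index of ssl_protocol

# Protocol versions that the TLS 1.2-only ALB policies named in the thread
# (ELBSecurityPolicy-FS-1-2-Res-2020-10, ELBSecurityPolicy-TLS-1-2-2017-01)
# no longer negotiate. Clients seen only on these versions will fail to connect.
LEGACY_PROTOCOLS = frozenset({"TLSv1", "TLSv1.1"})


def split_fields(line):
    """Split one access-log line on spaces while honouring the double-quoted
    fields (request line, user agent, ARNs) that may themselves contain spaces."""
    return next(csv.reader([line], delimiter=" ", quotechar='"'))


def parse_tls_fields(line):
    """Return (client_ip, cipher, protocol) for a TLS request, or None for a
    non-TLS request or a line too short to carry the TLS fields."""
    fields = split_fields(line)
    if len(fields) <= SSL_PROTOCOL_INDEX:
        return None
    cipher, protocol = fields[SSL_CIPHER_INDEX], fields[SSL_PROTOCOL_INDEX]
    if protocol == "-":
        return None
    client_ip = fields[CLIENT_INDEX].rsplit(":", 1)[0]
    return client_ip, cipher, protocol


def summarize(log_text, legacy_protocols=LEGACY_PROTOCOLS):
    """Tally negotiated protocols and ciphers and list the clients that would be
    rejected once only TLS 1.2+ is accepted."""
    protocols, ciphers = Counter(), Counter()
    affected_clients = {}
    for line in log_text.splitlines():
        parsed = parse_tls_fields(line) if line.strip() else None
        if parsed is None:
            continue
        client_ip, cipher, protocol = parsed
        protocols[protocol] += 1
        ciphers[cipher] += 1
        if protocol in legacy_protocols:
            affected_clients.setdefault(client_ip, set()).add(protocol)
    tls_total = sum(protocols.values())
    legacy_total = sum(n for p, n in protocols.items() if p in legacy_protocols)
    return {
        "protocols": protocols,
        "ciphers": ciphers,
        "affected_clients": affected_clients,
        "legacy_share": legacy_total / tls_total if tls_total else 0.0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("protocols:", dict(report["protocols"]))
    print("ciphers:", dict(report["ciphers"]))
    print(f"legacy share: {report['legacy_share']:.0%}")
    for ip, versions in sorted(report["affected_clients"].items()):
        print(f"would be rejected by a TLS 1.2-only policy: {ip} ({', '.join(sorted(versions))})")
```

Run it over a few days of real log files (gzip-decompressed from the ALB's access-log bucket) rather than the constructed sample, and treat any non-zero `legacy_share` as a list of clients to chase before flipping the policy. After the change, the SSL Labs scan the first answer recommends confirms the negotiated versions from the outside; a quicker local check is `openssl s_client -connect <your-alb-host>:443 -tls1_1`, which should now fail the handshake while `-tls1_2` succeeds.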
