Custom security policies for AWS ALB?

0

Are custom security policies available for AWS ALB?

ELBSecurityPolicy-FS-1-2-Res-2019-08 is the most restrictive security policy so far.

However, SSL scanners are complaining about CBC ciphers:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

asked 3 years ago · 5993 views
8 Answers
0

Hi there!

Thank you for posting your question of concern here.

Application Load Balancers do not support custom security policies. Elastic Load Balancing provides the following security policies for Application Load Balancers:
• ELBSecurityPolicy-2016-08 (default)
• ELBSecurityPolicy-TLS-1-0-2015-04
• ELBSecurityPolicy-TLS-1-1-2017-01
• ELBSecurityPolicy-TLS-1-2-2017-01
• ELBSecurityPolicy-TLS-1-2-Ext-2018-06
• ELBSecurityPolicy-FS-2018-06
• ELBSecurityPolicy-FS-1-1-2019-08
• ELBSecurityPolicy-FS-1-2-2019-08
• ELBSecurityPolicy-FS-1-2-Res-2019-08
• ELBSecurityPolicy-2015-05 (identical to ELBSecurityPolicy-2016-08)

Use the following link to the AWS Documentation for reference, and also to configure them:
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

You can alternatively use Classic Load Balancers, where you can use either predefined or custom security policies; for reference you can use this link:
[2] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html

Hope this will answer your question of concern.

Thank you
TL

answered 3 years ago
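The question's scanner output and the answer's list of predefined policies raise the same practical problem: given a policy name, how do you tell whether it still negotiates the CBC suites the scanner flags? The script below is an added example, not code from this thread or from AWS. It parses JSON in the shape that `aws elbv2 describe-ssl-policies` returns (an `SslPolicies` array whose entries carry `Name`, `SslProtocols` and a prioritised `Ciphers` list), flags CBC suites in both the OpenSSL-style names AWS uses and the IANA-style names the scanner prints, and extracts the `WEAK` findings from scanner lines in the format quoted in the question. The embedded policy JSON and scanner lines are constructed sample data, not AWS's real cipher tables; the rule that an OpenSSL-style suite name without a GCM/CHACHA20/CCM marker is a CBC suite is an assumption that holds for the AES suites discussed here.

```python
import json
import re
from typing import List, Tuple

# Constructed sample in the shape returned by
#   aws elbv2 describe-ssl-policies --names <policy-name>
# Cipher lists are illustrative (assumption), not copied from AWS documentation.
SAMPLE_DESCRIBE_SSL_POLICIES = json.dumps({
    "SslPolicies": [
        {
            "Name": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
            "SslProtocols": ["TLSv1.2"],
            "Ciphers": [
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                {"Name": "ECDHE-ECDSA-AES128-SHA256", "Priority": 3},
                {"Name": "ECDHE-RSA-AES128-SHA256", "Priority": 4},
                {"Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Priority": 5},
                {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 6},
                {"Name": "ECDHE-ECDSA-AES256-SHA384", "Priority": 7},
                {"Name": "ECDHE-RSA-AES256-SHA384", "Priority": 8},
            ],
        },
        {
            "Name": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
            "SslProtocols": ["TLSv1.2"],
            "Ciphers": [
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                {"Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Priority": 3},
                {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 4},
            ],
        },
    ]
})

# Constructed scanner lines in the layout quoted in the question (hex ids are
# the IANA code points for these suites; the "eq. RSA" column is illustrative).
SAMPLE_SCANNER_OUTPUT = """\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
"""


def is_cbc_cipher(name: str) -> bool:
    """True for a CBC-mode suite in either naming convention.

    IANA names say "_CBC_" explicitly. OpenSSL-style names (what AWS lists)
    omit the mode for CBC, so a suite with no AEAD marker is treated as CBC
    (assumption: valid for the AES suites in ALB policies).
    """
    upper = name.upper()
    if "_CBC_" in upper:
        return True
    return not any(tag in upper for tag in ("GCM", "CHACHA20", "CCM"))


def cbc_ciphers_in_policy(describe_output: str, policy_name: str) -> List[str]:
    """CBC suites a named policy still offers, in the policy's priority order."""
    data = json.loads(describe_output)
    for policy in data["SslPolicies"]:
        if policy["Name"] == policy_name:
            ordered = sorted(policy["Ciphers"], key=lambda c: c["Priority"])
            return [c["Name"] for c in ordered if is_cbc_cipher(c["Name"])]
    raise KeyError(f"policy {policy_name!r} not present in describe-ssl-policies output")


def policies_without_cbc(describe_output: str) -> List[str]:
    """Names of policies whose cipher list contains no CBC suite at all."""
    data = json.loads(describe_output)
    return [p["Name"] for p in data["SslPolicies"]
            if not any(is_cbc_cipher(c["Name"]) for c in p["Ciphers"])]


# One scanner line: "<IANA suite name> (<hex id>) ... WEAK ..."
_SCANNER_LINE = re.compile(r"^(TLS_\S+)\s+\((0x[0-9a-fA-F]{4})\).*\bWEAK\b")


def weak_scanner_findings(scanner_text: str) -> List[Tuple[str, str]]:
    """(suite, hex id) for each line the scanner marks WEAK; other lines are ignored."""
    findings = []
    for line in scanner_text.splitlines():
        match = _SCANNER_LINE.match(line.strip())
        if match:
            findings.append((match.group(1), match.group(2)))
    return findings


if __name__ == "__main__":
    for suite, hex_id in weak_scanner_findings(SAMPLE_SCANNER_OUTPUT):
        print(f"scanner flags {suite} ({hex_id}); CBC: {is_cbc_cipher(suite)}")
    for name in ("ELBSecurityPolicy-FS-1-2-Res-2019-08", "ELBSecurityPolicy-FS-1-2-Res-2020-10"):
        print(name, "CBC suites:", cbc_ciphers_in_policy(SAMPLE_DESCRIBE_SSL_POLICIES, name) or "none")
    print("CBC-free policies:", policies_without_cbc(SAMPLE_DESCRIBE_SSL_POLICIES))
```

To run this against real data, pipe the output of `aws elbv2 describe-ssl-policies` (optionally with `--names`) into `cbc_ciphers_in_policy`; once a CBC-free policy is chosen, it is applied with `aws elbv2 modify-listener --listener-arn <listener-arn> --ssl-policy <policy-name>`, and a re-scan confirms the `WEAK` lines are gone. A policy that is CBC-free is still worth checking for the 128-bit GCM suite later posts in this thread complain about, which this script deliberately does not classify as weak.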
0

hmmm....

None of those predefined security policies block/deny these ciphers:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

answered 3 years ago
0

Hi there!

Thank you once again for further engagement, your concerns and questions are very important.

And to your question I can say yes, but in the predefined security policies, if you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified here to negotiate connections between the client and load balancer. This ensures that the load balancer determines which cipher is used for the SSL connection. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

For the predefined SSL security policies, take a look at this document for reference and see their enabled SSL protocols and SSL ciphers:
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

Thanks once again
TL

answered 3 years ago
0

Are there any plans to add another security policy to AWS ALB that will block the ciphers below?:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

answered 3 years ago
0

Hello. We recently released this security policy: ELBSecurityPolicy-FS-1-2-Res-2020-10.

Julie

AWS
answered 3 years ago
0

Yes, this is what I needed.

Thank you!

answered 3 years ago
0

Even this has 1 weak cipher (128 bits) enabled..
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

answered 3 years ago
