Custom security policies for AWS ALB?

0

Are custom security policies available for AWS ALB?

ELBSecurityPolicy-FS-1-2-Res-2019-08 is the most restrictive security policy so far.

However, SSL scanners are complaining about CBC ciphers:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

asked 3 years ago · 5883 views
8 Answers
0

Hi there!

Thank you for posting your question of concern here.

Application Load Balancers do not support custom security policies. Elastic Load Balancing provides the following security policies for Application Load Balancers:
• ELBSecurityPolicy-2016-08 (default)
• ELBSecurityPolicy-TLS-1-0-2015-04
• ELBSecurityPolicy-TLS-1-1-2017-01
• ELBSecurityPolicy-TLS-1-2-2017-01
• ELBSecurityPolicy-TLS-1-2-Ext-2018-06
• ELBSecurityPolicy-FS-2018-06
• ELBSecurityPolicy-FS-1-1-2019-08
• ELBSecurityPolicy-FS-1-2-2019-08
• ELBSecurityPolicy-FS-1-2-Res-2019-08
• ELBSecurityPolicy-2015-05 (identical to ELBSecurityPolicy-2016-08)

Use the following link to the AWS documentation for reference, and also to configure them:
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

You can alternatively use Classic Load Balancers, where you can use either predefined or custom security policies; for reference you can use this link:
[2] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html

Hope this will answer your question of concern.

Thank you
TL

answered 3 years ago
0

hmmm....

None of those predefined security policies block/deny these ciphers:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

answered 3 years ago
0

Hi there!

Thank you once again for further engagement, your concerns and questions are very important.

And to your question I can say yes, but in the predefined security policies, if you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified there to negotiate connections between the client and load balancer. This ensures that the load balancer determines which cipher is used for the SSL connection. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

For the predefined SSL security policies, take a look at this document for reference and see their enabled SSL protocols and SSL ciphers.
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

Thanks once again
TL

answered 3 years ago
0

Are there any plans to add another security policy to AWS ALB that will block the ciphers below?:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

answered 3 years ago
0

Hello. We recently released this security policy: ELBSecurityPolicy-FS-1-2-Res-2020-10.

Julie

AWS
answered 3 years ago
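The thread turns on a naming mismatch: the scanner reports IANA suite names such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, while the ALB policy table and `aws elbv2 describe-ssl-policies` use OpenSSL-style names such as ECDHE-RSA-AES128-SHA256, where "CBC" is simply absent. The script below is an added example, not code from the thread or from AWS: it takes the JSON that `aws elbv2 describe-ssl-policies --names ... ` prints, translates each AES suite to its IANA name, and reports which policies still offer CBC suites (and, optionally, AES-128 suites, which the last reply's scanner also flagged). The embedded sample is constructed for the example and abbreviates the real policy contents; the listener ARN in the usage note is a placeholder.

```python
"""Flag CBC (and optionally AES-128) suites in ALB predefined SSL policies.

Added example, not from the original thread. Feed it the output of
`aws elbv2 describe-ssl-policies ... --output json` on stdin with "-" as the
only argument; without arguments it runs on the constructed sample below.
"""
import json
import re
import sys

# Constructed sample in the shape of `aws elbv2 describe-ssl-policies` output.
# Suite lists are illustrative and abbreviated; check against your own account.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SslPolicies": [
        {
            "Name": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
            "SslProtocols": ["TLSv1.2"],
            "Ciphers": [
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                {"Name": "ECDHE-ECDSA-AES128-SHA256", "Priority": 3},
                {"Name": "ECDHE-RSA-AES128-SHA256", "Priority": 4},
                {"Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Priority": 5},
                {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 6},
                {"Name": "ECDHE-ECDSA-AES256-SHA384", "Priority": 7},
                {"Name": "ECDHE-RSA-AES256-SHA384", "Priority": 8},
            ],
        },
        {
            "Name": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
            "SslProtocols": ["TLSv1.2"],
            "Ciphers": [
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                {"Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Priority": 3},
                {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 4},
            ],
        },
    ]
})

# OpenSSL-style AES suite names: optional (EC)DHE key exchange + auth, then
# AES key size, optional GCM marker, and the MAC/PRF hash.
_OPENSSL_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?P<auth>RSA|ECDSA)-)?"
    r"AES(?P<bits>128|256)-(?P<mode>GCM-)?(?P<mac>SHA|SHA256|SHA384)$"
)


def openssl_to_iana(name):
    """Map an OpenSSL AES suite name to its IANA name, or None if unknown.

    OpenSSL names omit the mode for CBC, so "no GCM" means CBC here.
    """
    m = _OPENSSL_RE.match(name)
    if not m:
        return None  # e.g. CHACHA20 suites: not an AES suite we rename
    kx = f"{m['kx']}_{m['auth']}" if m["kx"] else "RSA"  # plain RSA key exchange
    mode = "GCM" if m["mode"] else "CBC"
    return f"TLS_{kx}_WITH_AES_{m['bits']}_{mode}_{m['mac']}"


def audit_policies(describe_json, flag_aes128=False):
    """Return {policy_name: [IANA names of flagged suites]} for each policy.

    CBC suites are always flagged; AES-128 suites are flagged too when
    flag_aes128 is set, matching the scanner that objected to AES128-GCM.
    """
    findings = {}
    for policy in json.loads(describe_json)["SslPolicies"]:
        flagged = []
        for cipher in sorted(policy["Ciphers"], key=lambda c: c["Priority"]):
            name = cipher["Name"]
            is_cbc = "GCM" not in name and "CHACHA20" not in name
            is_128 = "AES128" in name
            if is_cbc or (flag_aes128 and is_128):
                flagged.append(openssl_to_iana(name) or name)
        findings[policy["Name"]] = flagged
    return findings


def clean_policies(describe_json, flag_aes128=False):
    """Names of policies with nothing flagged, in the order AWS returned them."""
    return [n for n, f in audit_policies(describe_json, flag_aes128).items() if not f]


def modify_listener_command(listener_arn, policy_name):
    """The CLI call that switches a listener to the chosen policy."""
    return (f"aws elbv2 modify-listener --listener-arn {listener_arn} "
            f"--ssl-policy {policy_name}")


if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DESCRIBE_OUTPUT
    for name, flagged in audit_policies(data).items():
        print(f"{name}: {'no CBC suites' if not flagged else ', '.join(flagged)}")
```

Against real data: `aws elbv2 describe-ssl-policies --output json | python3 audit_ssl_policies.py -` lists every policy and the CBC suites it still offers; `clean_policies(..., flag_aes128=True)` shows why the AES-128 complaint cannot be satisfied by any predefined policy, since even the 2020-10 policy keeps ECDHE-RSA-AES128-GCM-SHA256. Once a policy is chosen, `modify_listener_command("arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/NAME/ID/ID", "ELBSecurityPolicy-FS-1-2-Res-2020-10")` is the call to apply it (placeholder ARN).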
0

Yes, this is what I needed.

Thank you!

answered 3 years ago
0

Even this has 1 weak cipher (128 bits) enabled..
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

answered 3 years ago
