Custom security policies for AWS ALB?

0

Are custom security policies available for AWS ALB?

ELBSecurityPolicy-FS-1-2-Res-2019-08 is the most restrictive security policy so far.

However, SSL scanners are complaining about CBC ciphers:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

Asked 3 years ago, viewed 5977 times
8 answers
0

Hi there!

Thank you for posting your question of concern here.

Application Load Balancers do not support custom security policies. Elastic Load Balancing provides the following security policies for Application Load Balancers:
• ELBSecurityPolicy-2016-08 (default)
• ELBSecurityPolicy-TLS-1-0-2015-04
• ELBSecurityPolicy-TLS-1-1-2017-01
• ELBSecurityPolicy-TLS-1-2-2017-01
• ELBSecurityPolicy-TLS-1-2-Ext-2018-06
• ELBSecurityPolicy-FS-2018-06
• ELBSecurityPolicy-FS-1-1-2019-08
• ELBSecurityPolicy-FS-1-2-2019-08
• ELBSecurityPolicy-FS-1-2-Res-2019-08
• ELBSecurityPolicy-2015-05 (identical to ELBSecurityPolicy-2016-08)

Use the following link to the AWS documentation for reference and to configure them:
[1]https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

You can alternatively use Classic Load Balancers where you can use either predefined or custom security policies, and for reference you can use this link.
[2]https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html

Hope this answers your question of concern.

Thank you
TL

Answered 3 years ago
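Added example (not part of the original thread and not AWS tooling): a Python script that reads the output of `aws elbv2 describe-ssl-policies`, translates the OpenSSL-style cipher names the policies use into the IANA names that SSL scanners print, and lists which CBC suites a policy still offers. The embedded JSON is a constructed sample in the shape of that command's output, filled with the cipher list the AWS documentation publishes for ELBSecurityPolicy-FS-1-2-Res-2019-08; it is not captured API output. The `fetch_policy` helper is the live path (boto3 plus AWS credentials) and is only used when a policy name is passed on the command line.

```python
import json
import re
import sys

# Constructed sample in the shape of `aws elbv2 describe-ssl-policies --names <policy>` output,
# filled with the cipher list the AWS docs publish for ELBSecurityPolicy-FS-1-2-Res-2019-08
# (TLS 1.2 only, ECDHE AES-GCM and AES-CBC suites). It is not captured API output.
SAMPLE_DESCRIBE_SSL_POLICIES = json.dumps({
    "SslPolicies": [{
        "Name": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
        "SslProtocols": ["TLSv1.2"],
        "Ciphers": [
            {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
            {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
            {"Name": "ECDHE-ECDSA-AES128-SHA256", "Priority": 3},
            {"Name": "ECDHE-RSA-AES128-SHA256", "Priority": 4},
            {"Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Priority": 5},
            {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 6},
            {"Name": "ECDHE-ECDSA-AES256-SHA384", "Priority": 7},
            {"Name": "ECDHE-RSA-AES256-SHA384", "Priority": 8},
        ],
    }]
})

# OpenSSL-style AES suite names: optional key-exchange/auth prefix, key size, optional GCM, MAC.
# OpenSSL leaves the mode out of CBC suite names, which is why "ECDHE-RSA-AES256-SHA384" looks
# harmless until you translate it to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.
_AES_SUITE = re.compile(r"^(?:(ECDHE|DHE)-(RSA|ECDSA|DSS)-)?AES(128|256)-(GCM-)?(SHA\d*)$")


def openssl_to_iana(name: str):
    """Translate an OpenSSL AES suite name to the IANA name scanners print, or None."""
    m = _AES_SUITE.match(name)
    if not m:
        return None  # CHACHA20, RC4, 3DES and other families are not mapped here
    kx, auth, bits, gcm, mac = m.groups()
    kx_auth = f"{kx}_{auth}" if kx else "RSA"  # no prefix means plain RSA key exchange
    mode = "GCM" if gcm else "CBC"
    return f"TLS_{kx_auth}_WITH_AES_{bits}_{mode}_{mac}"


def audit_policy(describe_output: str) -> dict:
    """Split each policy's ciphers (in server preference order) into CBC, AEAD and unmapped."""
    report = {}
    for policy in json.loads(describe_output)["SslPolicies"]:
        entry = {"protocols": policy["SslProtocols"], "cbc": [], "aead": [], "unmapped": []}
        for cipher in sorted(policy["Ciphers"], key=lambda c: c.get("Priority", 0)):
            iana = openssl_to_iana(cipher["Name"])
            if iana is None:
                entry["unmapped"].append(cipher["Name"])
            elif "_CBC_" in iana:
                entry["cbc"].append(iana)
            else:
                entry["aead"].append(iana)
        report[policy["Name"]] = entry
    return report


def fetch_policy(name: str) -> str:
    """Live path: read the policy definition from the API (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline sample works without boto3 installed
    resp = boto3.client("elbv2").describe_ssl_policies(Names=[name])
    return json.dumps({"SslPolicies": resp["SslPolicies"]})


if __name__ == "__main__":
    raw = fetch_policy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_SSL_POLICIES
    for policy_name, entry in audit_policy(raw).items():
        print(f"{policy_name} protocols={entry['protocols']}")
        for iana in entry["cbc"]:
            print(f"  CBC (scanners flag as WEAK): {iana}")
        for iana in entry["aead"]:
            print(f"  AEAD: {iana}")
        for raw_name in entry["unmapped"]:
            print(f"  unmapped: {raw_name}")
```

Run it with no arguments to audit the embedded sample, or pass a policy name to audit the live definition. A policy whose `cbc` list comes back empty is what the scanner in the question is asking for; the `unmapped` list is there so a suite family the mapper does not know is never silently counted as safe.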
0

hmmm....

None of those predefined security policies block/deny these ciphers:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

Answered 3 years ago
0

Hi there!

Thank you once again for further engagement, your concerns and questions are very important.

And to your question I can say yes, but in the predefined security policies, if you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified here to negotiate connections between the client and load balancer. This ensures that the load balancer determines which cipher is used for the SSL connection. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

For the predefined SSL security policies, take a look at this document for reference and see their enabled SSL protocols and SSL ciphers.
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html

Thanks once again
TL

Answered 3 years ago
0

Are there any plans to add another security policy to AWS ALB that will block the ciphers below?:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256

Answered 3 years ago
0

Hello. We recently released this security policy: ELBSecurityPolicy-FS-1-2-Res-2020-10.

Julie

AWS
Answered 3 years ago
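Added example (not from the thread and not from AWS): a black-box check in Python that does what the SSL scanner in the question does for the suites discussed here. It offers the listener one TLS 1.2 cipher suite per handshake and records which ones the load balancer accepts, so you can confirm what a listener actually negotiates after switching it to a new policy rather than trusting the policy name. The `CANDIDATES` list is an assumption about what is worth probing (the ECDHE GCM and CBC suites from the thread plus their plain-RSA counterparts); the target host is taken from the command line and nothing in the script assumes a particular policy.

```python
import socket
import ssl
import sys

# Assumed probe list in OpenSSL notation: the ECDHE AES-GCM and AES-CBC suites from the thread,
# plus the plain-RSA key-exchange variants older ALB policies offer. Extend as needed.
CANDIDATES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-SHA256",
    "AES256-SHA256",
]


def is_cbc(openssl_name: str) -> bool:
    """OpenSSL omits the mode for CBC suites, so anything that is not an AEAD suite is CBC here."""
    return "-GCM-" not in openssl_name and "CHACHA20" not in openssl_name


def probe_cipher(host: str, port: int, cipher: str, timeout: float = 5.0):
    """One TLS 1.2 handshake offering only `cipher`. True/False if the server accepts/rejects
    it, None if the local OpenSSL build cannot offer that suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we are testing cipher acceptance, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3 suites
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except (ssl.SSLError, OSError):
        return False  # handshake alert (no shared cipher) or connection failure


def probe(host: str, port: int = 443) -> dict:
    """Probe every candidate suite against host:port."""
    return {cipher: probe_cipher(host, port, cipher) for cipher in CANDIDATES}


def report(results: dict) -> dict:
    """Group probe outcomes. Accepted CBC suites are what the scanner reports as WEAK."""
    out = {"aead": [], "cbc": [], "rejected": [], "untestable": []}
    for cipher, outcome in results.items():
        if outcome is None:
            out["untestable"].append(cipher)
        elif not outcome:
            out["rejected"].append(cipher)
        elif is_cbc(cipher):
            out["cbc"].append(cipher)
        else:
            out["aead"].append(cipher)
    return out


if __name__ == "__main__":
    target = sys.argv[1]  # e.g. the ALB's DNS name
    summary = report(probe(target))
    for key in ("aead", "cbc", "rejected", "untestable"):
        print(f"{key}: {', '.join(summary[key]) or '-'}")
```

Probing one suite per handshake is what makes the result trustworthy: a single handshake offering the whole list only tells you the server's first preference, not everything it will still accept. An `untestable` entry means the client-side OpenSSL build lacks that suite, not that the server rejected it.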
0

Yes, this is what I needed.

Thank you!

Answered 3 years ago
0

Even this has 1 weak cipher (128 bits) enabled:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

Answered 3 years ago
