AWS Config Rule: ELB Predefined Security Policy SSL Check

ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK

Ryan Ware

Last Update 9 months ago

Description: Checks whether your Classic Load Balancer SSL listeners are using a predefined policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), Europe (Spain) and Europe (Zurich) Regions


How to Resolve Manually

This AWS Config Rule checks whether the SSL listener of your Classic Load Balancer uses a specific predefined security policy. For this configuration, we pass the parameter "ELBSecurityPolicy-TLS-1-2-2017-01", which means any CLB whose SSL listener has this predefined security policy applied is marked COMPLIANT. Any other configuration that uses a less secure predefined security policy is marked NON-COMPLIANT.


To check this and resolve it for your Classic Load Balancer, first open the EC2 Dashboard and select Load Balancers.


From here, choose the Classic Load Balancer you want to resolve. Under Security Settings you will see an option to select one of the many predefined security policies AWS offers. Choose the one selected in the image (ELBSecurityPolicy-TLS-1-2-2017-01) to be compliant with this particular configuration of the AWS Config Rule.

ELBSecurityPolicy-TLS-1-2-2017-01 is the most secure predefined policy at the time of writing, as it rejects TLS 1.0 and TLS 1.1.
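If you would rather audit many load balancers from the command line than click through each one, the check the rule performs can be reproduced from `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies` output. The script below is an added example, not StackZone's or AWS's code; it assumes the trimmed output shape shown in the constructed samples and that a predefined policy chosen in the console appears as an SSL negotiation policy whose `Reference-Security-Policy` attribute names it.

```python
import json

REQUIRED_POLICY = "ELBSecurityPolicy-TLS-1-2-2017-01"  # the rule parameter used in the article
SSL_PROTOCOLS = {"SSL", "HTTPS"}  # only these listener protocols carry a negotiation policy

# Constructed sample shaped like `aws elb describe-load-balancers` output (trimmed to what matters).
SAMPLE_LBS = json.loads("""[
 {"LoadBalancerName": "web-tls12", "ListenerDescriptions": [{"Listener": {"Protocol": "HTTPS",
   "LoadBalancerPort": 443}, "PolicyNames": ["AWSConsole-SSLNegotiationPolicy-web-tls12"]}]},
 {"LoadBalancerName": "web-legacy", "ListenerDescriptions": [{"Listener": {"Protocol": "HTTPS",
   "LoadBalancerPort": 443}, "PolicyNames": ["AWSConsole-SSLNegotiationPolicy-web-legacy"]}]},
 {"LoadBalancerName": "web-plain", "ListenerDescriptions": [{"Listener": {"Protocol": "HTTP",
   "LoadBalancerPort": 80}, "PolicyNames": []}]}
]""")

# Constructed sample shaped like `aws elb describe-load-balancer-policies` output, keyed by CLB name.
# Choosing a predefined policy in the console creates an SSL negotiation policy whose
# Reference-Security-Policy attribute names that predefined policy (assumed attribute name).
SAMPLE_POLICIES = {
 "web-tls12": [{"PolicyName": "AWSConsole-SSLNegotiationPolicy-web-tls12",
   "PolicyTypeName": "SSLNegotiationPolicyType", "PolicyAttributeDescriptions": [
   {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"}]}],
 "web-legacy": [{"PolicyName": "AWSConsole-SSLNegotiationPolicy-web-legacy",
   "PolicyTypeName": "SSLNegotiationPolicyType", "PolicyAttributeDescriptions": [
   {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2016-08"}]}],
 "web-plain": [],
}

def reference_policy_of(policy):
    """Return the predefined policy an SSL negotiation policy references, or None."""
    if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
        return None
    for attr in policy.get("PolicyAttributeDescriptions", []):
        if attr["AttributeName"] == "Reference-Security-Policy":
            return attr["AttributeValue"]
    return None

def evaluate_clb(lb, policy_descs, required=REQUIRED_POLICY):
    """NOT_APPLICABLE with no SSL listeners; otherwise every SSL listener must be
    attached to `required` itself or to a policy that references it."""
    by_name = {p["PolicyName"]: p for p in policy_descs}
    ssl_listeners = [ld for ld in lb["ListenerDescriptions"]
                     if ld["Listener"]["Protocol"] in SSL_PROTOCOLS]
    if not ssl_listeners:
        return "NOT_APPLICABLE"
    for ld in ssl_listeners:
        if not any(n == required or reference_policy_of(by_name.get(n, {})) == required
                   for n in ld["PolicyNames"]):
            return "NON_COMPLIANT"
    return "COMPLIANT"
```

Feed it the real CLI output for each load balancer and any NON_COMPLIANT result is one to fix in the console as described above.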

