ELBv2 Insecure SSL Ciphers
Overview
This check verifies that your Application Load Balancers (ALB) and Network Load Balancers (NLB) use secure SSL/TLS security policies on their HTTPS listeners. A security policy determines which encryption protocols and ciphers are used when negotiating secure connections between clients and your load balancer.
Risk
Using outdated or weak SSL/TLS security policies exposes your application to several threats:
- Downgrade attacks: Attackers can force connections to use weaker encryption
- Data interception: Weak ciphers can be broken, allowing eavesdropping on sensitive traffic
- Credential theft: Authentication tokens and session cookies may be exposed
- Compliance violations: Many security standards require TLS 1.2 or higher
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify load balancer listeners
- Know which load balancer(s) have failing HTTPS listeners
How to find affected load balancers
Run Prowler to identify which load balancers are using insecure SSL policies:
prowler aws --check elbv2_insecure_ssl_ciphers --region us-east-1
The output will list each affected listener with its current security policy.
AWS Console Method
- Open the EC2 Console
- In the left navigation, click Load Balancers (under "Load Balancing")
- Select the load balancer you need to update
- Click the Listeners tab
- Find the HTTPS listener (typically port 443)
- Click Edit (or select the listener and click Actions > Edit listener)
- In the Security policy dropdown, select a secure policy:
  - Recommended: ELBSecurityPolicy-TLS13-1-2-2021-06 (supports TLS 1.2 and 1.3)
  - Alternative: ELBSecurityPolicy-TLS-1-2-2017-01 (TLS 1.2 only)
- Click Save changes
Repeat for each HTTPS listener that needs updating.
AWS CLI (optional)
Update a Listener's Security Policy
aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/0467ef3c8400ae65 \
--ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
--region us-east-1
Replace arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/... with your listener ARN.
Find Your Listener ARNs
First, list your load balancers:
aws elbv2 describe-load-balancers --region us-east-1 \
--query 'LoadBalancers[*].[LoadBalancerName,LoadBalancerArn]' \
--output table
Then list listeners for a specific load balancer:
aws elbv2 describe-listeners \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \
--region us-east-1 \
--query 'Listeners[*].[Protocol,Port,SslPolicy,ListenerArn]' \
--output table
CloudFormation (optional)
HTTPS Listener with Secure SSL Policy
AWSTemplateFormatVersion: '2010-09-09'
Description: ALB HTTPS Listener with secure SSL policy
Parameters:
  LoadBalancerArn:
    Type: String
    Description: ARN of the existing load balancer
  TargetGroupArn:
    Type: String
    Description: ARN of the target group
  CertificateArn:
    Type: String
    Description: ARN of the ACM certificate
Resources:
  SecureHTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn
Outputs:
  ListenerArn:
    Description: ARN of the HTTPS listener
    Value: !Ref SecureHTTPSListener
Deploy the Template
aws cloudformation deploy \
--template-file https-listener.yaml \
--stack-name secure-https-listener \
--parameter-overrides \
LoadBalancerArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188 \
TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \
CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc12345-1234-1234-1234-abc123456789 \
--region us-east-1
Terraform (optional)
HTTPS Listener Resource
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.main.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.main.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.main.arn
  }
}
Update Existing Listener
If you have an existing listener, update the ssl_policy attribute:
resource "aws_lb_listener" "https" {
  # ... existing configuration ...
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" # Updated policy
  # ... rest of configuration ...
}
Apply Changes
terraform plan
terraform apply
Verification
After making changes, verify the security policy is updated:
- In the EC2 Console, go to Load Balancers
- Select your load balancer and click the Listeners tab
- Confirm the Security policy column shows ELBSecurityPolicy-TLS13-1-2-2021-06 (or your chosen secure policy)
CLI verification
aws elbv2 describe-listeners \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \
--region us-east-1 \
--query 'Listeners[?Protocol==`HTTPS`].[Port,SslPolicy]' \
--output table
Re-run the Prowler check to confirm the issue is resolved:
prowler aws --check elbv2_insecure_ssl_ciphers --region us-east-1
Additional Resources
- AWS Application Load Balancer Security Policies
- AWS Network Load Balancer Security Policies
- TLS Security Best Practices
Notes
- No downtime: Changing the SSL policy does not interrupt existing connections
- Client compatibility: Ensure your clients support TLS 1.2 or higher before upgrading. Most modern browsers and applications do, but legacy systems may not
- Policy naming: AWS security policy names follow patterns like ELBSecurityPolicy-TLS13-1-2-2021-06, where TLS13-1-2 means the policy supports TLS 1.3 and 1.2, and 2021-06 is the policy version date
- Network Load Balancers: Use the same security policies as ALBs for TLS listeners
- FIPS compliance: If you require FIPS 140-2 validated cryptographic modules, use ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
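The following added example (not Prowler's own implementation of elbv2_insecure_ssl_ciphers) shows how the detection described under "How to find affected load balancers" can be reproduced offline: it parses the policy naming pattern from the Notes above to derive the lowest TLS version a policy negotiates, then flags every HTTPS/TLS listener whose policy allows anything below TLS 1.2. The input is a constructed sample shaped like the JSON that `aws elbv2 describe-listeners` returns; the second and third listener ARNs, the treatment of version-less legacy names as TLS 1.0 policies, and the TLS 1.2 threshold are assumptions made for the example.

```python
"""Classify ELBv2 listener SSL policies by the TLS versions their names encode.

Added example, not Prowler's own code. Policy-name parsing is a heuristic
built on the naming pattern described in the Notes of this page.
"""
import re
from dataclasses import dataclass

# A listener is acceptable when its policy negotiates nothing below TLS 1.2
# (assumption matching the "TLS 1.2 or higher" compliance note above).
MIN_ACCEPTABLE_TLS = (1, 2)

# Version segment of a policy name: "TLS13-1-2", "TLS-1-2", "FS-1-2", ...
_VERSION_RE = re.compile(r"(?:TLS13|TLS|FS)-(\d)-(\d)")
# Trailing "YYYY-MM" is the policy version date.
_DATE_RE = re.compile(r"(\d{4})-(\d{2})$")


@dataclass(frozen=True)
class PolicyInfo:
    name: str
    min_tls: tuple        # lowest TLS version the policy negotiates, e.g. (1, 2)
    supports_tls13: bool
    version_date: str     # "2021-06" for ELBSecurityPolicy-TLS13-1-2-2021-06


def parse_policy(name: str) -> PolicyInfo:
    """Derive minimum TLS version and version date from an ELB policy name."""
    m = _VERSION_RE.search(name)
    if m:
        min_tls = (int(m.group(1)), int(m.group(2)))
    else:
        # Names with no version segment (e.g. ELBSecurityPolicy-2016-08) are
        # legacy policies that still allow TLS 1.0 (assumption).
        min_tls = (1, 0)
    d = _DATE_RE.search(name)
    version_date = f"{d.group(1)}-{d.group(2)}" if d else "unknown"
    return PolicyInfo(name, min_tls, "TLS13" in name, version_date)


def is_insecure(policy_name: str) -> bool:
    """True when the policy can negotiate a TLS version below the threshold."""
    return parse_policy(policy_name).min_tls < MIN_ACCEPTABLE_TLS


def find_insecure_listeners(describe_listeners_response: dict) -> list:
    """Return one finding per HTTPS/TLS listener whose policy allows TLS < 1.2."""
    findings = []
    for listener in describe_listeners_response.get("Listeners", []):
        if listener.get("Protocol") not in ("HTTPS", "TLS"):
            continue  # plain HTTP/TCP listeners negotiate no TLS at all
        policy = listener.get("SslPolicy", "")
        info = parse_policy(policy)
        if info.min_tls < MIN_ACCEPTABLE_TLS:
            findings.append({
                "ListenerArn": listener["ListenerArn"],
                "Port": listener["Port"],
                "SslPolicy": policy,
                "MinTLS": f"{info.min_tls[0]}.{info.min_tls[1]}",
            })
    return findings


# Constructed sample in describe-listeners shape. The first ARN is the page's
# placeholder; the others are made-up placeholders, not real resources.
SAMPLE_RESPONSE = {
    "Listeners": [
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/0467ef3c8400ae65",
            "Port": 443,
            "Protocol": "HTTPS",
            "SslPolicy": "ELBSecurityPolicy-2016-08",
        },
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/EXAMPLE-LISTENER-2",
            "Port": 8443,
            "Protocol": "HTTPS",
            "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
        },
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/EXAMPLE-LISTENER-3",
            "Port": 80,
            "Protocol": "HTTP",
        },
    ]
}

if __name__ == "__main__":
    for f in find_insecure_listeners(SAMPLE_RESPONSE):
        print(f"FAIL port {f['Port']}: {f['SslPolicy']} allows TLS {f['MinTLS']} ({f['ListenerArn']})")
```

Run against the sample, only the port 443 listener is reported, because ELBSecurityPolicy-2016-08 carries no TLS version segment and is treated as a TLS 1.0 policy; to run it against a real account, pipe the output of the `aws elbv2 describe-listeners` command shown under "Find Your Listener ARNs" through `json.load` and pass the result to `find_insecure_listeners`.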