Skip to content

An outdated SSL policy is in use by a load balancer.

Default Severity: critical

Explanation

You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

Possible Impact

The SSL policy is outdated and has known vulnerabilities

Suggested Resolution

Use a more recent TLS/SSL policy for the load balancer

Insecure Example

The following example will fail the aws-elb-use-secure-tls-policy check.

 resource "aws_alb_listener" "bad_example" {
    ssl_policy = "ELBSecurityPolicy-TLS-1-1-2017-01"
    protocol = "HTTPS"
 }

Secure Example

The following example will pass the aws-elb-use-secure-tls-policy check.

 resource "aws_alb_listener" "good_example" {
    ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
    protocol = "HTTPS"
 }