AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-02-27 · Documentation low

File: securityhub/latest/userguide/elb-controls.md

Summary

Added new control [ELB.17] requiring Application and Network Load Balancers to use recommended security policies for HTTPS/TLS listeners

Security assessment

The change adds documentation about using recommended security policies for load balancers, which is a security best practice but does not address a specific security vulnerability or incident.

Diff

diff --git a/securityhub/latest/userguide/elb-controls.md
index 4db0e4424..3ca1dd907 100644
--- a/securityhub/latest/userguide/elb-controls.md
+++ b/securityhub/latest/userguide/elb-controls.md
@@ -5 +5 @@
-[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination[ELB.4] Application Load Balancer should be configured to drop invalid http headers[ELB.5] Application and Classic Load Balancers logging should be enabled[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled[ELB.7] Classic Load Balancers should have connection draining enabled[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled[ELB.10] Classic Load Balancer should span multiple Availability Zones[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL
+[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination[ELB.4] Application Load Balancer should be configured to drop invalid http headers[ELB.5] Application and Classic Load Balancers logging should be enabled[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled[ELB.7] Classic Load Balancers should have connection draining enabled[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled[ELB.10] Classic Load Balancer should span multiple Availability Zones[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode[ELB.16] Application Load Balancers should be associated with an AWS WAF web ACL[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies
@@ -435,0 +436,24 @@ To associate an Application Load Balancer with a web ACL, see [Associating or di
+## [ELB.17] Application and Network Load Balancers with listeners should use recommended security policies
+
+**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6)
+
+**Category:** Protect > Data Protection > Encryption of data-in-transit
+
+**Severity:** Medium
+
+**Resource type:** `AWS::ElasticLoadBalancingV2::Listener`
+
+**AWS Config rule:** [elbv2-predefined-security-policy-ssl-check](https://docs.aws.amazon.com/config/latest/developerguide/elbv2-predefined-security-policy-ssl-check.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:** `sslPolicies`: `ELBSecurityPolicy-TLS13-1-2-2021-06`, `ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04`, `ELBSecurityPolicy-TLS13-1-3-2021-06`, `ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04` (not customizable)
+
+This control checks whether the HTTPS listener for an Application Load Balancer or the TLS listener for a Network Load Balancer is configured to encrypt data in transit by using a recommended security policy. The control fails if the HTTPS or TLS listener for a load balancer isn't configured to use a recommended security policy.
+
+Elastic Load Balancing uses an SSL negotiation configuration, known as a _security policy_ , to negotiate connections between a client and a load balancer. The security policy specifies a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server. A cipher is an encryption algorithm that uses encryption keys to create a coded message. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. Using a recommended security policy for a load balancer can help you meet compliance and security standards.
+
+### Remediation
+
+For information about recommended security policies and how to update listeners, see the following sections of the _Elastic Load Balancing User Guides_ : [Security policies for Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html), [Security policies for Network Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html), [Update an HTTPS listener for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html), and [Update a listener for your Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/listener-update-rules.html).
+