AWS elasticloadbalancing medium security documentation change
Summary
Updated certificate management procedures for TLS listeners, including revised UI navigation steps, explicit guidance on maintaining previous certificates for SNI/TLS session resumption, and warnings about disruption risks during certificate removal or security policy updates
Security assessment
Added explicit guidance about retaining previous certificates during rotation to maintain SNI compatibility and TLS session resumption capabilities prevents potential connection failures that could lead to service disruptions or insecure fallback behaviors. The warning about certificate removal impacts and security policy update disruptions helps prevent accidental misconfigurations that could break TLS handshakes.
Diff
diff --git a/elasticloadbalancing/latest/network/listener-update-certificates.md b/elasticloadbalancing/latest/network/listener-update-certificates.md index 91798dc48..b8789217f 100644 --- a//elasticloadbalancing/latest/network/listener-update-certificates.md +++ b//elasticloadbalancing/latest/network/listener-update-certificates.md @@ -36 +36 @@ You can replace the default certificate for your TLS listener using the followin - 3. Choose the name of the load balancer to open its detail page. + 3. Select the load balancer. @@ -38 +38 @@ You can replace the default certificate for your TLS listener using the followin - 4. On the **Listeners** tab, choose the text in the **Protocol:Port** column to open the detail page for the listener. + 4. On the **Listeners and rules** tab, choose the text in the **Protocol:Port** column to open the detail page for the listener. @@ -40 +40 @@ You can replace the default certificate for your TLS listener using the followin - 5. For **Default SSL certificate** , do one of the following: + 5. On the **Certificates** tab, choose **Change default**. @@ -42 +42 @@ You can replace the default certificate for your TLS listener using the followin - * If you created or imported a certificate using AWS Certificate Manager, choose **From ACM** and choose the certificate. + 6. Within the **ACM and IAM certificates** table, select a new default certificate. @@ -44 +44 @@ You can replace the default certificate for your TLS listener using the followin - * If you uploaded a certificate using IAM, choose **From IAM** and choose the certificate. + 7. (Optional) By default, we select **Add previous default certificate to listener certificate list**. We recommend that you keep this option selected, unless you currently have no listener certificates for SNI and rely on TLS session resumption. @@ -46 +46 @@ You can replace the default certificate for your TLS listener using the followin - 6. Choose **Save changes**. + 8. Choose **Save as default**. @@ -57 +57 @@ Use the [modify-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2 -You can add certificates to the certificate list for your listener using the following procedure. When you first create a TLS listener, the certificate list is empty. You can add one or more certificates. You can optionally add the default certificate to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate. For more information, see [Certificate list](./tls-listener-certificates.html#sni-certificate-list). +You can add certificates to the certificate list for your listener using the following procedure. When you first create a TLS listener, the certificate list is empty. You can add the default certificate to the certificate list to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate. For more information, see [Certificate list](./tls-listener-certificates.html#sni-certificate-list). @@ -69 +69,3 @@ You can add certificates to the certificate list for your listener using the fol - 5. Select the check box for the listener and choose **Actions** , **Add SSL certificates for SNI**. + 5. Choose the **Certificates** tab. + + 6. To add the default certificate to the list, choose **Add default to list** @@ -71 +73 @@ You can add certificates to the certificate list for your listener using the fol - 6. To add certificates that are already managed by ACM or IAM, select the check boxes for the certificates and choose **Include as pending below**. + 7. To add nondefault certificates to the list, do the following: @@ -73 +75 @@ You can add certificates to the certificate list for your listener using the fol - 7. If you have a certificate that isn't managed by ACM or IAM, choose **Import certificate** , complete the form, and choose **Import**. + 1. Choose **Add certificate**. @@ -75 +77,5 @@ You can add certificates to the certificate list for your listener using the fol - 8. Choose **Add pending certificates**. + 2. To add certificates that are already managed by ACM or IAM, select the check boxes for the certificates and choose **Include as pending below**. + + 3. To add a certificate that isn't managed by ACM or IAM, choose **Import certificate** , complete the form, and choose **Import**. + + 4. Choose **Add pending certificates**. @@ -86 +92,3 @@ Use the [add-listener-certificates](https://docs.aws.amazon.com/cli/latest/refer -You can remove certificates from the certificate list for a TLS listener using the following procedure. To remove the default certificate for a TLS listener, see Replace the default certificate. +You can remove certificates from the certificate list for a TLS listener using the following procedure. After you remove a certificate, the listener can no longer create connections using that certificate. To ensure that clients are not impacted, add a new certificate to the list and confirm that connections are working before you remove a certificate from the list. + +To remove the default certificate for a TLS listener, see Replace the default certificate. @@ -114,0 +123,2 @@ When you create a TLS listener, you can select the security policy that meets yo +Updating the security policy can result in disruptions if the load balancer is handling a high volume of traffic. To decrease the possibility of disruptions when your load balancer is handling a high volume of traffic, create an additional load balancer to help handle the traffic or request an LCU reservation. +