ELBv2 HTTPS listeners are assessed for use of strong TLS policies. Listeners whose ssl_policy is not in the approved set (TLS 1.2/1.3-focused policies) may include weak protocols or ciphers.
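The assessment described above, as an added example (not Prowler's own check code): it evaluates listener records in the shape returned by the ELBv2 DescribeListeners API against an approved policy set. The approved set, the inclusion of NLB "TLS" listeners alongside ALB "HTTPS" ones, and the sample listener data are assumptions made here, not taken from the page.

```python
"""Flag ELBv2 HTTPS/TLS listeners whose SslPolicy is outside an approved set."""
from typing import Iterable

# Assumed approved set: predefined AWS policies that negotiate only TLS 1.2/1.3.
# Replace with your organisation's baseline if it differs.
APPROVED_SSL_POLICIES = frozenset({
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
    "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
})
ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS"}  # ALB HTTPS listeners plus NLB TLS listeners


def evaluate_listeners(listeners: Iterable[dict], approved=APPROVED_SSL_POLICIES) -> list[dict]:
    """Return one PASS/FAIL finding per encrypted listener; plaintext listeners are skipped."""
    findings = []
    for listener in listeners:
        if listener.get("Protocol") not in ENCRYPTED_PROTOCOLS:
            continue  # HTTP/TCP listeners carry no SslPolicy and are out of scope
        policy = listener.get("SslPolicy", "")  # missing policy is treated as not approved
        findings.append({
            "listener_arn": listener["ListenerArn"],
            "ssl_policy": policy,
            "status": "PASS" if policy in approved else "FAIL",
        })
    return findings


def collect_listeners(region: str) -> list[dict]:
    """Fetch every listener in a region with boto3 (needs AWS credentials; not used offline)."""
    import boto3
    client = boto3.client("elbv2", region_name=region)
    listeners = []
    for lb_page in client.get_paginator("describe_load_balancers").paginate():
        for lb in lb_page["LoadBalancers"]:
            pages = client.get_paginator("describe_listeners").paginate(LoadBalancerArn=lb["LoadBalancerArn"])
            for page in pages:
                listeners.extend(page["Listeners"])
    return listeners


# Constructed sample in the DescribeListeners shape, so the logic runs without AWS access.
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/a1/l1", "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/legacy/b2/l2", "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/legacy/b2/l3", "Protocol": "HTTP", "Port": 80},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/edge/c3/l4", "Protocol": "TLS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-TLS-1-0-2015-04"},
]

if __name__ == "__main__":
    for finding in evaluate_listeners(SAMPLE_LISTENERS):
        print(finding["status"], finding["listener_arn"], finding["ssl_policy"])
```

Any FAIL finding maps directly to the remediation below: modify that listener's policy to an approved one.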
Risk
Legacy or weak ciphers enable downgrade and man-in-the-middle attacks, allowing decryption of sessions, credential theft, and request tampering. This undermines confidentiality and integrity of data in transit and can expose cookies or tokens for account takeover.
prowler aws --checks elbv2_insecure_ssl_ciphers
Recommendation
Enforce modern TLS on load balancer listeners:
- Use AWS recommended policies such as ELBSecurityPolicy-TLS13-1-2-2021-06
- Disable TLS 1.0/1.1 and weak ciphers; prefer suites with forward secrecy
- Periodically review and update policies
As defense in depth, restrict which clients can reach the load balancer and grant least-privilege permissions for changing listener settings.
Remediation
aws elbv2 modify-listener --listener-arn <listener_arn> --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06
- In the AWS Console, go to EC2 > Load Balancers
- Select the load balancer and open the Listeners tab
- Select the HTTPS listener and choose Edit
- Set Security policy to ELBSecurityPolicy-TLS13-1-2-2021-06 (or any approved policy)
- Save changes
Resource Type
AwsElbv2LoadBalancer