AWS Load Balancer is not using TLS 1.2
Description
This policy ensures that the Load Balancer Listener is using at least TLS v1.2. TLS (Transport Layer Security) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party can eavesdrop or tamper with any message. This check validates that ElasticLoadBalancing V2 Listener is using at least TLS v1.2 to maintain strong security standards.
Code Example
```hcl
resource "aws_lb_listener" "example" {
  load_balancer_arn = aws_lb.example.arn
  protocol          = "HTTPS"
  port              = "443"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn
  }
}
```
Remediation
Terraform
To fix this issue, ensure that every HTTPS listener on the load balancer has its `ssl_policy` property set to a predefined security policy that requires at least TLS v1.2. The Terraform configuration in the code example above shows this property set on an `aws_lb_listener` resource.
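As an added illustration of the rule's logic (not Checkov's own implementation), the Python below evaluates parsed `aws_lb_listener` attributes the way this policy does: HTTPS/TLS listeners must name a security policy whose minimum version is TLS 1.2 or higher. It assumes AWS predefined policy names encode their TLS floor in a `TLS-1-x`, `TLS13-1-x` or `FS-1-x` segment, that names without such a segment (such as the default applied when `ssl_policy` is omitted) accept TLS 1.0, and that the input resources are constructed dictionaries rather than real HCL.

```python
"""Check aws_lb_listener attributes for a TLS 1.2 minimum (IAC-0156 / CKV_AWS_103 style)."""
import re

# Assumption: a predefined policy name carries its lowest accepted TLS version
# in a segment such as "-TLS-1-2-", "-TLS13-1-2-" or "-FS-1-2-". Names with no
# such segment (e.g. ELBSecurityPolicy-2016-08) are treated as accepting TLS 1.0.
_VERSION_RE = re.compile(r"-(?:TLS|FS)(?:13)?-1-([0-3])(?:-|$)")

# Assumption: this is the policy AWS applies when ssl_policy is left unset.
DEFAULT_POLICY = "ELBSecurityPolicy-2016-08"

# Only listeners that terminate TLS are in scope for the rule.
ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS"}


def min_tls_version(policy: str) -> tuple:
    """Return the (major, minor) TLS floor a policy name implies; unknown names fall to 1.0."""
    match = _VERSION_RE.search(policy)
    return (1, int(match.group(1))) if match else (1, 0)


def check_listener(attrs: dict) -> str:
    """Return "PASS" or "FAIL" for one listener's attribute map."""
    protocol = str(attrs.get("protocol", "HTTP")).upper()
    if protocol not in ENCRYPTED_PROTOCOLS:
        return "PASS"  # plain HTTP/TCP listener: no TLS is negotiated, rule not applicable
    policy = attrs.get("ssl_policy") or DEFAULT_POLICY  # missing value means the AWS default
    return "PASS" if min_tls_version(policy) >= (1, 2) else "FAIL"


def scan(resources: dict) -> dict:
    """Map each listener name to its verdict."""
    return {name: check_listener(attrs) for name, attrs in resources.items()}


# Constructed sample input: three listeners as a parser might hand them over.
SAMPLE_LISTENERS = {
    "example": {"protocol": "HTTPS", "port": "443",
                "ssl_policy": "ELBSecurityPolicy-TLS-1-2-2017-01"},   # page's remediated listener
    "legacy": {"protocol": "HTTPS", "port": "443"},                    # ssl_policy omitted -> default
    "redirect": {"protocol": "HTTP", "port": "80"},                    # no TLS, out of scope
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_LISTENERS).items():
        print(f"aws_lb_listener.{name}: {verdict}")
```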
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0156 |
| Severity | HIGH |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_103 |