DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Terraform

Terraform

Made by DeepSource
Use Analyzer

An outdated SSL policy is in use by a load balancer TF-AWS010

Security
Critical

It is not recommended to use outdated/insecure TLS versions for encryption.

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of SSL protocols, SSL ciphers, and the Server Order Preference option. Using outdated security policies pose a security risk to your infrastructure, and hence must be updated regularly.

Refer to https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html for the latest predefined set of SSL security policies. This issue is currently raised for TLS <= v1.2. Upgrading it to v1.2+ is recommended.

Examples

Bad practice

resource "aws_alb_listener" "my-resource" {
    ssl_policy = "ELBSecurityPolicy-TLS-1-1-2017-01"
    protocol = "HTTPS"
}

Recommended

resource "aws_alb_listener" "my-resource" {
    ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
    protocol = "HTTPS"
}

References