It all depends on what your security posture is with TLS versions and encryption ciphers. You can test your ALB using this website, which will give you a score based on your current configuration: https://www.ssllabs.com/ssltest/
NOTE: Tick Do not show on public boards
The higher the TLS, the more secure. 1.2 and 1.3 are the main standards today. A lot of those ciphers are now weak and are seen as bad.
Personally I would be looking at ELBSecurityPolicy-FS-1-2-Res-2020-10 or ELBSecurityPolicy-TLS-1-2-2017-01 if you don’t need forward secrecy.
When you force a higher TLS and remove supported ciphers, watch out for old browsers, operating systems and applications that have not been upgraded to support the newer ciphers etc. It's unlikely today, but they would experience TLS issues when connecting and will fail if they do not support the increased TLS settings.
Use SSL Labs to check the results after changing, but I personally would go for ELBSecurityPolicy-FS-1-2-Res-2020-10 if you NEED FS, or the TLS-1-2-2017-01 if not. You can also check here for details on ciphers: https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384/
Hope this helps
I have upgraded TLS to the latest version, ELBSecurityPolicy-FS-1-2-Res-2020-10, on AWS ALBs, but I am not sure how to test the new version to ensure it has no impact from the clients?
Hi Gary, thank you very much for the detailed information. This looks really good to me.
Any other questions, fire away... Be sure to accept the answer if satisfactory to help others and me. Thanks
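On the client-impact question raised in this thread, one complementary check (an added example, not part of the original posts) is to read the `ssl_protocol` and `ssl_cipher` fields of ALB access logs collected while the previous policy was active and list the clients that negotiated something the stricter policy would refuse. The allowed protocol and cipher sets below are assumptions for ELBSecurityPolicy-FS-1-2-Res-2020-10 and should be confirmed against the AWS policy table; the log lines are constructed and truncated after `ssl_protocol`.

```python
import csv
from collections import Counter

# Assumption: what the target policy accepts, in ALB access-log naming.
# Confirm against the AWS security policy table before relying on it.
ALLOWED_PROTOCOLS = {"TLSv1.2"}
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
}

# Constructed sample entries (documentation IP ranges, made-up user agents).
SAMPLE_LOG = '''\
https 2024-01-01T00:00:01.000000Z app/demo-alb/0123456789abcdef 198.51.100.10:50001 10.0.0.5:80 0.001 0.002 0.000 200 200 120 512 "GET https://example.test:443/ HTTP/1.1" "ModernBrowser/120.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
https 2024-01-01T00:00:02.000000Z app/demo-alb/0123456789abcdef 203.0.113.7:41000 10.0.0.5:80 0.001 0.002 0.000 200 200 120 512 "GET https://example.test:443/api HTTP/1.1" "LegacyApp/1.0" ECDHE-RSA-AES128-SHA TLSv1
https 2024-01-01T00:00:03.000000Z app/demo-alb/0123456789abcdef 203.0.113.7:41001 10.0.0.5:80 0.001 0.002 0.000 200 200 120 512 "GET https://example.test:443/api HTTP/1.1" "LegacyApp/1.0" ECDHE-RSA-AES128-SHA TLSv1
https 2024-01-01T00:00:04.000000Z app/demo-alb/0123456789abcdef 203.0.113.9:42000 10.0.0.5:80 0.001 0.002 0.000 200 200 120 512 "GET https://example.test:443/ HTTP/1.1" "OldBrowser/4.0" AES128-SHA TLSv1.2
http 2024-01-01T00:00:05.000000Z app/demo-alb/0123456789abcdef 198.51.100.11:50002 10.0.0.5:80 0.001 0.002 0.000 301 - 90 200 "GET http://example.test:80/ HTTP/1.1" "ModernBrowser/120.0" - -
'''

def parse_entry(line):
    """Return the TLS-relevant fields of one ALB access-log entry, or None."""
    if not line.strip():
        return None
    # Fields are space-separated; request and user agent are double-quoted.
    fields = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(fields) < 16:
        return None
    return {
        "client_ip": fields[3].rsplit(":", 1)[0],  # client:port
        "user_agent": fields[13],
        "cipher": fields[14],                      # ssl_cipher
        "protocol": fields[15],                    # ssl_protocol
    }

def at_risk_clients(log_text):
    """Count requests per client whose negotiated TLS is outside the target policy."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or e["protocol"] == "-":      # plain-HTTP listener entries
            continue
        if e["protocol"] not in ALLOWED_PROTOCOLS or e["cipher"] not in ALLOWED_CIPHERS:
            counts[(e["client_ip"], e["user_agent"], e["protocol"], e["cipher"])] += 1
    return counts

if __name__ == "__main__":
    for client, hits in at_risk_clients(SAMPLE_LOG).most_common():
        print(hits, *client)
```

A flagged client is a candidate to follow up on rather than a confirmed failure: the log records what was negotiated, not everything the client supports.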