If you check a freshly created AWS Application LoadBalancer with a certificate from the AWS Certificate Manager and an HTTPS Listener with default settings in SSL Labs, you'll see the B grade:
The main reason SSL Labs gives is the support for the deprecated protocol versions TLS 1.0 and 1.1.
AWS LoadBalancer SecurityPolicy and TLS versions
The versions that will be supported by your AWS Application LoadBalancer are defined in its SecurityPolicy:
You can find the full list of policies in the documentation, and there you'll also find the default one, ELBSecurityPolicy-2016-08, which comes with TLS 1.0/1.1 support:
So, to disable these versions, we need to change the policy used for an Application LoadBalancer.
Let’s do it manually, and then check a new grade.
Choose the 443 port's Listener and click Edit:
Choose the ELBSecurityPolicy-TLS-1-2-2017-01:
Check SSL Report one more time:
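Clicking through the console works for one listener, but the same policy-to-protocol mapping can be audited across an account. The following is an added example (not code from the original post): it walks every HTTPS listener, looks up which protocols its SecurityPolicy negotiates, flags policies that still allow TLS 1.0/1.1, and can switch them to ELBSecurityPolicy-TLS-1-2-2017-01. It assumes the boto3 `elbv2` client interface; the `FakeElbv2` class is a constructed stand-in with fabricated ARNs so the code runs offline.

```python
"""Audit ALB HTTPS listeners for SecurityPolicies that still allow TLS 1.0/1.1."""
DEPRECATED = {"TLSv1", "TLSv1.1"}
RECOMMENDED_POLICY = "ELBSecurityPolicy-TLS-1-2-2017-01"

def deprecated_protocols(ssl_protocols):
    """Deprecated protocol names present in a policy's SslProtocols list."""
    return sorted(DEPRECATED.intersection(ssl_protocols))

def audit_listeners(elbv2):
    """Return (lb_arn, listener_arn, policy, deprecated) for every HTTPS listener
    whose policy still negotiates TLS 1.0/1.1. `elbv2` is boto3.client("elbv2")
    or any object exposing the same four methods (assumption; see FakeElbv2)."""
    findings, protocols_by_policy = [], {}
    for lb in elbv2.describe_load_balancers()["LoadBalancers"]:
        lb_arn = lb["LoadBalancerArn"]
        for lsn in elbv2.describe_listeners(LoadBalancerArn=lb_arn)["Listeners"]:
            if lsn.get("Protocol") != "HTTPS":
                continue  # plain HTTP listeners carry no SSL policy
            policy = lsn["SslPolicy"]
            if policy not in protocols_by_policy:  # one API call per distinct policy
                resp = elbv2.describe_ssl_policies(Names=[policy])
                protocols_by_policy[policy] = resp["SslPolicies"][0]["SslProtocols"]
            bad = deprecated_protocols(protocols_by_policy[policy])
            if bad:
                findings.append((lb_arn, lsn["ListenerArn"], policy, bad))
    return findings

def remediate(elbv2, findings, policy=RECOMMENDED_POLICY):
    """Move every flagged listener to `policy`; returns the listener ARNs changed."""
    for _, listener_arn, _, _ in findings:
        elbv2.modify_listener(ListenerArn=listener_arn, SslPolicy=policy)
    return [f[1] for f in findings]

class FakeElbv2:
    """Constructed stand-in for the boto3 elbv2 client so the example runs offline."""
    POLICIES = {"ELBSecurityPolicy-2016-08": ["TLSv1", "TLSv1.1", "TLSv1.2"],
                RECOMMENDED_POLICY: ["TLSv1.2"]}
    def __init__(self):
        self.modified = []  # records modify_listener calls
    def describe_load_balancers(self):
        return {"LoadBalancers": [{"LoadBalancerArn": "arn:demo:loadbalancer/app/test"}]}
    def describe_listeners(self, LoadBalancerArn):
        return {"Listeners": [{"ListenerArn": "arn:demo:listener/80", "Protocol": "HTTP"},
                              {"ListenerArn": "arn:demo:listener/443", "Protocol": "HTTPS",
                               "SslPolicy": "ELBSecurityPolicy-2016-08"}]}
    def describe_ssl_policies(self, Names):
        return {"SslPolicies": [{"Name": n, "SslProtocols": self.POLICIES[n]} for n in Names]}
    def modify_listener(self, ListenerArn, SslPolicy):
        self.modified.append((ListenerArn, SslPolicy))

if __name__ == "__main__":
    client = FakeElbv2()  # swap in boto3.client("elbv2") to audit a real account
    found = audit_listeners(client)
    print(found, "->", remediate(client, found))
```

Against a real account the same calls need the `elasticloadbalancing:Describe*` and `ModifyListener` permissions, and `describe_load_balancers` should be paginated if you have more than a page of load balancers.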
Kubernetes, and AWS ALB Controller
If your AWS LoadBalancers are created with the AWS Load Balancer Controller, as in our case, then you can set the necessary Policy via its annotations, specifically with the alb.ingress.kubernetes.io/ssl-policy annotation:
```yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  namespace: test-namespace
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/inbound-cidrs: 0.0.0.0/0
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-2:534***385:certificate/7b594eee-3dc0-424f-a6c0-2c1b14113602"
    # the HTTPS listener must be opened here for the ssl-policy to apply
    # (the key is given once: a duplicate listen-ports annotation is rejected by kubectl)
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
...
```
AWS LoadBalancer, and TLS 1.3
As for TLS 1.3 support, at the time of writing this post (September 2021) it's not supported by AWS yet.
Here is a reply from AWS Technical Support:
Kindly note please that currently, ALB/CLB does not support TLS 1.3, but according to AWS ELB team this is already a very popular feature request for which we have received multiple customer cases. We also have an internal ticket tracking this feature request, and I have added your case as well to the request to add more customer sentiment. Hopefully this will be implemented soon. However, I am not able to provide an ETA at the moment as AWS Support are not privy to development roadmap.
Done.