AWS: disable TLS 1.0 and TLS 1.1 for Application LoadBalancer

By | 09/27/2021

If you run an SSL Labs check against a freshly created AWS Application LoadBalancer that uses a certificate from the AWS Certificate Manager and the HTTPS Listener's default settings, you'll see a B grade:

The main issue SSL Labs reports is support for the deprecated protocol versions TLS 1.0 and TLS 1.1.

AWS LoadBalancer SecurityPolicy and TLS versions

The protocol versions your AWS Application LoadBalancer will accept are defined by its SecurityPolicy:

You can find the full list of policies in the documentation, including the default one, ELBSecurityPolicy-2016-08, which still enables TLS 1.0 and 1.1:

So, to disable these versions, we need to change the policy used for an Application LoadBalancer.

Let’s do it manually, and then check a new grade.

Choose the port 443 Listener and click Edit:

Choose the ELBSecurityPolicy-TLS-1-2-2017-01 policy:

Check SSL Report one more time:
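The same change can be made and audited from the AWS CLI instead of the console. The script below is an added example, not from the original post: it lists the HTTPS listeners of an ALB, looks up each listener's SslPolicy in the output of `aws elbv2 describe-ssl-policies`, flags any policy that still negotiates TLS 1.0 or 1.1, and prints (or, with `--apply`, runs) the `aws elbv2 modify-listener` call that switches it to ELBSecurityPolicy-TLS-1-2-2017-01. Without `--load-balancer-arn` it runs against constructed sample data shaped like the CLI's JSON output, so it can be tried offline; the listener ARNs and account id in that sample are made up. Live mode assumes AWS CLI v2 and configured credentials with `elasticloadbalancing:Describe*` and `ModifyListener` permissions.

```python
"""Audit ALB HTTPS listeners for SSL policies that still allow TLS 1.0/1.1
and print (or run) the modify-listener fix.

Added example, not from the original post. The SAMPLE_* structures are
constructed data in the shape returned by `aws elbv2 describe-listeners`
and `aws elbv2 describe-ssl-policies`; the ARNs in them are fictitious.
"""
import json
import subprocess
import sys

# Protocol versions SSL Labs penalises: anything below TLS 1.2 flags the listener.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# The policy chosen in the post: TLS 1.2 only.
TARGET_POLICY = "ELBSecurityPolicy-TLS-1-2-2017-01"

# Constructed sample: one ALB with an HTTP and an HTTPS listener on the default policy.
SAMPLE_LISTENERS = {"Listeners": [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-2:111122223333:"
                    "listener/app/test-alb/0123456789abcdef/aaaa1111",
     "Port": 80, "Protocol": "HTTP"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-2:111122223333:"
                    "listener/app/test-alb/0123456789abcdef/bbbb2222",
     "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
]}

# Constructed sample of the two policies' protocol lists (cipher lists omitted).
SAMPLE_POLICIES = {"SslPolicies": [
    {"Name": "ELBSecurityPolicy-2016-08", "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"]},
    {"Name": "ELBSecurityPolicy-TLS-1-2-2017-01", "SslProtocols": ["TLSv1.2"]},
]}


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (live mode only)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def protocols_by_policy(policies):
    """Map policy name -> set of protocol versions that policy negotiates."""
    return {p["Name"]: set(p["SslProtocols"]) for p in policies["SslPolicies"]}


def find_legacy_listeners(listeners, policies):
    """Return [(listener_arn, port, policy, offending_protocols)] for every
    HTTPS listener whose policy still negotiates a version in LEGACY_PROTOCOLS."""
    table = protocols_by_policy(policies)
    findings = []
    for listener in listeners["Listeners"]:
        policy = listener.get("SslPolicy")
        if not policy:  # plain HTTP listener: no TLS policy to grade
            continue
        offending = sorted(table.get(policy, set()) & LEGACY_PROTOCOLS)
        if offending:
            findings.append((listener["ListenerArn"], listener["Port"], policy, offending))
    return findings


def remediation_command(listener_arn, target=TARGET_POLICY):
    """CLI equivalent of the console 'Edit listener -> Security policy' step."""
    return ["aws", "elbv2", "modify-listener",
            "--listener-arn", listener_arn, "--ssl-policy", target]


def main(argv):
    apply_fix = "--apply" in argv
    if "--load-balancer-arn" in argv:
        lb_arn = argv[argv.index("--load-balancer-arn") + 1]
        listeners = aws_json("elbv2", "describe-listeners", "--load-balancer-arn", lb_arn)
        policies = aws_json("elbv2", "describe-ssl-policies")
    else:
        print("no --load-balancer-arn given, auditing constructed sample data")
        listeners, policies = SAMPLE_LISTENERS, SAMPLE_POLICIES

    findings = find_legacy_listeners(listeners, policies)
    if not findings:
        print("no listeners negotiate TLS 1.0/1.1")
        return 0
    for arn, port, policy, offending in findings:
        print(f"port {port}: {policy} allows {', '.join(offending)}")
        cmd = remediation_command(arn)
        if apply_fix:
            subprocess.run(cmd, check=True)
            print(f"  switched to {TARGET_POLICY}")
        else:
            print("  fix: " + " ".join(cmd))
    return 1  # non-zero so the audit can gate a pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the dry-run output on the sample data, with `--load-balancer-arn <arn>` to audit a real ALB, and add `--apply` to perform the listener change. The script exits non-zero while any listener still allows a legacy version, so it can be used as a check in CI; re-run the SSL Labs report afterwards to confirm the grade.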

Kubernetes, and AWS ALB Controller

If your AWS LoadBalancers are created with the AWS Load Balancer Controller, as we do, then you can set a necessary Policy via its annotations, specifically by using the alb.ingress.kubernetes.io/ssl-policy annotation:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  namespace: test-namespace
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/inbound-cidrs: 0.0.0.0/0
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-2:534***385:certificate/7b594eee-3dc0-424f-a6c0-2c1b14113602"
    # both listeners; the ssl-policy below applies to the HTTPS one
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
...

AWS LoadBalancer, and TLS 1.3

As for TLS 1.3 support: at the time of writing (September 2021) it is not yet supported by AWS for these LoadBalancers.

Here is a reply from the Tech. Support:

Kindly note please that currently, ALB/CLB does not support TLS 1.3, but according to AWS ELB team this is already a very popular feature request for which we have received multiple customer cases. We also have an internal ticket tracking this feature request, and I have added your case as well to the request to add more customer sentiment. Hopefully this will be implemented soon. However, I am not able to provide an ETA at the moment as AWS Support are not privy to development roadmap.

Done.