Which SSL ciphers for PCI compliance on Amazon AWS ELB?

We're trying for PCI compliance on a load balanced EC2 instance on AWS. One issue we have to resolve is our load balancer accepts weak ciphers. However, ELB doesn't support the cipher suite, so I have to manually set each cipher one by one. Problem is, I can't find a list of what qualifies as a strong cipher. For example, which ciphers does this setting translate to:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

It's surprisingly hard to find this information, and Amazon doesn't have a default PCI compliant setting (which seems so silly - they have two default policies, why not have a third called "Strong PCI" or something).

Seamus James asked Feb 23 '12 18:02

1 Answer

Update/Hint: Please make sure to read Seamus' follow-up comments as well to ease your way towards PCI certification of an ELB setup, insofar picking the correct SSL ciphers turned out to be one part of the puzzle only.

Quite a puzzle - a default PCI compliant Elastic Load Balancing (ELB) setting would be extremely helpful indeed ;)

You can find all these tags deciphered in the Apache documentation of the SSLCipherSuite directive, e.g.:

  • !aNULL - not No authentication
  • !ADH - not all ciphers using Anonymous Diffie-Hellman key exchange
  • !eNULL - not No encoding
  • ...

This should allow you to translate them to the respective ELB settings as discussed in Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication and Configuring SSL Ciphers specifically.

Good luck!

Steffen Opel answered Nov 05 '22 02:11
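As an added example (not part of the question or of Steffen's answer), here is one way to do the translation the answer describes: let the local OpenSSL build expand the question's SSLCipherSuite string into concrete suite names, flag anything the "!" tags were meant to exclude, and emit the survivors in the shape Classic ELB policy attributes take. Assumptions: Python's ssl module is linked against OpenSSL, the WEAK_MARKERS table and the attribute layout are mine, and ELB uses the same OpenSSL suite names (names it does not support are rejected by the API, so the list still has to be checked against the ELB documentation linked above).

```python
import ssl

# Cipher string from the question; Apache's SSLCipherSuite uses OpenSSL cipher-list syntax verbatim.
QUESTION_CIPHER_STRING = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# Substrings of a suite name that mark what the "!" tags exclude (constructed table, not from OpenSSL).
WEAK_MARKERS = {
    "NULL": "no encryption or no authentication (eNULL/aNULL)",
    "ADH": "anonymous Diffie-Hellman (ADH)",
    "AECDH": "anonymous ECDH (aNULL)",
    "EXP": "export-grade key size (EXP)",
    "DES-CBC-": "single DES (LOW)",
}

def expand_cipher_string(cipher_string: str) -> list:
    """Have the local OpenSSL build expand a cipher-list string into the concrete suites it
    would offer, in priority order. TLS 1.3 suites are controlled separately and may also be listed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches at all
    return ctx.get_ciphers()

def audit_ciphers(ciphers: list, min_bits: int = 128) -> dict:
    """Return {suite name: reason} for each suite that is anonymous, unencrypted, export grade,
    or below min_bits of effective strength (3DES, rated 112 bits by newer OpenSSL, trips this)."""
    findings = {}
    for c in ciphers:
        name = c["name"]
        for marker, reason in WEAK_MARKERS.items():
            if marker in name:
                findings[name] = reason
                break
        else:  # no marker matched: fall back to the strength OpenSSL reports
            if c["strength_bits"] < min_bits:
                findings[name] = f"only {c['strength_bits']}-bit strength"
    return findings

def elb_policy_attributes(ciphers: list) -> list:
    """Shape suite names as Classic ELB policy attributes, the form taken by
    `aws elb create-load-balancer-policy --policy-attributes` (assumed: ELB uses OpenSSL names)."""
    return [{"AttributeName": c["name"], "AttributeValue": "true"} for c in ciphers]

if __name__ == "__main__":
    suites = expand_cipher_string(QUESTION_CIPHER_STRING)
    weak = audit_ciphers(suites)
    for name, reason in weak.items():
        print(f"WEAK   {name}: {reason}")
    for attr in elb_policy_attributes([c for c in suites if c["name"] not in weak]):
        print(f"KEEP   {attr['AttributeName']}={attr['AttributeValue']}")
```

Run it where the candidate string is meant to be evaluated; the exact suite list depends on the OpenSSL version linked into Python, which is exactly why the string alone is not a portable specification.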