We're trying for PCI compliance on a load balanced EC2 instance on AWS. One issue we have to resolve is our load balancer accepts weak ciphers. However, ELB doesn't support the cipher suite, so I have to manually set each cipher one by one. Problem is, I can't find a list of what qualifies as a strong cipher. For example, which ciphers does this setting translate to:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
It's surprisingly hard to find this information, and amazon doesn't have a default PCI compliant setting (which seems so silly - they have two default policies, why not have a third called "Strong PCI" or something).
We recommend the default predefined security policy, ELBSecurityPolicy-2016-08 , for compatibility. You can use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions. Alternatively, you can create a custom security policy.
You can now create a highly scalable, load-balanced web site using multiple Amazon EC2 instances, and you can easily arrange for the entire HTTPS encryption and decryption process (generally known as SSL termination) to be handled by an Elastic Load Balancer.
The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary is available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports.
Update/Hint: Please make sure to read Seamus' follow up comments as well to ease your way towards PCI certification of an ELB setup, insofar picking the correct SSL ciphers turned out to be one part of the puzzle only.
Quite a puzzle - a default PCI compliant Elastic Load Balancing (ELB) setting would be extremely helpful indeed ;)
You can find all these tags deciphered in the Apache documentation of the SSLCipherSuite directive, e.g.:
This should allow you to translate them to the respective ELB settings as discussed in Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication and Configuring SSL Ciphers specifically.
Good luck!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With