- GG_ID: GG_IAC_0012
- Severity: HIGH
- Complexity: LOW
- Categories: NETWORK
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: True
- Privileges required: False
Outdated TLS policies (versions 1.0 and 1.1) rely on cipher suites built on insecure hash functions (SHA-1 and MD5), and are subject to a range of well-known attacks. Note that TLS 1.0 and 1.1 were deprecated on March 25, 2021.
Allowing such policies can let an attacker break the encryption, decrypt the traffic, and perform man-in-the-middle attacks.
- Data, credential leak.
- Man-in-the-middle attacks.
- Use the default security policy on the load balancer TLS listeners (AWS recommendation).
- If you need to select a specific security policy, do not use one that allows TLS 1.0 or 1.1.
Note that this implies that the clients connecting to your endpoint must support TLS version 1.2 or above.
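As an added example (not part of this rule's own implementation), the check below scans a constructed Terraform snippet for `aws_lb_listener` `ssl_policy` values and reports any predefined policy whose lowest accepted protocol version is below TLS 1.2. The policy names are taken from AWS's predefined ELB security policy list; the minimum version is derived from the name's version marker, and names without one are reported for manual review.

```python
import re

# Predefined policy names that carry no version marker but are known, from the
# AWS predefined-policy list, to accept TLS 1.0 connections.
LEGACY_TLS10_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-2015-05",
    "ELBSecurityPolicy-FS-2018-06",
}
MIN_ALLOWED = (1, 2)  # TLS 1.2 is the lowest version this check accepts

# Version marker inside names such as ELBSecurityPolicy-TLS-1-0-2015-04,
# ELBSecurityPolicy-FS-1-1-2019-08 and ELBSecurityPolicy-TLS13-1-2-2021-06.
_VERSION_MARKER = re.compile(r"-(?:TLS|FS|TLS13)-1-(\d)-")

def min_tls_version(policy):
    """Lowest TLS version a predefined ELB policy accepts, or None if unknown."""
    if policy in LEGACY_TLS10_POLICIES:
        return (1, 0)
    m = _VERSION_MARKER.search(policy)
    if m:
        return (1, int(m.group(1)))
    return None

_SSL_POLICY = re.compile(r'^\s*ssl_policy\s*=\s*"([^"]+)"', re.MULTILINE)

def find_outdated_listeners(hcl):
    """Return (policy, verdict) for every ssl_policy that needs attention."""
    findings = []
    for policy in _SSL_POLICY.findall(hcl):
        version = min_tls_version(policy)
        if version is None:
            findings.append((policy, "unknown policy, review manually"))
        elif version < MIN_ALLOWED:
            findings.append((policy, "allows TLS %d.%d" % version))
    return findings

# Constructed Terraform input: one listener pinned to a TLS 1.0 policy, one hardened.
SAMPLE_TF = '''
resource "aws_lb_listener" "legacy" {
  load_balancer_arn = aws_lb.front.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-0-2015-04"
}
resource "aws_lb_listener" "hardened" {
  load_balancer_arn = aws_lb.front.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
}
'''
```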