Compliance Medium severity

AWS Security Hub · ELB

ELB.8: CLB SSL listeners should use strong policy

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ELB.8 check?

ELB.8 evaluates every Classic Load Balancer that has an HTTPS or SSL listener and fails when that listener's SSL negotiation policy is anything other than the predefined ELBSecurityPolicy-TLS-1-2-2017-01: a custom policy, an older predefined policy such as ELBSecurityPolicy-2016-08, or a different predefined policy altogether. Security Hub treats that single policy as the compliant baseline; it does not inspect the cipher list of a custom policy to decide whether it happens to be strong. Classic Load Balancers with only HTTP or TCP listeners are out of scope.

Why does ELB.8 matter?

A weak CLB security policy can still negotiate TLS 1.0/1.1 and obsolete cipher suites (3DES, for example), leaving clients exposed to protocol downgrade and to known weaknesses in legacy ciphers. ELBSecurityPolicy-TLS-1-2-2017-01 allows TLS 1.2 only, with a modern cipher list, and every current browser, mobile platform and SDK supports it. Clients that cannot speak TLS 1.2 at all (very old browsers, unpatched legacy OS TLS stacks, embedded devices that predate it) will fail the handshake rather than degrade, so confirm from access logs or a test against a staging listener who is actually connecting before you switch.

How do I fix ELB.8?

  1. List CLB HTTPS/SSL listeners with describe-load-balancers, then read the policy attached to each with describe-load-balancer-policies; the Reference-Security-Policy attribute names the predefined policy in use, and a policy without that attribute is a custom one.
  2. Before changing anything, verify that legitimate clients can negotiate TLS 1.2 (access logs, or a test against a staging listener).
  3. Create a policy that references ELBSecurityPolicy-TLS-1-2-2017-01 with create-load-balancer-policy and attach it with set-load-balancer-policies-of-listener. That call replaces the listener's whole policy list, so carry over any stickiness policy on the same listener. The new policy applies to new handshakes; established connections are not dropped.
  4. Default the strong policy in your IaC so new load balancers ship compliant.
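The check and the first three steps, as an added example that is not code from the Emnode page or from AWS: it applies the ELB.8 rule to the JSON that `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies --load-balancer-name NAME` print (the same data the managed check evaluates) and emits the `aws elb` commands that fix each failing listener while keeping its non-TLS listener policies. The sample JSON, the load balancer and policy names, and the name elb8-tls12-2017-01 for the policy it creates are all constructed for this example.

```python
"""Offline ELB.8 evaluator plus remediation-command generator for Classic Load Balancers."""
import json

STRONG_POLICY = "ELBSecurityPolicy-TLS-1-2-2017-01"  # the one policy ELB.8 accepts
NEW_POLICY_NAME = "elb8-tls12-2017-01"                # assumed name for the policy we create
SSL_LISTENER_PROTOCOLS = {"HTTPS", "SSL"}
SSL_POLICY_TYPE = "SSLNegotiationPolicyType"

# Constructed sample of `aws elb describe-load-balancers`, trimmed to the fields the check
# needs: one CLB on an old predefined policy (plus a stickiness policy), one on a hand-built
# custom policy, one already compliant.
DESCRIBE_LOAD_BALANCERS = json.loads("""
{"LoadBalancerDescriptions": [
 {"LoadBalancerName": "legacy-api", "ListenerDescriptions": [
   {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
    "PolicyNames": ["ELBSecurityPolicy-2016-08", "AWSConsole-LBCookieStickinessPolicy-legacy-api"]},
   {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP", "InstancePort": 80},
    "PolicyNames": []}]},
 {"LoadBalancerName": "payments", "ListenerDescriptions": [
   {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443, "InstanceProtocol": "TCP", "InstancePort": 8443},
    "PolicyNames": ["payments-custom-tls"]}]},
 {"LoadBalancerName": "www", "ListenerDescriptions": [
   {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP", "InstancePort": 80},
    "PolicyNames": ["www-tls12"]}]}]}""")

# Constructed sample of describe-load-balancer-policies, one result per CLB name.
DESCRIBE_POLICIES = {
 "legacy-api": json.loads("""{"PolicyDescriptions": [
   {"PolicyName": "ELBSecurityPolicy-2016-08", "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
      {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2016-08"},
      {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]},
   {"PolicyName": "AWSConsole-LBCookieStickinessPolicy-legacy-api", "PolicyTypeName": "LBCookieStickinessPolicyType",
    "PolicyAttributeDescriptions": [{"AttributeName": "CookieExpirationPeriod", "AttributeValue": "0"}]}]}"""),
 "payments": json.loads("""{"PolicyDescriptions": [
   {"PolicyName": "payments-custom-tls", "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
      {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
      {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "true"}]}]}"""),
 "www": json.loads("""{"PolicyDescriptions": [
   {"PolicyName": "www-tls12", "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
      {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"}]}]}"""),
}


def policy_index(describe_policies_output):
    """Map policy name -> (policy type, referenced predefined policy or None for a custom one)."""
    index = {}
    for p in describe_policies_output["PolicyDescriptions"]:
        ref = None
        for attr in p.get("PolicyAttributeDescriptions", []):
            if attr["AttributeName"] == "Reference-Security-Policy":
                ref = attr["AttributeValue"]
        index[p["PolicyName"]] = (p["PolicyTypeName"], ref)
    return index


def evaluate(describe_lbs_output, policies_by_lb):
    """Apply the ELB.8 rule to every HTTPS/SSL listener; HTTP/TCP listeners are skipped.

    A listener passes only when its SSL negotiation policy references STRONG_POLICY.
    A custom policy (no Reference-Security-Policy attribute) fails even if it only
    allows TLS 1.2, and a listener with no SSL policy at all is treated as failing.
    """
    findings = []
    for lb in describe_lbs_output["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        index = policy_index(policies_by_lb.get(name, {"PolicyDescriptions": []}))
        for ld in lb["ListenerDescriptions"]:
            listener = ld["Listener"]
            if listener["Protocol"] not in SSL_LISTENER_PROTOCOLS:
                continue
            ssl_policies = [n for n in ld["PolicyNames"] if index.get(n, ("", None))[0] == SSL_POLICY_TYPE]
            reference = index[ssl_policies[0]][1] if ssl_policies else None
            findings.append({
                "load_balancer": name,
                "port": listener["LoadBalancerPort"],
                "ssl_policy": ssl_policies[0] if ssl_policies else None,
                "reference": reference,
                # stickiness and other non-TLS listener policies that must survive remediation
                "other_policies": [n for n in ld["PolicyNames"] if n not in ssl_policies],
                "status": "PASSED" if reference == STRONG_POLICY else "FAILED",
            })
    return findings


def remediation_commands(finding):
    """`aws elb` commands that move one failing listener to STRONG_POLICY.

    set-load-balancer-policies-of-listener replaces the listener's whole policy list,
    so the listener's other policies are re-listed or they would be silently dropped.
    create-load-balancer-policy is per CLB: run it once if a CLB has several failing listeners.
    """
    if finding["status"] == "PASSED":
        return []
    lb = finding["load_balancer"]
    names = " ".join([NEW_POLICY_NAME] + finding["other_policies"])
    return [
        f"aws elb create-load-balancer-policy --load-balancer-name {lb} "
        f"--policy-name {NEW_POLICY_NAME} --policy-type-name {SSL_POLICY_TYPE} "
        f"--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue={STRONG_POLICY}",
        f"aws elb set-load-balancer-policies-of-listener --load-balancer-name {lb} "
        f"--load-balancer-port {finding['port']} --policy-names {names}",
    ]


if __name__ == "__main__":
    for f in evaluate(DESCRIBE_LOAD_BALANCERS, DESCRIBE_POLICIES):
        print(f"{f['status']} {f['load_balancer']}:{f['port']} policy={f['ssl_policy']} ref={f['reference']}")
        for cmd in remediation_commands(f):
            print("  " + cmd)
```

On real data, feed the output of the two describe calls into evaluate and review the printed commands before running them; the legacy-api case shows why the stickiness policy has to be re-listed on the set call.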

Remediation script · bash (Application Load Balancer variant: on an ALB the TLS policy is a property of the elbv2 listener itself. ELB.8 only scopes Classic Load Balancers, where the aws elb commands in the steps above apply.)

# 1. Create the HTTPS listener with the issued ACM cert and a strong TLS policy (ALB only; Classic Load Balancers have no TLS 1.3 policies).
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/marketing-www/abc123 \
  --protocol HTTPS --port 443 \
  --certificates CertificateArn=arn:aws:acm:eu-west-1:123456789012:certificate/d4f8c1a2 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/marketing-www/tg789

# 2. Convert the existing HTTP listener into a 301 redirect to HTTPS, preserving host, path and query (this is the ELB.1 fix rather than the ELB.8 policy change, but it is normally deployed together with it).
aws elbv2 modify-listener \
  --listener-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/marketing-www/abc123/def456 \
  --default-actions 'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,Host="#{host}",Path="/#{path}",Query="#{query}",StatusCode=HTTP_301}'

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on load balancer listeners.

Part of the learning path Encrypt everything
  • ELB.1 ALB serves HTTP without redirecting to HTTPS
  • ELB.2 CLB SSL/HTTPS listeners should use ACM certs
  • ELB.3 CLB listeners should use HTTPS/TLS termination
  • ELB.4 ALB accepts malformed HTTP headers
  • ELB.5 Load balancers are not writing access logs
  • ELB.6 Load balancers can be deleted by accident
  • ELB.7 CLBs should have connection draining
  • ELB.9 CLBs should have cross-zone balancing
  • ELB.10 CLBs should span multiple AZs
  • ELB.12 ALB desync mitigation mode
  • ELB.13 A single-AZ load balancer is a data-plane single point of failure
  • ELB.14 CLB desync mitigation mode