AWS Application Load Balancer (ALB) listeners configured with SSL policies that allow weak TLS versions (1.0 and 1.1) or outdated cipher suites, exposing client connections to downgrade attacks, man-in-the-middle attacks, and eavesdropping. Weak TLS protocols have known cryptographic vulnerabilities that can be exploited to intercept or decrypt data in transit.
# VULNERABLE: ALB listeners with weak SSL policies
resource "aws_lb" "application_load_balancer" {
name = "production-alb"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.alb_sg.id]
subnets = aws_subnet.public[*].id
}
# VULNERABLE: HTTPS listener with legacy SSL policy
resource "aws_lb_listener" "https_listener" {
load_balancer_arn = aws_lb.application_load_balancer.arn
port = "443"
protocol = "HTTPS"
certificate_arn = aws_acm_certificate.ssl_cert.arn
# VULNERABLE: Allows TLS 1.0/1.1
ssl_policy = "ELBSecurityPolicy-2016-08"
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.app_targets.arn
}
}
# VULNERABLE: No SSL policy specified (uses default)
resource "aws_lb_listener" "default_https" {
load_balancer_arn = aws_lb.application_load_balancer.arn
port = "8443"
protocol = "HTTPS"
certificate_arn = aws_acm_certificate.api_cert.arn
# VULNERABLE: No ssl_policy - uses AWS default
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.api_targets.arn
}
}# SECURE: ALB listeners with modern TLS policies
resource "aws_lb" "application_load_balancer" {
name = "production-alb"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.alb_sg.id]
subnets = aws_subnet.public[*].id
drop_invalid_header_fields = true
}
# SECURE: HTTPS listener with modern SSL policy
resource "aws_lb_listener" "https_listener_secure" {
load_balancer_arn = aws_lb.application_load_balancer.arn
port = "443"
protocol = "HTTPS"
certificate_arn = aws_acm_certificate.ssl_cert.arn
# SECURE: Enforces TLS 1.2+ with modern ciphers
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.app_targets.arn
}
}
# SECURE: Alternative secure policy
resource "aws_lb_listener" "api_https_secure" {
load_balancer_arn = aws_lb.application_load_balancer.arn
port = "8443"
protocol = "HTTPS"
certificate_arn = aws_acm_certificate.api_cert.arn
ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.api_targets.arn
}
}
# SECURE: HTTP to HTTPS redirect
resource "aws_lb_listener" "http_redirect" {
load_balancer_arn = aws_lb.application_load_balancer.arn
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}The vulnerable configuration uses legacy SSL policies (ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-0-2015-04) that allow weak TLS versions 1.0 and 1.1, or omits the ssl_policy entirely. The secure version uses modern policies like ELBSecurityPolicy-TLS13-1-2-2021-06 that enforce TLS 1.2+ with strong cipher suites and Forward Secrecy, and includes HTTP to HTTPS redirect.
Application Load Balancer HTTPS listeners using AWS default SSL policies or legacy policies that haven't been updated. Default policies may support outdated TLS versions for backwards compatibility, exposing connections to protocol downgrade attacks.
Sourcery automatically identifies weak tls versions in alb listener and many other security issues in your codebase.