AWS Official Blog

Elastic Load Balancing – Perfect Forward Secrecy and Other Security Enhancements

by Jeff Barr | in Amazon EC2, Amazon Elastic Load Balancer

My colleague Lesley Mbogo has some good news for users of the AWS Elastic Load Balancing service.

— Jeff;

We have made several enhancements to Elastic Load Balancing (ELB) to further improve the security of your application traffic, making it easier for you to better protect the confidential data and privacy of your users.

Today, website operators are expanding encryption across their applications and are often using HTTPS by default to secure all web traffic. As this trend continues, many AWS customers will rely on ELB to terminate HTTPS/SSL traffic at the load balancer in order to avoid running the CPU-intensive decryption process on their EC2 instances.

Last year, we added support for the TLS 1.1 and 1.2 protocols, the latest industry standards for encrypted communication. We are now adding three new features to help you manage secure communications for your applications:

  • Support for Perfect Forward Secrecy
  • Server Order Preference
  • A new predefined security policy

Support for Perfect Forward Secrecy
Since privacy protection is becoming increasingly important, we have added support for Perfect Forward Secrecy. With forward secrecy, each session is protected by a key derived from an ephemeral key exchange rather than from the server's long-term private key. Traffic that an eavesdropper captures today therefore cannot be decrypted later, even if the server's long-term key is compromised.

To begin using Perfect Forward Secrecy, configure your load balancer with the newly added Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) cipher suites. Most major browsers now support these newer and more secure cipher suites. Our next feature enables your load balancer to prefer these stronger cipher suites even when a client also offers weaker ones.

Server Order Preference
When establishing a secure connection, the server and client must agree on a common cipher suite from the prioritized lists of cipher suites that each of them supports. Because some clients have unsafe or outdated preferences, the load balancer can be configured to have the final say in the selected cipher suite.

With Server Order Preference enabled, the load balancer selects the cipher suite according to the server's prioritization rather than the client's: it walks its own ordered list and takes the first suite that the client also offered. This gives you more control over the level of security that clients use to connect to your load balancer.
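The following simulation, added here as an illustration and not ELB's own implementation, shows what the two sections above describe: the same client negotiating against the same server list, once with client ordering honoured and once with server order preference, and whether the chosen suite is an ECDHE (forward-secret) suite. The cipher-suite lists are constructed for the example and are not the contents of any ELB policy; the suite names are standard OpenSSL names.

```python
"""Simulate TLS cipher-suite selection with and without Server Order Preference.

Added illustration, not ELB's implementation. The suite lists below are
constructed for the example and are not the contents of any ELB policy.
"""

# Hypothetical server-side list, strongest first: ECDHE (forward secrecy)
# suites ahead of static-RSA suites, with legacy suites kept only as a fallback.
SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
]

# A constructed client that supports ECDHE but lists it last, behind RC4.
LEGACY_CLIENT = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-SHA"]


def provides_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DH key exchange is what gives a suite forward secrecy."""
    return suite.startswith(("ECDHE-", "DHE-"))


def negotiate(server_ciphers, client_ciphers, server_order_preference):
    """Return the suite the server picks, or None for a handshake failure.

    Without server order preference the server honours the client's ordering
    (first client suite the server also supports); with it, the server walks
    its own list and takes the first suite the client offered.
    """
    if server_order_preference:
        preferred, offered = server_ciphers, client_ciphers
    else:
        preferred, offered = client_ciphers, server_ciphers
    offered_set = set(offered)
    for suite in preferred:
        if suite in offered_set:
            return suite
    return None  # no common suite: the connection is rejected


def compare(server_ciphers, client_ciphers):
    """Both outcomes for one client, each paired with its forward-secrecy status."""
    return {
        pref: (suite, suite is not None and provides_forward_secrecy(suite))
        for pref, suite in (
            ("client_order", negotiate(server_ciphers, client_ciphers, False)),
            ("server_order", negotiate(server_ciphers, client_ciphers, True)),
        )
    }


if __name__ == "__main__":
    for label, client in [("legacy client", LEGACY_CLIENT),
                          ("3DES-only client", ["DES-CBC3-SHA"]),
                          ("export-only client", ["EXP-RC4-MD5"])]:
        print(label, compare(SERVER_CIPHERS, client))
```

Run as-is: the legacy client lands on RC4-SHA when its own ordering wins and on ECDHE-RSA-AES128-SHA under server order preference, a client that only speaks DES-CBC3-SHA still connects because the server list keeps it as a fallback, and a client offering nothing in common is rejected.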

New Predefined Security Policy
We know that configuring SSL parameters for secure connections can be a complicated process, involving the selection of protocols, cipher suites, and other options. Choosing the right set of parameters requires you to strike a reasonable balance between security and compatibility: you want to achieve high security using newer protocols, but avoid ungracefully rejecting clients that support only older and less secure ciphers, as many clients still do today.

We have made it simpler for you to configure your load balancer by combining all the new security features announced today into a predefined security policy that adheres to AWS security best practices. The policy includes the latest security protocols (TLS 1.1 and 1.2), enables server order preference, and offers high-security ciphers while maintaining compatibility with a wide range of clients.

Getting started is easy. Simply use the AWS Management Console to select ELBSecurityPolicy-2014-01.

If you prefer to manually choose ciphers and protocols, you can continue to use a Custom Security Policy.

Lastly, we have also simplified the CLI (and API) so that you can reference any of the predefined security policies, such as ELBSecurityPolicy-2014-01, by name. Previously, you could only emulate a predefined security policy by enumerating each SSL attribute and setting its value.

$ elb-create-lb-policy  myELBName        \
  --policy-type SSLNegotiationPolicyType \
  --policy-name=mySSLPolicyName        \
  --attribute "name=Reference-Security-Policy, value=ELBSecurityPolicy-2014-01"

$ elb-set-lb-policies-of-listener  myELBName \
  --lb-port 443 \
  --policy-names mySSLPolicyName,[PolicyName2,...]
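The same two steps through the API, as an added example that is not AWS's code, with the read-back check a practitioner wants afterwards: confirm that the policy really is of type SSLNegotiationPolicyType, that it references the predefined policy you intended, and that it is attached to the 443 listener (creating the policy alone changes nothing; the listener keeps its previous policy until the second call). The functions take any object with the boto3 Classic Load Balancer (`elb`) client methods; the `FakeELB` class is a constructed in-memory stand-in so the logic runs offline, and the `--live` path assumes credentials and an existing HTTPS listener. `myELBName` and `mySSLPolicyName` are the placeholders from the CLI example above.

```python
"""Apply a predefined ELB security policy by reference, then verify it.

Added example, not AWS's code. The functions accept a boto3 'elb' client
(Classic Load Balancer API); FakeELB is a constructed stand-in so the
example runs offline. Names are placeholders.
"""

REFERENCE_ATTR = "Reference-Security-Policy"


def apply_reference_policy(elb, lb_name, policy_name, reference_policy, port=443):
    """Create an SSL negotiation policy that references a predefined policy
    and make it the policy of the HTTPS listener on `port`."""
    elb.create_load_balancer_policy(
        LoadBalancerName=lb_name,
        PolicyName=policy_name,
        PolicyTypeName="SSLNegotiationPolicyType",
        PolicyAttributes=[{"AttributeName": REFERENCE_ATTR,
                           "AttributeValue": reference_policy}],
    )
    # Creating the policy is not enough: until it is attached, the listener
    # keeps whatever policy it had before.
    elb.set_load_balancer_policies_of_listener(
        LoadBalancerName=lb_name, LoadBalancerPort=port, PolicyNames=[policy_name])


def verify_listener_policy(elb, lb_name, policy_name, reference_policy, port=443):
    """Read the configuration back and report what is actually in effect."""
    desc = elb.describe_load_balancer_policies(
        LoadBalancerName=lb_name, PolicyNames=[policy_name])["PolicyDescriptions"][0]
    attrs = {a["AttributeName"]: a["AttributeValue"]
             for a in desc["PolicyAttributeDescriptions"]}
    lb = elb.describe_load_balancers(
        LoadBalancerNames=[lb_name])["LoadBalancerDescriptions"][0]
    attached = [ld["PolicyNames"] for ld in lb["ListenerDescriptions"]
                if ld["Listener"]["LoadBalancerPort"] == port]
    return {
        "policy_type_ok": desc["PolicyTypeName"] == "SSLNegotiationPolicyType",
        "references_expected": attrs.get(REFERENCE_ATTR) == reference_policy,
        "attached_to_listener": bool(attached) and policy_name in attached[0],
    }


class FakeELB:
    """Constructed stand-in for the boto3 elb client (offline use only)."""

    def __init__(self, lb_name, listener_ports):
        self.lb_name = lb_name
        self.policies = {}
        self.listeners = {p: [] for p in listener_ports}  # port -> policy names

    def create_load_balancer_policy(self, LoadBalancerName, PolicyName,
                                    PolicyTypeName, PolicyAttributes):
        self.policies[PolicyName] = {
            "PolicyName": PolicyName, "PolicyTypeName": PolicyTypeName,
            "PolicyAttributeDescriptions": list(PolicyAttributes)}

    def set_load_balancer_policies_of_listener(self, LoadBalancerName,
                                               LoadBalancerPort, PolicyNames):
        self.listeners[LoadBalancerPort] = list(PolicyNames)

    def describe_load_balancer_policies(self, LoadBalancerName, PolicyNames):
        return {"PolicyDescriptions": [self.policies[n] for n in PolicyNames]}

    def describe_load_balancers(self, LoadBalancerNames):
        return {"LoadBalancerDescriptions": [{
            "LoadBalancerName": self.lb_name,
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": p},
                 "PolicyNames": names}
                for p, names in self.listeners.items()]}]}


def run_offline():
    """Apply and verify against the in-memory stand-in."""
    elb = FakeELB("myELBName", listener_ports=[443])
    apply_reference_policy(elb, "myELBName", "mySSLPolicyName", "ELBSecurityPolicy-2014-01")
    return verify_listener_policy(elb, "myELBName", "mySSLPolicyName", "ELBSecurityPolicy-2014-01")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2 and sys.argv[1] == "--live":
        import boto3  # real account: needs credentials and an existing HTTPS listener
        client = boto3.client("elb")
        apply_reference_policy(client, "myELBName", "mySSLPolicyName", "ELBSecurityPolicy-2014-01")
        print(verify_listener_policy(client, "myELBName", "mySSLPolicyName", "ELBSecurityPolicy-2014-01"))
    else:
        print(run_offline())
```

All three fields should come back True; an `attached_to_listener` of False after a live run means the policy exists but the listener is still serving with its old negotiation settings.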

To learn more about the new SSL enhancements, visit the Elastic Load Balancing Developer Guide.

— Lesley Mbogo, Senior Product Manager