2016/03/01 - 10:30 AM PDT

 

We have reviewed the issues described in CVE-2016-0800, known as “DROWN,” and have determined that AWS Services are not affected. Amazon Elastic Load Balancer customers who have modified their default ELB configurations to explicitly accept SSLv2 should immediately follow the steps below to disable SSLv2 in their environment.

 

The following steps can be used to enable the AWS-recommended Predefined Security Policy via the AWS Console:

    1. Select your load balancer (EC2 > Load Balancers).

    2. In the Listeners tab, click "Change" in the Cipher column.

    3. Ensure that the radio button for "Predefined Security Policy" is selected.

    4. In the dropdown, select the "ELBSecurityPolicy-2015-05" policy.

    5. Click "Save" to apply the settings to the listener.

    6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.
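To find the listeners that steps 1 to 6 apply to across many load balancers, the following Python audit (an added example, not part of the AWS bulletin) scans JSON shaped like the output of `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies`. The load balancer and policy names are constructed sample data, and the `Protocol-SSLv2` attribute name is an assumption to confirm against the documentation linked below.

```python
SECURE_PROTOCOLS = {"HTTPS", "SSL"}  # listener types named in step 6
SSLV2_ATTRIBUTE = "Protocol-SSLv2"   # assumed attribute name; confirm in the linked docs


def sslv2_listeners(lb_descriptions, policies_by_lb):
    """List (load balancer, port, policy) for HTTPS/SSL listeners accepting SSLv2."""
    findings = []
    for lb in lb_descriptions["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        # Index this load balancer's policies: policy name -> {attribute: value}.
        attrs = {p["PolicyName"]: {a["AttributeName"]: a["AttributeValue"]
                                   for a in p.get("PolicyAttributeDescriptions", [])}
                 for p in policies_by_lb.get(name, {}).get("PolicyDescriptions", [])}
        for ld in lb["ListenerDescriptions"]:
            listener = ld["Listener"]
            if listener["Protocol"].upper() not in SECURE_PROTOCOLS:
                continue  # HTTP/TCP listeners do no SSL/TLS negotiation
            for policy in ld.get("PolicyNames", []):
                if attrs.get(policy, {}).get(SSLV2_ATTRIBUTE, "false").lower() == "true":
                    findings.append((name, listener["LoadBalancerPort"], policy))
    return findings


def sample_policy(name, sslv2):  # builds one constructed policy description
    return {"PolicyName": name, "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": [
                {"AttributeName": SSLV2_ATTRIBUTE, "AttributeValue": sslv2},
                {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"}]}


def sample_lb(name, *listeners):  # builds one constructed load balancer description
    return {"LoadBalancerName": name, "ListenerDescriptions": [
        {"Listener": {"Protocol": proto, "LoadBalancerPort": port}, "PolicyNames": names}
        for proto, port, names in listeners]}


# Constructed sample data with hypothetical names, shaped like the JSON from
# `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies`.
SAMPLE_LBS = {"LoadBalancerDescriptions": [
    sample_lb("web-legacy", ("HTTPS", 443, ["custom-ssl"]), ("HTTP", 80, [])),
    sample_lb("api", ("SSL", 8443, ["api-ssl"]))]}
SAMPLE_POLICIES = {
    "web-legacy": {"PolicyDescriptions": [sample_policy("custom-ssl", "true")]},
    "api": {"PolicyDescriptions": [sample_policy("api-ssl", "false")]}}

if __name__ == "__main__":
    for lb, port, policy in sslv2_listeners(SAMPLE_LBS, SAMPLE_POLICIES):
        print(f"{lb}:{port} policy {policy!r} accepts SSLv2")
```

Each listener it reports is one to move to the "ELBSecurityPolicy-2015-05" predefined policy using the steps above.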

For more information, please see:

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html