Updates SSL Policies for ELB & ALB

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer.

Moving to ELBSecurityPolicy-FS-1-2-Res-2020-10 will only allow:
TLS Protocols - Protocol-TLSv1.2 only

TLS Ciphers - ECDHE-ECDSA-AES128-GCM-SHA256 / ECDHE-RSA-AES128-GCM-SHA256 / ECDHE-ECDSA-AES256-GCM-SHA384 / ECDHE-RSA-AES256-GCM-SHA384

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

base/customer_portal/elb.tf

@@ -47,7 +47,7 @@ resource "aws_alb_listener" "portal_https" {
   load_balancer_arn = aws_alb.portal.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {

base/nessus/instance_security_center/elb.tf

@@ -55,7 +55,7 @@ resource "aws_alb_listener" "security_center_https_internal" {
   load_balancer_arn = aws_alb.security_center_internal.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_private.arn
 
   default_action {

base/openvpn/elb.tf

@@ -22,7 +22,7 @@ resource "aws_lb_listener" "openvpn-nlb-listener-https" {
   load_balancer_arn = aws_lb.openvpn-nlb.arn
   port              = "443"
   protocol          = "TLS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {

base/phantom/alb.tf

@@ -56,7 +56,7 @@ resource "aws_alb_listener" "phantom_https_internal" {
   load_balancer_arn = aws_alb.phantom_internal.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_private.arn
 
   default_action {

base/sensu/private_elb.tf

@@ -65,7 +65,7 @@ resource "aws_alb_listener" "sensu_internal" {
   load_balancer_arn = aws_alb.sensu_internal.arn
   port              = each.value
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {

base/splunk_servers/alsi/elb-elastic.tf

@@ -24,7 +24,7 @@ resource "aws_lb_listener" "alsi-alb-elastic-listener-https" {
   load_balancer_arn = aws_lb.alsi-alb-elastic[count.index].arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_elastic[count.index].arn
 
   default_action {

base/splunk_servers/alsi/elb-hec.tf

@@ -24,7 +24,7 @@ resource "aws_lb_listener" "alsi-alb-hec-listener-https" {
   load_balancer_arn = aws_lb.alsi-alb-hec[count.index].arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_hec[count.index].arn
 
   default_action {

base/splunk_servers/alsi/elb-master.tf

@@ -21,7 +21,7 @@ resource "aws_lb_listener" "alsi-master-alb-listener-https" {
   load_balancer_arn = aws_lb.alsi-master-alb.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_master.arn
 
   default_action {

base/splunk_servers/customer_searchhead/elb.tf

@@ -35,7 +35,7 @@ resource "aws_lb_listener" "searchhead-alb-listener-https" {
   load_balancer_arn = aws_lb.searchhead-alb.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {

base/splunk_servers/indexer_cluster/elb-private.tf

@@ -77,7 +77,7 @@ resource "aws_lb_listener" "hec_pvt_443" {
   load_balancer_arn = aws_lb.hec_pvt[0].arn
   port              = 443
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.hec_pvt_cert[0].arn
   default_action {
     type             = "forward"
@@ -91,7 +91,7 @@ resource "aws_lb_listener" "hec_pvt_8088" {
   load_balancer_arn = aws_lb.hec_pvt[0].arn
   port              = 8088
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.hec_pvt_cert[0].arn
   default_action {
     type             = "forward"

base/splunk_servers/indexer_cluster/elb-with-acks.tf

@@ -139,7 +139,7 @@ resource "aws_load_balancer_policy" "listener_policy-tls-1-2" {
 
   policy_attribute {
     name  = "Reference-Security-Policy"
-    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
+    value = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   }
 
   # Workaround for bug above.  If changing TLS policy then be

base/splunk_servers/indexer_cluster/elb-without-ack.tf

@@ -62,7 +62,7 @@ resource "aws_lb_listener" "hec_443" {
   load_balancer_arn = aws_lb.hec.arn
   port              = 443
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.hec_cert.arn
   default_action {
     type             = "forward"
@@ -74,7 +74,7 @@ resource "aws_lb_listener" "hec_8088" {
   load_balancer_arn = aws_lb.hec.arn
   port              = 8088
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.hec_cert.arn
   default_action {
     type             = "forward"

base/splunk_servers/legacy_hec/elb-with-acks.tf

@@ -145,7 +145,7 @@ resource "aws_load_balancer_policy" "listener_policy-tls-1-2" {
 
   policy_attribute {
     name  = "Reference-Security-Policy"
-    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
+    value = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   }
 
   # Workaround for bug above.  If changing TLS policy then be

base/splunk_servers/legacy_hec/elb-without-ack-internal.tf

@@ -56,7 +56,7 @@ resource "aws_lb_listener" "hec_internal_443" {
   load_balancer_arn = aws_lb.hec_internal[count.index].arn
   port              = 443
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.hec_cert.arn # Intentionally using the external cert
   default_action {
     type             = "forward"
@@ -69,7 +69,7 @@ resource "aws_lb_listener" "hec_internal_8088" {
   load_balancer_arn = aws_lb.hec_internal[count.index].arn
   port              = 8088
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.hec_cert.arn # Intentionally using the external cert
   default_action {
     type             = "forward"

base/splunk_servers/legacy_hec/elb-without-ack.tf

@@ -124,7 +124,7 @@ resource "aws_lb_listener" "hec_443" {
   load_balancer_arn = aws_lb.hec.arn
   port              = 443
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.hec_cert.arn
   default_action {
     type             = "forward"
@@ -136,7 +136,7 @@ resource "aws_lb_listener" "hec_8088" {
   load_balancer_arn = aws_lb.hec.arn
   port              = 8088
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.hec_cert.arn
   default_action {
     type             = "forward"

base/splunk_servers/searchhead/elb.tf

@@ -31,7 +31,7 @@ resource "aws_lb_listener" "searchhead-alb-listener-https" {
   load_balancer_arn = aws_lb.searchhead-alb.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {
@@ -44,7 +44,7 @@ resource "aws_lb_listener" "searchhead-alb-listener-8000" {
   load_balancer_arn = aws_lb.searchhead-alb.arn
   port              = "8000"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {
@@ -74,7 +74,7 @@ resource "aws_lb_listener" "searchhead-alb-listener-api" {
   load_balancer_arn = aws_lb.searchhead-alb.arn
   port              = "8089"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {

base/teleport-single-instance/alb-internal.tf

@@ -58,7 +58,7 @@ resource "aws_alb_listener" "https_internal" {
   load_balancer_arn = aws_alb.internal.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_internal.arn
 
   default_action {
@@ -71,7 +71,7 @@ resource "aws_alb_listener" "alb_3080_internal" {
   load_balancer_arn = aws_alb.internal.arn
   port              = "3080"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_internal.arn
 
   default_action {

base/teleport-single-instance/alb.tf

@@ -58,7 +58,7 @@ resource "aws_alb_listener" "https_external" {
   load_balancer_arn = aws_alb.external.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {
@@ -71,7 +71,7 @@ resource "aws_alb_listener" "alb_3080_external" {
   load_balancer_arn = aws_alb.external.arn
   port              = "3080"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {

base/threatquotient/alb.tf

@@ -56,7 +56,7 @@ resource "aws_alb_listener" "https_internal" {
   load_balancer_arn = aws_alb.internal.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_private.arn
 
   default_action {

base/vault/elb.tf

@@ -49,7 +49,7 @@ resource "aws_alb_listener" "vault_https" {
   load_balancer_arn = aws_alb.vault.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert.arn
 
   default_action {

base/vmray_instances/alb.tf

@@ -55,7 +55,7 @@ resource "aws_alb_listener" "vmray_https_internal" {
   load_balancer_arn = aws_alb.vmray_internal.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_private.arn
 
   default_action {

submodules/load_balancer/public_alb/elb.tf

@@ -71,7 +71,7 @@ resource "aws_lb_listener" "server_https_external" {
   load_balancer_arn = aws_lb.server_external.arn
   port              = "443"
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_public.arn
 
   default_action {

submodules/load_balancer/static_nlb_to_alb/elb.tf

@@ -54,7 +54,7 @@ resource "aws_lb_listener" "https_external" {
   load_balancer_arn = aws_lb.external.arn
   port              = var.listener_port
   protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08" # PFS, TLS1.2, most "restrictive" policy (took awhile to find that)
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
   certificate_arn   = aws_acm_certificate.cert_public.arn
 
   default_action {