Skip to content

CKV_AWS_103 does not support TLS 1.3 security policies #3570

New issue
New issue
Closed
#3700
Closed
CKV_AWS_103 does not support TLS 1.3 security policies#3570
#3700
Labels
checksCheck additions or changesgood first issueGood for newcomersterraform
@awconstable

Description

@awconstable
awconstable
opened on Sep 27, 2022

Describe the issue
If it is related to an existing check, please note the relevant check ID.
Also, explain the logic for this addition / change.

The AWS default security policy for aws_lb_listener (ELBSecurityPolicy-TLS13-1-2-2021-06) uses TLS 1.3 which the CKV_AWS_103 rule alerts as failed.

The check should ensure 1.2 or above is used.

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#describe-ssl-policies

Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

resource "aws_lb_listener" "listener" {
  load_balancer_arn = aws_lb.network.arn
  port                 = 5671
  protocol          = "TLS"
  certificate_arn   = data.aws_acm_certificate.cert.arn
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target.arn
  }
}

Version (please complete the following information):

  • Checkov Version: 2.1.225

Additional context
Add any other context about the problem here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    checksCheck additions or changesgood first issueGood for newcomersterraform

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions