New Rule for ALB Security Policies

[RoseSecurity]

What

• Would it be valuable to the community if there were rules that validate the ssl_policy attribute on aws_lb_listener resources for Application Load Balancers?

Why

• AWS exposes more than 20 predefined TLS security policies for ALBs. Older policies still permit TLS 1.0/1.1 and weak ciphers, which many companies need to disable for PCI‑DSS 4.0, FedRAMP, and NIST 800‑52 rev2
• What if we implemented a aws_alb_ssl_policy_not_deprecated with a warning severity when the chosen policy allows TLS 1.0/1.1 or weak ciphers?

References

• Security policies for your Application Load Balancer