New AWS PQ TLS policies for ELB are rejected

[MarcelHB]

Issue search

• I have searched the existing issues and this bug has not been reported yet

Which component is affected?

Prowler CLI/SDK

Cloud Provider (if applicable)

AWS

Steps to Reproduce

Assigning, e. g. ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 to an AWS ELB resource as a TLS security policy – which is considered a default setting by AWS by now and which, to my knowledge, should not be considered inferior to ELBSecurityPolicy-TLS13-1-2-2021-06 – the AWS check elbv2_insecure_ssl_ciphers reports a failure.

Expected behavior

elbv2_insecure_ssl_ciphers should accept new *-PQ-* policies, not fail on them.

I'd like to ask for a qualified update to this list accordingly:

prowler/prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.py

Lines 8 to 19 in 0449c4d

	secure_ssl_policies = [
	"ELBSecurityPolicy-TLS-1-2-2017-01",
	"ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
	"ELBSecurityPolicy-FS-1-2-2019-08",
	"ELBSecurityPolicy-FS-1-2-Res-2019-08",
	"ELBSecurityPolicy-FS-1-2-Res-2020-10",
	"ELBSecurityPolicy-TLS13-1-2-2021-06",
	"ELBSecurityPolicy-TLS13-1-3-2021-06",
	"ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
	"ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
	"ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
	]

Actual Result with Screenshots or Logs

Check ID: elbv2_insecure_ssl_ciphers - elbv2 [medium]
  ...
  FAIL eu-central-1: ELBv2 ... has listeners with insecure SSL protocols or chiphers (ELBSecurityPolicy-TLS13-1-2-PQ-2025-09).
  ...

How did you install Prowler?

Docker (docker pull toniblyx/prowler)

Environment Resource

Docker image: public.ecr.aws/prowler-cloud/prowler:5.18.3

OS used

Docker image: public.ecr.aws/prowler-cloud/prowler:5.18.3

Prowler version

5.18.3

Python version

cf public.ecr.aws/prowler-cloud/prowler:5.18.3

Pip version

cf public.ecr.aws/prowler-cloud/prowler:5.18.3

Context

AWS recently introduced some new TLS policies for ELB, pre-addressing post-quantum (PQ) concerns. You may find the documentation here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html

[github-actions]

✅ Issue Triage completed successfully!

[github-actions]

AI Assessment [Experimental]: Check Logic Bug

Component: Prowler CLI/SDK
Provider: AWS
Check ID: elbv2_insecure_ssl_ciphers
Check Severity: medium (from check metadata — this is the check's rating, NOT the issue severity)
Issue Severity: high
Impact: Under-reporting (false negative)
Complexity: low
Agent Ready: Ready

Summary

The check elbv2_insecure_ssl_ciphers validates ELBv2 HTTPS listeners against a hardcoded list of secure SSL policies. AWS recently introduced new post-quantum (PQ) TLS policies (e.g., ELBSecurityPolicy-TLS13-1-2-PQ-2025-09) which are AWS-recommended default policies but are not in the allowed list. This causes false positives — secure configurations are incorrectly flagged as insecure, creating alert fatigue and undermining trust in check results.

Extracted Issue Fields

• Reporter version: 5.18.3
• Install method: Docker (public.ecr.aws/prowler-cloud/prowler:5.18.3)
• Environment: Docker image

Duplicates & Related Issues

None found. This is the first reported issue about PQ TLS policies for ELB.

---

Root Cause Analysis

Symptom

ELBv2 listeners configured with AWS's new post-quantum TLS policies (e.g., ELBSecurityPolicy-TLS13-1-2-PQ-2025-09) are incorrectly flagged as insecure, even though these policies are AWS-recommended and considered secure.

Check Details

• Check: elbv2_insecure_ssl_ciphers
• Service: elbv2
• Severity: medium
• Description: ELBv2 HTTPS listeners are assessed for use of strong TLS policies

Location

• Check file: prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.py
• Function: execute()
• Failing condition: Lines 8-19 — hardcoded list secure_ssl_policies does not include AWS's new PQ TLS policies

Cause

The check maintains a hardcoded allowlist of secure SSL policies (lines 8-19 in elbv2_insecure_ssl_ciphers.py):

secure_ssl_policies = [
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
]

When a listener's ssl_policy (line 29) is checked against this list, any policy not in the list — including AWS's new PQ policies — triggers a FAIL status (lines 27-32).

AWS introduced new post-quantum TLS security policies in 2025 to address future quantum computing threats. These policies follow the naming pattern ELBSecurityPolicy-*-PQ-* and are recommended by AWS. The check's allowlist was last updated in 2021 and does not include these new policies.

Evidence from AWS: The reporter references AWS documentation at docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html which documents these new policies.

Service Client Gap

None — the service client already fetches the ssl_policy field from ELBv2 listeners. The issue is purely in the check logic's allowlist.

Coding Agent Plan

Required Skills

Load these skills from AGENTS.md before starting:

• prowler-sdk-check — For check modification patterns and metadata conventions
• prowler-test-sdk — For pytest patterns with moto and ELBv2 testing
• pytest — For generic pytest fixtures and test structure
• tdd — For test-driven development workflow (write failing test first, then fix)

Test Specification

Write tests FIRST (TDD). The skills contain all testing conventions and patterns.

Test Scenario	Expected Result	Must FAIL today?
ELBv2 HTTPS listener with ELBSecurityPolicy-TLS13-1-2-PQ-2025-09	PASS — policy is secure	Yes — currently fails
ELBv2 HTTPS listener with ELBSecurityPolicy-TLS13-1-3-PQ-2025-09	PASS — policy is secure	Yes — currently fails
ELBv2 HTTPS listener with ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09	PASS — policy is secure	Yes — currently fails
ELBv2 HTTPS listener with existing secure policy ELBSecurityPolicy-TLS13-1-2-2021-06	PASS — regression test	No — already passes
ELBv2 HTTPS listener with insecure policy ELBSecurityPolicy-TLS-1-1-2017-01	FAIL — policy is insecure	No — already fails

Test location: tests/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers_test.py
Mock pattern: @mock_aws with moto ELBv2 mocking (existing pattern in test file)

Fix Specification

1. Update the secure SSL policies list in prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.py, function execute(), lines 8-19:

   • Add the new AWS post-quantum TLS policies to the secure_ssl_policies list
   • Research AWS documentation (docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html) to identify ALL new PQ policy variants
   • Known policies to add (minimum):
     • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09
     • ELBSecurityPolicy-TLS13-1-3-PQ-2025-09
     • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09
   • Add inline comment explaining these are AWS's post-quantum policies
   • Maintain alphabetical or chronological ordering

2. No service client changes required — the ELBv2 service already fetches ssl_policy from listeners

3. No metadata changes required — the check description and remediation guidance remain accurate

Acceptance Criteria

• All new PQ TLS policy variants from AWS documentation are added to the allowlist
• Test with ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 returns PASS status
• Test with ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 returns PASS status
• Test with ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 returns PASS status
• Existing tests for secure policies still pass (regression protection)
• Existing tests for insecure policies still fail (no false negatives introduced)
• All existing tests pass (pytest tests/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/ -v)
• New test(s) pass after the fix

Files to Modify

File	Change Description
prowler/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers.py	Add new PQ TLS policy strings to secure_ssl_policies list (lines 8-19)
tests/providers/aws/services/elbv2/elbv2_insecure_ssl_ciphers/elbv2_insecure_ssl_ciphers_test.py	Add new test methods for PQ policy variants using existing moto pattern

Edge Cases

• Ensure all variants of PQ policies are included (TLS 1.2, TLS 1.3, Res variants)
• Verify the policy naming pattern matches AWS's actual policy names exactly (case-sensitive)
• Consider whether future PQ policy versions (e.g., 2026, 2027) would require another update — document this maintenance need
• Test with listeners that have no SSL policy set (should pass through existing logic)

---

Note: This is a straightforward check logic update requiring only a list modification and corresponding tests. The issue is classified as high severity because it causes over-reporting (false positives), which undermines user trust in Prowler's results and creates alert fatigue. Users may start ignoring check findings if they encounter too many false positives, which could lead them to miss real security issues.

AI generated by Issue Triage