guardian · marsavar · May 10, 2024 · May 9, 2024 · May 10, 2024 · marsavar
diff --git a/.changeset/curvy-balloons-carry.md b/.changeset/curvy-balloons-carry.md
@@ -0,0 +1,5 @@
+---
+"@guardian/cdk": minor
+---
+
+Use the recommended ELB security policy `ELBSecurityPolicy-TLS13-1-2-2021-06` which includes TLS 1.3, and is backwards compatible with TLS 1.2.
diff --git a/src/constructs/loadbalancing/alb/application-listener.ts b/src/constructs/loadbalancing/alb/application-listener.ts
@@ -1,4 +1,9 @@
-import { ApplicationListener, ApplicationProtocol, ListenerAction } from "aws-cdk-lib/aws-elasticloadbalancingv2";
+import {
+  ApplicationListener,
+  ApplicationProtocol,
+  ListenerAction,
+  SslPolicy,
+} from "aws-cdk-lib/aws-elasticloadbalancingv2";
 import type { ApplicationListenerProps } from "aws-cdk-lib/aws-elasticloadbalancingv2";
 import { GuAppAwareConstruct } from "../../../utils/mixin/app-aware-construct";
 import type { GuCertificate } from "../../acm";
@@ -47,6 +52,7 @@ export class GuHttpsApplicationListener extends GuAppAwareConstruct(ApplicationL
     const mergedProps: GuApplicationListenerProps = {
       port: certificate ? 443 : 8080,
       protocol: certificate ? ApplicationProtocol.HTTPS : ApplicationProtocol.HTTP,
+      sslPolicy: SslPolicy.RECOMMENDED_TLS,
       ...props,
       certificates: certificate
         ? [

diff --git a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
@@ -413,6 +413,7 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi
         },
         "Port": 443,
         "Protocol": "HTTPS",
+        "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
       },
       "Type": "AWS::ElasticLoadBalancingV2::Listener",
     },
@@ -1398,6 +1399,7 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a
         },
         "Port": 443,
         "Protocol": "HTTPS",
+        "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
       },
       "Type": "AWS::ElasticLoadBalancingV2::Listener",
     },

diff --git a/src/patterns/ec2-app/base.test.ts b/src/patterns/ec2-app/base.test.ts
@@ -1,7 +1,7 @@
 import { Match, Template } from "aws-cdk-lib/assertions";
 import { BlockDeviceVolume, EbsDeviceVolumeType } from "aws-cdk-lib/aws-autoscaling";
 import { InstanceClass, InstanceSize, InstanceType, Peer, Port, Vpc } from "aws-cdk-lib/aws-ec2";
-import type { CfnLoadBalancer } from "aws-cdk-lib/aws-elasticloadbalancingv2";
+import { type CfnLoadBalancer } from "aws-cdk-lib/aws-elasticloadbalancingv2";
 import { AccessScope, MetadataKeys } from "../../constants";
 import { GuPrivateConfigBucketParameter } from "../../constructs/core";
 import { GuSecurityGroup } from "../../constructs/ec2";
@@ -1072,4 +1072,27 @@ describe("the GuEC2App pattern", function () {
       LoadBalancerAttributes: Match.arrayWith([Match.objectLike({ Key: "access_logs.s3.prefix", Value: "test-2" })]),
     });
   });
+
+  it("uses the latest security policy", function () {
+    const stack = simpleGuStackForTesting();
+    new GuEc2App(stack, {
+      applicationPort: 3000,
+      app: "test-gu-ec2-app",
+      access: { scope: AccessScope.PUBLIC },
+      instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.MEDIUM),
+      monitoringConfiguration: { noMonitoring: true },
+      userData: "#!/bin/dev foobarbaz",
+      certificateProps: {
+        domainName: "domain-name-for-your-application.example",
+      },
+      scaling: {
+        minimumInstances: 1,
+      },
+      instanceMetadataHopLimit: 2,
+    });
+
+    Template.fromStack(stack).hasResourceProperties("AWS::ElasticLoadBalancingV2::Listener", {
+      SslPolicy: "ELBSecurityPolicy-TLS13-1-2-2021-06",
+    });
+  });
 });