Upgrade Load Balancer SSL policy to `ELBSecurityPolicy-FS-1-2-Res-2020-10`

[patheard]

Summary

Currently we're using the ELBSecurityPolicy-FS-1-2-Res-2019-08 SSL policy on our load balancer. We should look at upgrading this to ELBSecurityPolicy-FS-1-2-Res-2020-10, which is already in use by other CDS products.

Impact would be dropping support for the following TLS ciphers:

• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA256
• ECDHE-ECDSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA384

Question: is the cypher used logged anywhere?

Steps

• [ ] check WAF (or other) logs to see if there's any info on cyphersuites used
• [ ] communicate to the users to let them know this is going to happen (ie 1 month, say).
• [ ] perform a scream test - change, wait for customers to complain, then reverted and gave the customers time to upgrade.
  • [ ] possibly keep the old ELB running on a different port (we did this last time)
• [ ] eventually just have new TLS running

Acceptance criteria

• [ ] Validate that there is no impact to dropping support for the 4 listed TLS ciphers.
• [ ] Terraform updated to use ELBSecurityPolicy-FS-1-2-Res-2020-10 SSL policy.

[yaelberger-commits]

Will probably need to update the numbers

[ben851]

We should check to see if there is a newer cipher suite version