Security policies for your Network Load Balancer
When you create a TLS listener, you must select a security policy. A security policy determines which ciphers and protocols are supported during SSL negotiations between your load balancer and clients. You can update the security policy for your load balancer if your requirements change or when we release a new security policy. For more information, see Update the security policy.
Considerations
- The ELBSecurityPolicy-TLS13-1-2-2021-06 policy is the default security policy for TLS listeners created using the Amazon Web Services Management Console.
- We recommend the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy, which includes TLS 1.3 and is backwards compatible with TLS 1.2.
- The ELBSecurityPolicy-2016-08 policy is the default security policy for TLS listeners created using the Amazon CLI.
- You can choose the security policy that is used for front-end connections, but not backend connections.
- For backend connections, if your TLS listener is using a TLS 1.3 security policy, the ELBSecurityPolicy-TLS13-1-0-2021-06 security policy is used. Otherwise, the ELBSecurityPolicy-2016-08 security policy is used for backend connections.
- You can enable access logs for information about the TLS requests sent to your Network Load Balancer, analyze TLS traffic patterns, manage security policy upgrades, and troubleshoot issues. Enable access logging for your load balancer and examine the corresponding access log entries. For more information, see Access logs and Network Load Balancer Example Queries.
- You can restrict which security policies are available to users across your Amazon Web Services accounts and Amazon Organizations by using the Elastic Load Balancing condition keys in your IAM and service control policies (SCPs), respectively. For more information, see Service control policies (SCPs) in the Amazon Organizations User Guide.
You can describe the protocols and ciphers using the describe-ssl-policies Amazon CLI command, or refer to the tables below.
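The Considerations above suggest using access logs to manage a security policy upgrade. The script below is an added example (not code from this page or from Elastic Load Balancing) of that workflow: it parses TLS listener access log entries, tallies the negotiated protocol versions, and lists the clients that would stop connecting if the listener moved to a stricter policy. The log lines are constructed, the ARNs and addresses are placeholders, and the positional field order is an assumption taken from the documented NLB access log format, so check it against the Access logs page before running it over real logs. The policy-to-protocol map is transcribed from the "Protocols by policy" table on this page.

```python
import shlex
from collections import Counter

# Protocol versions each policy accepts, spelled the way the access log's
# tls_protocol_version field spells them. Transcribed from the
# "Protocols by policy" table on this page.
POLICY_PROTOCOLS = {
    "ELBSecurityPolicy-TLS13-1-3-2021-06": {"tlsv13"},
    "ELBSecurityPolicy-TLS13-1-2-2021-06": {"tlsv13", "tlsv12"},
    "ELBSecurityPolicy-TLS13-1-1-2021-06": {"tlsv13", "tlsv12", "tlsv11"},
    "ELBSecurityPolicy-TLS13-1-0-2021-06": {"tlsv13", "tlsv12", "tlsv11", "tlsv1"},
    "ELBSecurityPolicy-2016-08": {"tlsv12", "tlsv11", "tlsv1"},
}
VERSION_RANK = {"tlsv1": 1, "tlsv11": 2, "tlsv12": 3, "tlsv13": 4}

# Positional fields of a TLS listener access log entry. ASSUMPTION: this is
# the field order of the NLB access log format; verify against the docs.
FIELDS = [
    "type", "version", "time", "elb", "listener", "client_port",
    "destination_port", "connection_time", "tls_handshake_time",
    "received_bytes", "sent_bytes", "incoming_tls_alert", "chosen_cert_arn",
    "chosen_cert_serial", "tls_cipher", "tls_protocol_version",
    "tls_named_group", "domain_name", "alpn_fe_protocol", "alpn_be_protocol",
    "alpn_client_preference_list", "tls_connection_creation_time",
]

# Constructed sample entries: placeholder ARNs, RFC 5737 client addresses.
_PREFIX = ("tls 2.0 2024-05-01T10:00:0{n} net/example-nlb/0123456789abcdef "
           "0123456789abcdef 198.51.100.{host}:51341 10.0.0.5:443 5 2 98 246 - "
           "arn:aws-cn:acm:cn-north-1:123456789012:certificate/EXAMPLE - ")
_SUFFIX = " - example.com - - - 2024-05-01T10:00:0{n}"
SAMPLE_LOG_LINES = [
    _PREFIX.format(n=1, host=10) + "ECDHE-RSA-AES128-GCM-SHA256 tlsv12" + _SUFFIX.format(n=1),
    _PREFIX.format(n=2, host=11) + "ECDHE-RSA-AES128-SHA tlsv1" + _SUFFIX.format(n=2),
    _PREFIX.format(n=3, host=12) + "TLS_AES_128_GCM_SHA256 tlsv13" + _SUFFIX.format(n=3),
    _PREFIX.format(n=4, host=13) + "AES128-SHA tlsv11" + _SUFFIX.format(n=4),
]


def parse_entry(line):
    """Split one space-delimited entry into a dict keyed by FIELDS."""
    parts = shlex.split(line)  # keeps a quoted ALPN preference list intact
    parts += ["-"] * (len(FIELDS) - len(parts))  # tolerate short entries
    return dict(zip(FIELDS, parts))


def upgrade_report(lines, candidate_policy):
    """Count negotiated versions and list clients below the candidate's minimum.

    The negotiated version is the best the client and the current policy share,
    so a client negotiating below the candidate's floor would fail the handshake
    once the candidate is applied (assuming the current policy already offers
    every version the candidate does).
    """
    min_rank = min(VERSION_RANK[v] for v in POLICY_PROTOCOLS[candidate_policy])
    by_version = Counter()
    would_fail = []
    for line in lines:
        entry = parse_entry(line)
        version = entry["tls_protocol_version"]
        if entry["type"] != "tls" or version == "-":
            continue  # not a completed TLS handshake
        by_version[version] += 1
        if VERSION_RANK.get(version, 0) < min_rank:
            client_ip = entry["client_port"].rsplit(":", 1)[0]
            would_fail.append((client_ip, version, entry["tls_cipher"]))
    return {"by_version": dict(by_version), "would_fail": would_fail}


if __name__ == "__main__":
    report = upgrade_report(SAMPLE_LOG_LINES, "ELBSecurityPolicy-TLS13-1-2-2021-06")
    print("negotiated versions:", report["by_version"])
    for ip, version, cipher in report["would_fail"]:
        print(f"would fail after upgrade: {ip} ({version}, {cipher})")
```

Run it against the sample and the two clients that negotiated TLS 1.0 and TLS 1.1 are reported as breaking under ELBSecurityPolicy-TLS13-1-2-2021-06, while the same data yields nothing under ELBSecurityPolicy-TLS13-1-0-2021-06. In practice, feed it the decompressed log objects from the access-log bucket and group the failing clients by source before scheduling the change.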
Security policies
TLS security policies
You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.
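To check a fleet of listeners against a "TLS 1.2 or newer" requirement, a practitioner typically joins the output of `aws elbv2 describe-listeners` with that of `aws elbv2 describe-ssl-policies` (the command named above). The following is an added example, not Elastic Load Balancing's code: both JSON documents are constructed samples in the shape those commands return, the protocol lists follow this page's tables, the cipher lists are an illustrative subset only, and the deprecated-protocol threshold is an assumed compliance rule. The backend policy is derived with the rule stated in the Considerations.

```python
import json

# Constructed sample in the shape `aws elbv2 describe-ssl-policies` returns
# (SslPolicies -> Name, SslProtocols, Ciphers[{Name, Priority}]). Protocols
# follow this page's tables; the cipher lists are an illustrative subset.
SAMPLE_SSL_POLICIES = json.dumps({"SslPolicies": [
    {"Name": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "SslProtocols": ["TLSv1.2", "TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                 {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 2}]},
    {"Name": "ELBSecurityPolicy-2016-08",
     "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
     "Ciphers": [{"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 1},
                 {"Name": "AES128-SHA", "Priority": 2}]},
]})

# Constructed sample in the shape `aws elbv2 describe-listeners` returns.
_ARN = "arn:aws-cn:elasticloadbalancing:cn-north-1:123456789012:listener/net/example-nlb/EXAMPLE/"
SAMPLE_LISTENERS = json.dumps({"Listeners": [
    {"ListenerArn": _ARN + "LISTENER1", "Port": 443, "Protocol": "TLS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": _ARN + "LISTENER2", "Port": 8443, "Protocol": "TLS",
     "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": _ARN + "LISTENER3", "Port": 80, "Protocol": "TCP"},
]})

# ASSUMED compliance rule: anything below TLS 1.2 is a finding.
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def load_policies(cli_json):
    """Index describe-ssl-policies output by policy name."""
    return {p["Name"]: p for p in json.loads(cli_json)["SslPolicies"]}


def deprecated_protocols(policy):
    """Deprecated protocol versions the policy still negotiates."""
    return sorted(set(policy["SslProtocols"]) & DEPRECATED_PROTOCOLS)


def backend_policy_for(policy):
    """Rule from the Considerations section: a TLS 1.3 front-end policy gets
    ELBSecurityPolicy-TLS13-1-0-2021-06 on the backend, anything else 2016-08."""
    if "TLSv1.3" in policy["SslProtocols"]:
        return "ELBSecurityPolicy-TLS13-1-0-2021-06"
    return "ELBSecurityPolicy-2016-08"


def audit_listeners(listeners_json, policies):
    """One finding per TLS listener; TCP/UDP listeners carry no policy."""
    findings = []
    for listener in json.loads(listeners_json)["Listeners"]:
        if listener.get("Protocol") != "TLS":
            continue
        name = listener.get("SslPolicy")
        policy = policies.get(name)
        if policy is None:
            findings.append({"listener": listener["ListenerArn"], "policy": name,
                             "error": "policy missing from describe-ssl-policies output"})
            continue
        findings.append({
            "listener": listener["ListenerArn"],
            "policy": name,
            "deprecated_protocols": deprecated_protocols(policy),
            "backend_policy": backend_policy_for(policy),
            # Lowest Priority value is the load balancer's most preferred cipher.
            "top_cipher": min(policy["Ciphers"], key=lambda c: c["Priority"])["Name"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTENERS, load_policies(SAMPLE_SSL_POLICIES)):
        print(json.dumps(finding, indent=2))
```

With real data, pipe the two CLI commands into files and pass their contents in place of the samples; the `error` branch catches listeners whose policy name is not in the describe-ssl-policies output, which usually means the policy was described for a different load balancer type or the output was filtered with `--names`.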
Protocols by policy
The following table describes the protocols that each TLS security policy supports.
Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
---|---|---|---|---|
ELBSecurityPolicy-TLS13-1-3-2021-06 | Yes | No | No | No |
ELBSecurityPolicy-TLS13-1-2-2021-06 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-1-2021-06 | Yes | Yes | Yes | No |
ELBSecurityPolicy-TLS13-1-0-2021-06 | Yes | Yes | Yes | Yes |
ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | No | Yes | No | No |
ELBSecurityPolicy-TLS-1-2-2017-01 | No | Yes | No | No |
ELBSecurityPolicy-TLS-1-1-2017-01 | No | Yes | Yes | No |
ELBSecurityPolicy-2016-08 | No | Yes | Yes | Yes |
ELBSecurityPolicy-2015-05 | No | Yes | Yes | Yes |
Ciphers by policy
The following table describes the ciphers that each TLS security policy supports.
Security policy | Ciphers |
---|---|
ELBSecurityPolicy-TLS13-1-3-2021-06 | |
ELBSecurityPolicy-TLS13-1-2-2021-06 | |
ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | |
ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | |
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | |
ELBSecurityPolicy-TLS13-1-1-2021-06 | |
ELBSecurityPolicy-TLS13-1-0-2021-06 | |
ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | |
ELBSecurityPolicy-TLS-1-2-2017-01 | |
ELBSecurityPolicy-TLS-1-1-2017-01 | |
ELBSecurityPolicy-2016-08 | |
ELBSecurityPolicy-2015-05 | |
Policies by cipher
The following table describes the TLS security policies that support each cipher.
Cipher name | Security policies | Cipher suite |
---|---|---|
OpenSSL – TLS_AES_128_GCM_SHA256 / IANA – TLS_AES_128_GCM_SHA256 | | 1301 |
OpenSSL – TLS_AES_256_GCM_SHA384 / IANA – TLS_AES_256_GCM_SHA384 | | 1302 |
OpenSSL – TLS_CHACHA20_POLY1305_SHA256 / IANA – TLS_CHACHA20_POLY1305_SHA256 | | 1303 |
OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256 / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | | c02b |
OpenSSL – ECDHE-RSA-AES128-GCM-SHA256 / IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | | c02f |
OpenSSL – ECDHE-ECDSA-AES128-SHA256 / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | | c023 |
OpenSSL – ECDHE-RSA-AES128-SHA256 / IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | | c027 |
OpenSSL – ECDHE-ECDSA-AES128-SHA / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | | c009 |
OpenSSL – ECDHE-RSA-AES128-SHA / IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | | c013 |
OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384 / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | | c02c |
OpenSSL – ECDHE-RSA-AES256-GCM-SHA384 / IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | | c030 |
OpenSSL – ECDHE-ECDSA-AES256-SHA384 / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | | c024 |
OpenSSL – ECDHE-RSA-AES256-SHA384 / IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | | c028 |
OpenSSL – ECDHE-ECDSA-AES256-SHA / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | | c00a |
OpenSSL – ECDHE-RSA-AES256-SHA / IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | | c014 |
OpenSSL – AES128-GCM-SHA256 / IANA – TLS_RSA_WITH_AES_128_GCM_SHA256 | | 9c |
OpenSSL – AES128-SHA256 / IANA – TLS_RSA_WITH_AES_128_CBC_SHA256 | | 3c |
OpenSSL – AES128-SHA / IANA – TLS_RSA_WITH_AES_128_CBC_SHA | | 2f |
OpenSSL – AES256-GCM-SHA384 / IANA – TLS_RSA_WITH_AES_256_GCM_SHA384 | | 9d |
OpenSSL – AES256-SHA256 / IANA – TLS_RSA_WITH_AES_256_CBC_SHA256 | | 3d |
OpenSSL – AES256-SHA / IANA – TLS_RSA_WITH_AES_256_CBC_SHA | | 35 |
FIPS security policies
The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see Federal Information Processing Standard (FIPS) 140.
All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To learn more, see the AWS-LC Cryptographic Module.
Important
Policies ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 and ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 are provided for legacy compatibility only. While they utilize FIPS cryptography using the FIPS140 module, they may not conform to the latest NIST guidance for TLS configuration.
Protocols by policy
The following table describes the protocols that each FIPS security policy supports.
Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
---|---|---|---|---|
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | Yes | No | No | No |
ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | Yes | Yes | No | No |
ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | Yes | Yes | Yes | No |
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | Yes | Yes | Yes | Yes |
Ciphers by policy
The following table describes the ciphers that each FIPS security policy supports.
Security policy | Ciphers |
---|---|
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | |
ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | |
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | |
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | |
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | |
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | |
ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | |
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | |
Policies by cipher
The following table describes the FIPS security policies that support each cipher.
Cipher name | Security policies | Cipher suite |
---|---|---|
OpenSSL – TLS_AES_128_GCM_SHA256 / IANA – TLS_AES_128_GCM_SHA256 | | 1301 |
OpenSSL – TLS_AES_256_GCM_SHA384 / IANA – TLS_AES_256_GCM_SHA384 | | 1302 |
OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256 / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | | c02b |
OpenSSL – ECDHE-RSA-AES128-GCM-SHA256 / IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | | c02f |
OpenSSL – ECDHE-ECDSA-AES128-SHA256 / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | | c023 |
OpenSSL – ECDHE-RSA-AES128-SHA256 / IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | | c027 |
OpenSSL – ECDHE-ECDSA-AES128-SHA / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | | c009 |
OpenSSL – ECDHE-RSA-AES128-SHA / IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | | c013 |
OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384 / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | | c02c |
OpenSSL – ECDHE-RSA-AES256-GCM-SHA384 / IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | | c030 |
OpenSSL – ECDHE-ECDSA-AES256-SHA384 / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | | c024 |
OpenSSL – ECDHE-RSA-AES256-SHA384 / IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | | c028 |
OpenSSL – ECDHE-ECDSA-AES256-SHA / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | | c00a |
OpenSSL – ECDHE-RSA-AES256-SHA / IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | | c014 |
OpenSSL – AES128-GCM-SHA256 / IANA – TLS_RSA_WITH_AES_128_GCM_SHA256 | | 9c |
OpenSSL – AES128-SHA256 / IANA – TLS_RSA_WITH_AES_128_CBC_SHA256 | | 3c |
OpenSSL – AES128-SHA / IANA – TLS_RSA_WITH_AES_128_CBC_SHA | | 2f |
OpenSSL – AES256-GCM-SHA384 / IANA – TLS_RSA_WITH_AES_256_GCM_SHA384 | | 9d |
OpenSSL – AES256-SHA256 / IANA – TLS_RSA_WITH_AES_256_CBC_SHA256 | | 3d |
OpenSSL – AES256-SHA / IANA – TLS_RSA_WITH_AES_256_CBC_SHA | | 35 |
FS supported security policies
FS (Forward Secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.
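The property described here is a function of the key exchange, which is readable from the IANA suite name: TLS 1.3 suites (which name only the AEAD, because 1.3 always uses ephemeral key agreement) and `TLS_ECDHE_*` suites derive a fresh per-session secret, while `TLS_RSA_*` suites encrypt the session secret to the server's long-term key, so a later key compromise unwraps recorded sessions. The following added example (not code from this page or from Elastic Load Balancing) transcribes the cipher suite IDs from the "Policies by cipher" tables, classifies each suite by key exchange, and decodes a constructed ClientHello cipher_suites list so that what a client offers can be compared with what an FS policy will accept. The sample byte string and the `1234` suite ID in it are constructed.

```python
# Cipher suite IDs and IANA names transcribed from the "Policies by cipher"
# tables on this page (the tables write 0x009c as "9c").
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed body of a ClientHello cipher_suites vector (length prefix
# removed): three FS suites, two static-RSA suites, one ID not in the table.
SAMPLE_OFFER = bytes.fromhex("1301c02bc02f009c002f1234")


def key_exchange(iana_name):
    """Key-exchange part of an IANA suite name; 'TLS1.3' for 1.3-only suites,
    which name no key exchange because it is always ephemeral (EC)DHE."""
    if "_WITH_" not in iana_name:
        return "TLS1.3"
    return iana_name[len("TLS_"):].split("_WITH_", 1)[0]  # "ECDHE_RSA", "RSA", ...


def is_forward_secret(iana_name):
    """Ephemeral key agreement gives each session its own secret; static RSA
    key transport does not, so a leaked server key decrypts recorded traffic."""
    kx = key_exchange(iana_name)
    return kx == "TLS1.3" or kx.startswith("ECDHE")


def static_key_transport_suites():
    """IDs from the table that an FS policy must leave out, in the table's spelling."""
    return sorted(f"{cid:x}" for cid, name in CIPHER_SUITES.items()
                  if not is_forward_secret(name))


def decode_suites(raw):
    """Decode a sequence of 2-byte big-endian cipher suite IDs."""
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]


def classify_offer(raw):
    """Group the suites a client offers by whether they provide forward secrecy."""
    groups = {"forward_secret": [], "static_rsa": [], "unknown": []}
    for cid in decode_suites(raw):
        name = CIPHER_SUITES.get(cid)
        if name is None:
            groups["unknown"].append(f"{cid:04x}")
        elif is_forward_secret(name):
            groups["forward_secret"].append(name)
        else:
            groups["static_rsa"].append(name)
    return groups


if __name__ == "__main__":
    print("suites an FS policy excludes:", static_key_transport_suites())
    for group, names in classify_offer(SAMPLE_OFFER).items():
        print(f"{group}: {names}")
```

The excluded set the script derives (2f, 35, 3c, 3d, 9c, 9d) is exactly the set of RSA-key-transport suites that the FS "Policies by cipher" table below does not list; a client that offers only those suites cannot complete a handshake against an FS policy, which is the trade-off the section above describes.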
Protocols by policy
The following table describes the protocols that each FS supported security policy supports.
Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
---|---|---|---|---|
ELBSecurityPolicy-FS-1-2-Res-2020-10 | No | Yes | No | No |
ELBSecurityPolicy-FS-1-2-Res-2019-08 | No | Yes | No | No |
ELBSecurityPolicy-FS-1-2-2019-08 | No | Yes | No | No |
ELBSecurityPolicy-FS-1-1-2019-08 | No | Yes | Yes | No |
ELBSecurityPolicy-FS-2018-06 | No | Yes | Yes | Yes |
Ciphers by policy
The following table describes the ciphers that each FS supported security policy supports.
Security policy | Ciphers |
---|---|
ELBSecurityPolicy-FS-1-2-Res-2020-10 | |
ELBSecurityPolicy-FS-1-2-Res-2019-08 | |
ELBSecurityPolicy-FS-1-2-2019-08 | |
ELBSecurityPolicy-FS-1-1-2019-08 | |
ELBSecurityPolicy-FS-2018-06 | |
Policies by cipher
The following table describes the FS supported security policies that support each cipher.
Cipher name | Security policies | Cipher suite |
---|---|---|
OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256 / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | | c02b |
OpenSSL – ECDHE-RSA-AES128-GCM-SHA256 / IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | | c02f |
OpenSSL – ECDHE-ECDSA-AES128-SHA256 / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | | c023 |
OpenSSL – ECDHE-RSA-AES128-SHA256 / IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | | c027 |
OpenSSL – ECDHE-ECDSA-AES128-SHA / IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | | c009 |
OpenSSL – ECDHE-RSA-AES128-SHA / IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | | c013 |
OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384 / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | | c02c |
OpenSSL – ECDHE-RSA-AES256-GCM-SHA384 / IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | | c030 |
OpenSSL – ECDHE-ECDSA-AES256-SHA384 / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | | c024 |
OpenSSL – ECDHE-RSA-AES256-SHA384 / IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | | c028 |
OpenSSL – ECDHE-ECDSA-AES256-SHA / IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | | c00a |
OpenSSL – ECDHE-RSA-AES256-SHA / IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | | c014 |