Security policies for your Network Load Balancer - Elastic Load Balancing
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security policies for your Network Load Balancer

When you create a TLS listener, you must select a security policy. A security policy determines which ciphers and protocols are supported during SSL negotiations between your load balancer and clients. You can update the security policy for your load balancer if your requirements change or when we release a new security policy. For more information, see Update the security policy.

Considerations
  • The ELBSecurityPolicy-TLS13-1-2-2021-06 policy is the default security policy for TLS listeners created using the Amazon Web Services Management Console.

    • We recommend the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy, which includes TLS 1.3, and is backwards compatible with TLS 1.2.

  • The ELBSecurityPolicy-2016-08 policy is the default security policy for TLS listeners created using the Amazon CLI.

  • You can choose the security policy that is used for front-end connections, but not backend connections.

    • For backend connections, if your TLS listener is using a TLS 1.3 security policy, the ELBSecurityPolicy-TLS13-1-0-2021-06 security policy is used. Otherwise, the ELBSecurityPolicy-2016-08 security policy is used for backend connections.

  • You can enable access logs for information about the TLS requests sent to your Network Load Balancer, analyze TLS traffic patterns, manage security policy upgrades, and troubleshoot issues. Enable access logging for your load balancer and examine the corresponding access log entries. For more information, see Access logs and Network Load Balancer Example Queries.

  • You can restrict which security policies are available to users across your Amazon Web Services accounts and Amazon Organizations by using the Elastic Load Balancing condition keys in your IAM and service control policies (SCPs), respectively. For more information, see Service control policies (SCPs) in the Amazon Organizations User Guide.

You can describe the protocols and ciphers using the describe-ssl-policies Amazon CLI command, or refer to the tables below.

TLS security policies

You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

Protocols by policy

The following table describes the protocols that each TLS security policy supports.

Security policies TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS13-1-3-2021-06 Yes No No No
ELBSecurityPolicy-TLS13-1-2-2021-06 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Res-2021-06 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 Yes Yes No No
ELBSecurityPolicy-TLS13-1-1-2021-06 Yes Yes Yes No
ELBSecurityPolicy-TLS13-1-0-2021-06 Yes Yes Yes Yes
ELBSecurityPolicy-TLS-1-2-Ext-2018-06 No Yes No No
ELBSecurityPolicy-TLS-1-2-2017-01 No Yes No No
ELBSecurityPolicy-TLS-1-1-2017-01 No Yes Yes No
ELBSecurityPolicy-2016-08 No Yes Yes Yes
ELBSecurityPolicy-2015-05 No Yes Yes Yes

Ciphers by policy

The following table describes the ciphers that each TLS security policy supports.

Security policy Ciphers
ELBSecurityPolicy-TLS13-1-3-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

ELBSecurityPolicy-TLS13-1-2-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

ELBSecurityPolicy-TLS13-1-1-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-0-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS-1-2-2017-01
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

ELBSecurityPolicy-TLS-1-1-2017-01
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-2016-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-2015-05
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Policies by cipher

The following table describes the TLS security policies that support each cipher.

Cipher name Security policies Cipher suite

OpenSSL – TLS_AES_128_GCM_SHA256

IANA – TLS_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

1301

OpenSSL – TLS_AES_256_GCM_SHA384

IANA – TLS_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

1302

OpenSSL – TLS_CHACHA20_POLY1305_SHA256

IANA – TLS_CHACHA20_POLY1305_SHA256

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

1303

OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02b

OpenSSL – ECDHE-RSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02f

OpenSSL – ECDHE-ECDSA-AES128-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c023

OpenSSL – ECDHE-RSA-AES128-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c027

OpenSSL – ECDHE-ECDSA-AES128-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c009

OpenSSL – ECDHE-RSA-AES128-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c013

OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02c

OpenSSL – ECDHE-RSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c030

OpenSSL – ECDHE-ECDSA-AES256-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c024

OpenSSL – ECDHE-RSA-AES256-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c028

OpenSSL – ECDHE-ECDSA-AES256-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c00a

OpenSSL – ECDHE-RSA-AES256-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c014

OpenSSL – AES128-GCM-SHA256

IANA – TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

9c

OpenSSL – AES128-SHA256

IANA – TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

3c

OpenSSL – AES128-SHA

IANA – TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

2f

OpenSSL – AES256-GCM-SHA384

IANA – TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

9d

OpenSSL – AES256-SHA256

IANA – TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

3d

OpenSSL – AES256-SHA

IANA – TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

35

FIPS security policies

The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see Federal Information Processing Standard (FIPS) 140 on the Amazon Cloud Security Compliance page.

All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To learn more, see the AWS-LC Cryptographic Module page on the NIST Cryptographic Module Validation Program site.

Important

Policies ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 and ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 are provided for legacy compatibility only. While they utilize FIPS cryptography using the FIPS140 module, they may not conform to the latest NIST guidance for TLS configuration.

Protocols by policy

The following table describes the protocols that each FIPS security policy supports.

Security policies TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 Yes No No No
ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 Yes Yes Yes No
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 Yes Yes Yes Yes

Ciphers by policy

The following table describes the ciphers that each FIPS security policy supports.

Security policy Ciphers
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Policies by cipher

The following table describes the FIPS security policies that support each cipher.

Cipher name Security policies Cipher suite

OpenSSL – TLS_AES_128_GCM_SHA256

IANA – TLS_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

1301

OpenSSL – TLS_AES_256_GCM_SHA384

IANA – TLS_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

1302

OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c02b

OpenSSL – ECDHE-RSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c02f

OpenSSL – ECDHE-ECDSA-AES128-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c023

OpenSSL – ECDHE-RSA-AES128-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c027

OpenSSL – ECDHE-ECDSA-AES128-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c009

OpenSSL – ECDHE-RSA-AES128-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c013

OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c02c

OpenSSL – ECDHE-RSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c030

OpenSSL – ECDHE-ECDSA-AES256-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c024

OpenSSL – ECDHE-RSA-AES256-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c028

OpenSSL – ECDHE-ECDSA-AES256-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c00a

OpenSSL – ECDHE-RSA-AES256-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c014

OpenSSL – AES128-GCM-SHA256

IANA – TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

9c

OpenSSL – AES128-SHA256

IANA – TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

3c

OpenSSL – AES128-SHA

IANA – TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

2f

OpenSSL – AES256-GCM-SHA384

IANA – TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

9d

OpenSSL – AES256-SHA256

IANA – TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

3d

OpenSSL – AES256-SHA

IANA – TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

35

FS supported security policies

FS (Forward Secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.

Protocols by policy

The following table describes the protocols that each FS supported security policy supports.

Security policies TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-FS-1-2-Res-2020-10 No Yes No No
ELBSecurityPolicy-FS-1-2-Res-2019-08 No Yes No No
ELBSecurityPolicy-FS-1-2-2019-08 No Yes No No
ELBSecurityPolicy-FS-1-1-2019-08 No Yes Yes No
ELBSecurityPolicy-FS-2018-06 No Yes Yes Yes

Ciphers by policy

The following table describes the ciphers that each FS supported security policy supports.

Security policy Ciphers
ELBSecurityPolicy-FS-1-2-Res-2020-10
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

ELBSecurityPolicy-FS-1-2-2019-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

ELBSecurityPolicy-FS-1-1-2019-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

ELBSecurityPolicy-FS-2018-06
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

Policies by cipher

The following table describes the FS supported security policies that support each cipher.

Cipher name Security policies Cipher suite

OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02b

OpenSSL – ECDHE-RSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02f

OpenSSL – ECDHE-ECDSA-AES128-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c023

OpenSSL – ECDHE-RSA-AES128-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c027

OpenSSL – ECDHE-ECDSA-AES128-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c009

OpenSSL – ECDHE-RSA-AES128-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c013

OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02c

OpenSSL – ECDHE-RSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c030

OpenSSL – ECDHE-ECDSA-AES256-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c024

OpenSSL – ECDHE-RSA-AES256-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c028

OpenSSL – ECDHE-ECDSA-AES256-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c00a

OpenSSL – ECDHE-RSA-AES256-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c014