You can select a TLS security policy when you create an HTTPS listener. HTTPS listeners support custom and default TLS security policies.

Default TLS security policies

tls_cipher_policy_1_0
  • Feature: Provides optimal compatibility and basic security
  • Supported TLS versions: TLS 1.0, TLS 1.1, and TLS 1.2
tls_cipher_policy_1_1
  • Feature: Provides high compatibility and advanced security
  • Supported TLS versions: TLS 1.1 and TLS 1.2
tls_cipher_policy_1_2
  • Feature: Provides high compatibility and advanced security
  • Supported TLS versions: TLS 1.2
tls_cipher_policy_1_2_strict
  • Feature: Supports only perfect forward secrecy (PFS) cipher suites and provides premium security
  • Supported TLS versions: TLS 1.2
tls_cipher_policy_1_2_strict_with_1_3
  • Feature: Supports only PFS cipher suites and provides premium security
  • Supported TLS versions: TLS 1.2 and TLS 1.3

Supported cipher suites

The cipher suites that a policy can negotiate depend on the TLS versions that the policy enables, and each cipher suite that you select must be supported by at least one of those versions. TLS 1.3 uses its own set of cipher suites (the TLS_* names below) and cannot negotiate any TLS 1.2 cipher suite, so if you enable TLS 1.3 you must also select at least one cipher suite that TLS 1.3 supports.
  • TLS 1.0 and TLS 1.1 support the following cipher suites:
    • ECDHE-ECDSA-AES128-SHA
    • ECDHE-ECDSA-AES256-SHA
    • ECDHE-RSA-AES128-SHA
    • ECDHE-RSA-AES256-SHA
    • AES128-SHA
    • AES256-SHA
    • DES-CBC3-SHA
  • TLS 1.2 supports the following cipher suites:
    • ECDHE-ECDSA-AES128-SHA
    • ECDHE-ECDSA-AES256-SHA
    • ECDHE-RSA-AES128-SHA
    • ECDHE-RSA-AES256-SHA
    • AES128-SHA
    • AES256-SHA
    • DES-CBC3-SHA
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES128-SHA256
    • ECDHE-ECDSA-AES256-SHA384
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES128-SHA256
    • ECDHE-RSA-AES256-SHA384
    • AES128-GCM-SHA256
    • AES256-GCM-SHA384
    • AES128-SHA256
    • AES256-SHA256
  • TLS 1.3 supports the following cipher suites:
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_128_CCM_SHA256
    • TLS_AES_128_CCM_8_SHA256

Note TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), and the cipher suites whose names carry no ECDHE prefix (AES128-SHA, AES256-GCM-SHA384, DES-CBC3-SHA, and so on) use static RSA key exchange and therefore provide no forward secrecy: anyone who later obtains the server's private key can decrypt recorded sessions. Enable these versions and suites only for clients that cannot negotiate anything newer, and prefer tls_cipher_policy_1_2_strict_with_1_3 when your clients support it.

Custom TLS security policies

To create a custom TLS security policy, perform the following steps:

  1. Log on to the ALB console.
  2. In the left-side navigation pane, choose ALB > TLS Security policies.
  3. On the TLS Security Policies page, click Create Custom Policy on the Custom Policy tab.
  4. Set the following parameters and click Create.
    Name: Enter a name for the TLS security policy. The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-). The name must start with a letter.
    Minimal Version: Select the lowest TLS version that the policy accepts. Clients that offer only an older version cannot connect.
      • TLS 1.0 or later
      • TLS 1.1 or later
      • TLS 1.2 or later
    Enable TLS 1.3: Select whether to enable TLS 1.3.
      Notice To enable TLS 1.3, you must also select at least one cipher suite that TLS 1.3 supports (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, or TLS_AES_128_CCM_8_SHA256). The TLS 1.2 cipher suites cannot be used for TLS 1.3 connections, so if TLS 1.3 is enabled without one of these suites, the system may fail to establish secure connections.
    Cipher Suite: Select one or more cipher suites that are supported by the TLS versions you enabled. For the cipher suites supported by each TLS version, see Default TLS security policies.

Cipher suites supported by different TLS security policies

Cipher suite                     1_0      1_1      1_2      1_2_strict    1_2_strict_with_1_3
TLS versions                     1.0-1.2  1.1-1.2  1.2      1.2           1.2-1.3
ECDHE-RSA-AES128-GCM-SHA256      √        √        √        √             √
ECDHE-RSA-AES256-GCM-SHA384      √        √        √        √             √
ECDHE-RSA-AES128-SHA256          √        √        √        √             √
ECDHE-RSA-AES256-SHA384          √        √        √        √             √
AES128-GCM-SHA256                √        √        √        -             -
AES256-GCM-SHA384                √        √        √        -             -
AES128-SHA256                    √        √        √        -             -
AES256-SHA256                    √        √        √        -             -
ECDHE-RSA-AES128-SHA             √        √        √        √             √
ECDHE-RSA-AES256-SHA             √        √        √        √             √
AES128-SHA                       √        √        √        -             -
AES256-SHA                       √        √        √        -             -
DES-CBC3-SHA                     √        √        √        -             -
TLS_AES_128_GCM_SHA256           -        -        -        -             √
TLS_AES_256_GCM_SHA384           -        -        -        -             √
TLS_CHACHA20_POLY1305_SHA256     -        -        -        -             √
TLS_AES_128_CCM_SHA256           -        -        -        -             √
TLS_AES_128_CCM_8_SHA256         -        -        -        -             √
ECDHE-ECDSA-AES128-GCM-SHA256    -        -        -        -             √
ECDHE-ECDSA-AES256-GCM-SHA384    -        -        -        -             √
ECDHE-ECDSA-AES128-SHA256        -        -        -        -             √
ECDHE-ECDSA-AES256-SHA384        -        -        -        -             √
ECDHE-ECDSA-AES128-SHA           -        -        -        -             √
ECDHE-ECDSA-AES256-SHA           -        -        -        -             √
Note In this table, √ indicates that a cipher suite is supported and - indicates that it is not. The column headings omit the tls_cipher_policy_ prefix of the policy names. The two strict policies contain only ECDHE (PFS) cipher suites, and tls_cipher_policy_1_2_strict_with_1_3 is the only default policy that includes the TLS 1.3 and ECDHE-ECDSA cipher suites.
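The custom-policy parameters (Minimal Version, Enable TLS 1.3, Cipher Suite) and the two cipher suite tables above, encoded as an added example that is not Alibaba Cloud code: it transcribes the per-version cipher suite sets and the five default policies from this page, applies the page's rules to a custom selection before you click Create, and adds the checks a reviewer would want (forward secrecy, deprecated versions, 3DES). Function and variable names are this example's own; the check function's reading of the rules is an assumption, not the console's validation logic.

```python
"""Check an ALB TLS security policy against the rules on this page.

Added example, not Alibaba Cloud code. The cipher-suite sets and the five
default policies are transcribed from the tables on this page; the checks
are this example's own reading of those rules, not the console's validator.
"""

# Suites usable with TLS 1.0 and TLS 1.1 (TLS 1.2 accepts them as well).
LEGACY_SUITES = frozenset({
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"})
# Suites that only TLS 1.2 can negotiate (AES-GCM, SHA-256/384 MACs).
TLS12_ONLY_SUITES = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256"})
# TLS 1.3 has its own suites; none of the TLS 1.2 names apply to it.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"})
SUITES_BY_VERSION = {"TLS 1.0": LEGACY_SUITES, "TLS 1.1": LEGACY_SUITES,
                     "TLS 1.2": LEGACY_SUITES | TLS12_ONLY_SUITES, "TLS 1.3": TLS13_SUITES}
PRE13_VERSIONS = ("TLS 1.0", "TLS 1.1", "TLS 1.2")  # the "Minimal Version" options

# The five default policies as (TLS versions, cipher suites), from the table.
RSA_PFS = ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
           "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
           "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA")
RSA_STATIC = ("AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
              "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA")
ECDSA_PFS = ("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
             "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
             "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA")
DEFAULT_POLICIES = {
    "tls_cipher_policy_1_0": (("TLS 1.0", "TLS 1.1", "TLS 1.2"), RSA_PFS + RSA_STATIC),
    "tls_cipher_policy_1_1": (("TLS 1.1", "TLS 1.2"), RSA_PFS + RSA_STATIC),
    "tls_cipher_policy_1_2": (("TLS 1.2",), RSA_PFS + RSA_STATIC),
    "tls_cipher_policy_1_2_strict": (("TLS 1.2",), RSA_PFS),
    "tls_cipher_policy_1_2_strict_with_1_3": (("TLS 1.2", "TLS 1.3"),
                                              tuple(sorted(TLS13_SUITES)) + ECDSA_PFS + RSA_PFS),
}


def has_forward_secrecy(suite):
    """ECDHE suites use ephemeral ECDH and every TLS 1.3 suite (TLS_ prefix)
    uses (EC)DHE. Suites named for the cipher alone (AES128-SHA, DES-CBC3-SHA)
    use static RSA key exchange: a leaked server key decrypts recorded traffic."""
    return suite.startswith("ECDHE-") or suite.startswith("TLS_")


def check_custom_policy(min_version, enable_tls13, suites):
    """Apply the page's rules to a custom policy; return (errors, warnings).

    Errors are selections the page says will not work; warnings are valid but
    weak choices that a reviewer would question before the policy goes live."""
    errors, warnings = [], []
    if min_version not in PRE13_VERSIONS:
        return [f"unknown minimal version {min_version!r}"], warnings
    enabled = list(PRE13_VERSIONS[PRE13_VERSIONS.index(min_version):])
    if enable_tls13:
        enabled.append("TLS 1.3")
    if not suites:
        errors.append("no cipher suite selected")
    for suite in suites:
        if not any(suite in SUITES_BY_VERSION[v] for v in enabled):
            if any(suite in s for s in SUITES_BY_VERSION.values()):
                errors.append(f"{suite}: not usable with any enabled version ({', '.join(enabled)})")
            else:
                errors.append(f"{suite}: unknown cipher suite")
        elif not has_forward_secrecy(suite):
            warnings.append(f"{suite}: no forward secrecy (static RSA key exchange)")
    # The Notice on the page: TLS 1.3 enabled without any TLS 1.3 suite.
    if enable_tls13 and not any(s in TLS13_SUITES for s in suites):
        errors.append("TLS 1.3 is enabled but no TLS 1.3 cipher suite is selected")
    # A pre-1.3 version with no usable suite: clients offering only it will fail.
    for v in PRE13_VERSIONS[PRE13_VERSIONS.index(min_version):]:
        if not any(s in SUITES_BY_VERSION[v] for s in suites):
            warnings.append(f"{v} is enabled but no selected cipher suite can be used with it")
    if min_version != "TLS 1.2":
        warnings.append(f"{min_version} is deprecated (RFC 8996); prefer TLS 1.2 or later")
    if "DES-CBC3-SHA" in suites:
        warnings.append("DES-CBC3-SHA: 3DES has a 64-bit block size; prefer AES-GCM")
    return errors, warnings


def is_pfs_only(policy):
    """True when every cipher suite in a default policy provides forward secrecy."""
    return all(has_forward_secrecy(s) for s in DEFAULT_POLICIES[policy][1])


def default_policy_errors(policy):
    """Re-check a default policy as if it had been entered as a custom one."""
    versions, suites = DEFAULT_POLICIES[policy]
    return check_custom_policy(versions[0], "TLS 1.3" in versions, list(suites))[0]
```

Running `check_custom_policy("TLS 1.2", True, ["ECDHE-RSA-AES128-GCM-SHA256"])` reproduces the misconfiguration the Notice warns about (TLS 1.3 switched on with only a TLS 1.2 suite) as an error, while `is_pfs_only` confirms that the two strict policies are the only defaults whose every suite has forward secrecy, and `default_policy_errors` shows that all five defaults pass the same checks a custom policy must satisfy.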