When you configure an HTTPS listener for an ALB, the TLS security policy determines the TLS protocol versions and cipher suites supported for TLS negotiation between the ALB and a client. ALB provides several predefined default policies. For specific security requirements, you can use a custom TLS security policy.
How it works
A TLS security policy on an ALB instance defines the TLS protocol versions and cipher suites it supports for TLS negotiation. During the TLS handshake, the client sends a list of its supported protocol versions and cipher suites in the Client Hello message. Based on this policy, the ALB instance selects a mutually supported protocol version and cipher suite from the client's list and responds with a Server Hello message. All subsequent steps, such as key exchange and session key generation, are based on this selected combination.
Default policies
Certain information security standards require specific TLS security policies for your ALB instance. Use the table below to find a default policy that meets your compliance needs. If none are suitable, you can create a custom policy.
- ALB Extensible Edition instances support only the tls_cipher_policy_1_0_to_1_3 policy, which is not available for other editions.
- For standard Internet-facing applications, use tls_cipher_policy_1_2 or a stricter policy.
Console
Go to the TLS Security Policies page in the ALB console. The Default Policy tab displays the details of each policy.
API
Call the ListSystemSecurityPolicies operation to query the default policies.
Custom policies
Only Standard and WAF-enabled ALB instances support custom policies. Basic and Extensible ALB instances do not support this feature.
Create a custom policy
Console
- Go to the TLS Security Policies page in the ALB console, and select the region where your ALB instance is located.
- Click Create custom policy, configure the following parameters, and then click Create.
  - Select minimum version: If your application has no special compatibility requirements, we recommend selecting TLS 1.2 and later to ensure security.
  - Enable TLS 1.3: For enhanced security and efficiency, we recommend enabling this option if it is compatible with your application.
  - Select cipher suites: The selected cipher suites must be compatible with the chosen TLS protocol version.
- After creating the custom policy, you can select it when you associate a TLS security policy with a listener.
API
Call the CreateSecurityPolicy operation to create a custom policy. The custom policy must be in the same region as the ALB instance.
To use an SM algorithm certificate for HTTPS encryption, you must select the SM algorithm cipher suite (ECC-SM2-WITH-SM4-SM3) when creating a custom policy. For more information, see Configure SM-based HTTPS for secure communication on ALB.
Update a custom policy
Console
- Go to the TLS Security Policies page in the ALB console, and select the region of the custom policy.
- Find the target custom policy, and click Edit in the Actions column. In the Edit TLS Security Policy dialog box, update the TLS protocol versions and cipher suites.
API
Call the UpdateSecurityPolicyAttribute operation to update the attributes of a custom policy.
Copy a custom policy to another region
Console
- Go to the TLS Security Policies page in the ALB console, and select the region of the custom policy.
- Find the target custom policy, click Copy to other region in the Actions column, select the destination region, and then click OK.
API
Call the ListSecurityPolicies operation to retrieve the TLSVersions and Ciphers parameters from the custom policy. Then, call the CreateSecurityPolicy operation with these parameters to create a custom policy in the destination region.
Delete a custom policy
You cannot delete a custom policy that is in use by a listener. To delete the policy, you must first change the listener's TLS security policy or delete the listener.
Console
- Go to the TLS Security Policies page in the ALB console, and select the region of the custom policy.
- Find the target custom policy, click Delete in the Actions column, and then click OK.
API
Call the DeleteSecurityPolicy operation to delete a custom policy.
Configure a TLS security policy
Application Load Balancer (ALB) Extensible Edition instances currently support only the system default policy tls_cipher_policy_1_0_to_1_3.
Console
- When you create an HTTPS listener, select a TLS security policy on the Configure SSL certificate tab. When you quickly create an HTTPS listener, select a TLS security policy in the Quick Create listener dialog box.
- To modify a TLS security policy: On the listener tab of the instance details page, click the ID of the target HTTPS listener. On the listener details page, modify the TLS security policy in the SSL certificate area.
API
When you call the CreateListener operation to create an HTTPS listener or call the UpdateListenerAttribute operation to update an HTTPS listener, set the SecurityPolicyId parameter to the ID of the TLS security policy.
- Call the ListSystemSecurityPolicies operation to query the SecurityPolicyId of a system default policy.
- Call the ListSecurityPolicies operation to query the SecurityPolicyId of a custom policy.
Billing
TLS security policies are free of charge, but you will be charged for the ALB instances themselves.
Production environment
- Backend traffic security: To ensure end-to-end security, deploy your ALB instance and backend servers in the same VPC. Use security groups and other policies to strictly control access.
- TLS version: For optimal security, use TLS 1.2 and TLS 1.3, unless your application has specific compatibility requirements.
- Rollback: If changing a TLS security policy causes issues, roll back immediately by modifying the listener configuration. Make these changes during off-peak hours.
- Key exchange algorithm: In a production environment, avoid using the following RSA key exchange cipher suites unless your application has specific compatibility requirements: AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, and DES-CBC3-SHA. These suites do not support forward secrecy (PFS) and are vulnerable to side-channel attacks. Prefer suites that include ECDHE or DHE for key exchange.
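The following is an added example, not Alibaba Cloud code: it audits a TLS security policy against the production guidance above (legacy versions, the RSA key-exchange suites listed, and version/cipher-suite compatibility). It assumes the policy is a dict shaped like ListSecurityPolicies output, with "TLSVersions" and "Ciphers" lists, and that versions are named "TLSv1.0" through "TLSv1.3" (an assumed string format); the sample policies are constructed.

```python
# Added example (not Alibaba Cloud's code). Assumes a policy dict in the shape
# of ListSecurityPolicies output ("TLSVersions", "Ciphers") and the version
# strings "TLSv1.0".."TLSv1.3" (assumed format).

# RSA key-exchange suites the guidance says to avoid: no forward secrecy.
RSA_KX_SUITES = {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
    "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
}
# TLS 1.3 suites are negotiated only under TLS 1.3; all other suites only under 1.2 or earlier.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
}
LEGACY_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def has_forward_secrecy(cipher):
    """ECDHE/DHE suites and every TLS 1.3 suite use ephemeral key exchange."""
    return cipher in TLS13_SUITES or cipher.startswith(("ECDHE-", "DHE-"))


def audit_policy(policy):
    """Return a list of (finding, detail) tuples; an empty list means no issues found."""
    versions = set(policy.get("TLSVersions", []))
    ciphers = list(policy.get("Ciphers", []))
    findings = []
    for v in sorted(versions & LEGACY_VERSIONS):
        findings.append(("legacy_version", v))
    for c in ciphers:
        if c in RSA_KX_SUITES:
            findings.append(("rsa_key_exchange", c))
    if ciphers and not any(has_forward_secrecy(c) for c in ciphers):
        findings.append(("no_pfs_suite", ""))
    # Compatibility: each enabled protocol version needs at least one usable suite.
    if "TLSv1.3" in versions and not any(c in TLS13_SUITES for c in ciphers):
        findings.append(("no_suite_for_tls13", ""))
    if (versions - {"TLSv1.3"}) and all(c in TLS13_SUITES for c in ciphers):
        findings.append(("no_suite_for_pre_tls13", ""))
    return findings


# Constructed sample policies, not real ALB output.
WEAK_POLICY = {
    "TLSVersions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "Ciphers": ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
}
HARDENED_POLICY = {
    "TLSVersions": ["TLSv1.2", "TLSv1.3"],
    "Ciphers": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                "TLS_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or "OK")
```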
TLS cipher suite mapping
This table cross-references TLS cipher suite names across the OpenSSL format, IANA standard format, and their hexadecimal representation.