
Server Load Balancer:TLS security policies

Last Updated:Jul 27, 2023

You can select a TLS security policy when you create an HTTPS listener. HTTPS listeners support custom and default TLS security policies.

Default TLS security policies

A TLS security policy defines the TLS protocol versions and cipher suites that an HTTPS listener accepts. A later minimum TLS version offers stronger security but reduces compatibility with older browsers and clients. The two strict policies accept only ECDHE cipher suites, which provide forward secrecy, and drop the static-RSA and 3DES suites.

Security policy                          Supported TLS versions

tls_cipher_policy_1_0                    TLS 1.0, TLS 1.1, and TLS 1.2

tls_cipher_policy_1_1                    TLS 1.1 and TLS 1.2

tls_cipher_policy_1_2                    TLS 1.2

tls_cipher_policy_1_2_strict             TLS 1.2

tls_cipher_policy_1_2_strict_with_1_3    TLS 1.2 and TLS 1.3

Cipher suites supported by each TLS version

The cipher suites that you select must be supported by at least one of the TLS versions that the policy enables. For example, if you enable TLS 1.3, you must select at least one of the cipher suites that TLS 1.3 supports, because TLS 1.3 uses its own set of cipher suites and cannot use any of the TLS 1.2 suites.

  • TLS 1.0 and TLS 1.1 support the following cipher suites:

    • ECDHE-ECDSA-AES128-SHA

    • ECDHE-ECDSA-AES256-SHA

    • ECDHE-RSA-AES128-SHA

    • ECDHE-RSA-AES256-SHA

    • AES128-SHA

    • AES256-SHA

    • DES-CBC3-SHA

  • TLS 1.2 supports the following cipher suites:

    • ECDHE-ECDSA-AES128-SHA

    • ECDHE-ECDSA-AES256-SHA

    • ECDHE-RSA-AES128-SHA

    • ECDHE-RSA-AES256-SHA

    • AES128-SHA

    • AES256-SHA

    • DES-CBC3-SHA

    • ECDHE-ECDSA-AES128-GCM-SHA256

    • ECDHE-ECDSA-AES256-GCM-SHA384

    • ECDHE-ECDSA-AES128-SHA256

    • ECDHE-ECDSA-AES256-SHA384

    • ECDHE-RSA-AES128-GCM-SHA256

    • ECDHE-RSA-AES256-GCM-SHA384

    • ECDHE-RSA-AES128-SHA256

    • ECDHE-RSA-AES256-SHA384

    • AES128-GCM-SHA256

    • AES256-GCM-SHA384

    • AES128-SHA256

    • AES256-SHA256

  • TLS 1.3 supports the following cipher suites:

    • TLS_AES_128_GCM_SHA256

    • TLS_AES_256_GCM_SHA384

    • TLS_CHACHA20_POLY1305_SHA256

    • TLS_AES_128_CCM_SHA256

    • TLS_AES_128_CCM_8_SHA256

Custom policies

To create a custom TLS security policy, perform the following steps:

  1. Log on to the ALB console.
  2. In the left-side navigation pane, choose ALB > TLS Security Policies.

  3. On the TLS Security Policies page, click Create Custom Policy on the Custom Policy tab.

  4. Set the following parameters and click Create.

     Name: Enter a name for the TLS security policy. The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-). The name must start with a letter.

     Minimum Version: Select the lowest TLS version that the policy accepts. Every later version up to TLS 1.2 is enabled as well; TLS 1.3 is controlled separately by the next parameter.

       • TLS 1.0 or later

       • TLS 1.1 or later

       • TLS 1.2 or later

     Enable TLS 1.3: Select whether to enable TLS 1.3 in addition to the versions chosen above.

     Warning: If you enable TLS 1.3, you must also select at least one cipher suite that TLS 1.3 supports (the TLS_* suites). TLS 1.3 cannot use TLS 1.2 cipher suites, so a policy that enables TLS 1.3 without a TLS 1.3 suite may cause connections to fail.

     Cipher Suite: Select the cipher suites that are supported by the enabled TLS versions. For the cipher suites that each TLS version supports, see Default TLS security policies.
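The following script is an added example, not code from the Alibaba Cloud documentation or from ALB itself. It models the Create Custom Policy form, validates a policy against the rules above (every selected suite must be usable by an enabled version, and every enabled version, TLS 1.3 in particular, must have at least one usable suite), lists selected suites that the default strict policies exclude, and simulates which version and suite a client would end up with. The per-version cipher-suite lists are copied from this page; CustomPolicy, validate(), non_strict_suites() and negotiate() are the editor's own names, and negotiate() is a simplified version-then-cipher selection, not the load balancer's implementation.

```python
"""Consistency check and handshake simulation for a custom ALB TLS security policy.

Added example (editor's own code); the suite-per-version data is taken from the
documentation page, the CustomPolicy model and the functions are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

TLS10, TLS11, TLS12, TLS13 = "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"
VERSION_ORDER = (TLS10, TLS11, TLS12, TLS13)

# Usable with TLS 1.0, TLS 1.1 and TLS 1.2 (from the page).
LEGACY_SUITES = (
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
)
# Usable with TLS 1.2 only (from the page).
TLS12_ONLY_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "AES128-SHA256", "AES256-SHA256",
)
# TLS 1.3 has its own suite namespace; none of these apply to TLS 1.2 or lower.
TLS13_SUITES = (
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
)
SUITES_BY_VERSION = {
    TLS10: frozenset(LEGACY_SUITES),
    TLS11: frozenset(LEGACY_SUITES),
    TLS12: frozenset(LEGACY_SUITES + TLS12_ONLY_SUITES),
    TLS13: frozenset(TLS13_SUITES),
}
ALL_SUITES = SUITES_BY_VERSION[TLS12] | SUITES_BY_VERSION[TLS13]
# Suites absent from tls_cipher_policy_1_2_strict and _strict_with_1_3 in the
# page's table: the non-ECDHE (static RSA key exchange) suites, 3DES included.
NOT_IN_STRICT_POLICIES = frozenset(
    s for s in LEGACY_SUITES + TLS12_ONLY_SUITES if not s.startswith("ECDHE-")
)


@dataclass
class CustomPolicy:
    """Hypothetical model of the console's Create Custom Policy form."""
    name: str
    minimum_version: str            # "TLS 1.0", "TLS 1.1" or "TLS 1.2"
    enable_tls13: bool
    cipher_suites: tuple[str, ...]  # server preference order

    def enabled_versions(self) -> list[str]:
        floor = VERSION_ORDER.index(self.minimum_version)
        versions = [v for v in (TLS10, TLS11, TLS12) if VERSION_ORDER.index(v) >= floor]
        if self.enable_tls13:
            versions.append(TLS13)
        return versions


def validate(policy: CustomPolicy) -> list[str]:
    """Returns the problems that would make the listener reject some clients."""
    if policy.minimum_version not in (TLS10, TLS11, TLS12):
        return [f"Minimum Version must be TLS 1.0, 1.1 or 1.2, not {policy.minimum_version!r}"]
    problems = []
    enabled = policy.enabled_versions()
    for suite in policy.cipher_suites:
        if suite not in ALL_SUITES:
            problems.append(f"{suite} is not a selectable cipher suite")
        elif not any(suite in SUITES_BY_VERSION[v] for v in enabled):
            problems.append(f"{suite} is selected but no enabled TLS version can use it")
    # The page's TLS 1.3 warning, applied to every enabled version: a version
    # with no usable suite cannot complete a handshake with clients that need it.
    for version in enabled:
        if not any(s in SUITES_BY_VERSION[version] for s in policy.cipher_suites):
            problems.append(f"{version} is enabled but no selected cipher suite supports it")
    return problems


def non_strict_suites(policy: CustomPolicy) -> list[str]:
    """Selected suites that the default strict policies leave out."""
    return [s for s in policy.cipher_suites if s in NOT_IN_STRICT_POLICIES]


def negotiate(policy: CustomPolicy, client_versions, client_suites):
    """Simplified handshake outcome: (version, suite) or None on failure.

    The server fixes the highest mutually supported version first, then picks
    its first preferred suite that the client also offers for that version.
    With no shared suite at that version the handshake fails; the server does
    not retry at a lower version.
    """
    enabled = policy.enabled_versions()
    for version in reversed(VERSION_ORDER):
        if version in enabled and version in client_versions:
            for suite in policy.cipher_suites:
                if suite in SUITES_BY_VERSION[version] and suite in client_suites:
                    return version, suite
            return None
    return None


if __name__ == "__main__":
    # Constructed policies: the mistake the page warns about, and its fix.
    broken = CustomPolicy("tls13-no-suite", TLS12, True, ("ECDHE-RSA-AES128-GCM-SHA256",))
    fixed = CustomPolicy("tls13-ok", TLS12, True,
                         ("TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"))
    modern_client = ({TLS12, TLS13}, {"TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"})
    for p in (broken, fixed):
        print(p.name, validate(p) or "ok", negotiate(p, *modern_client))
```

Run as a script it reports that the first policy enables TLS 1.3 without a TLS 1.3 suite and that a TLS 1.3-capable client gets no connection from it, while the corrected policy negotiates TLS 1.3 with TLS_AES_128_GCM_SHA256. The same check catches the mirror-image mistake of setting Minimum Version to TLS 1.0 while selecting only TLS 1.2 suites, which leaves TLS 1.0 and TLS 1.1 clients unable to connect even though the versions are nominally enabled.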

Cipher suites supported by different TLS security policies

In the following table, a check mark (✓) indicates that the cipher suite is supported and a hyphen (-) indicates that the cipher suite is not supported. The column headers omit the tls_cipher_policy_ prefix of the policy names.

Cipher suite                   1_0      1_1      1_2  1_2_strict  1_2_strict_with_1_3

TLS versions                   1.0-1.2  1.1-1.2  1.2  1.2         1.2-1.3

ECDHE-RSA-AES128-GCM-SHA256    ✓        ✓        ✓    ✓           ✓

ECDHE-RSA-AES256-GCM-SHA384    ✓        ✓        ✓    ✓           ✓

ECDHE-RSA-AES128-SHA256        ✓        ✓        ✓    ✓           ✓

ECDHE-RSA-AES256-SHA384        ✓        ✓        ✓    ✓           ✓

AES128-GCM-SHA256              ✓        ✓        ✓    -           -

AES256-GCM-SHA384              ✓        ✓        ✓    -           -

AES128-SHA256                  ✓        ✓        ✓    -           -

AES256-SHA256                  ✓        ✓        ✓    -           -

ECDHE-RSA-AES128-SHA           ✓        ✓        ✓    ✓           ✓

ECDHE-RSA-AES256-SHA           ✓        ✓        ✓    ✓           ✓

AES128-SHA                     ✓        ✓        ✓    -           -

AES256-SHA                     ✓        ✓        ✓    -           -

DES-CBC3-SHA                   ✓        ✓        ✓    -           -

TLS_AES_128_GCM_SHA256         -        -        -    -           ✓

TLS_AES_256_GCM_SHA384         -        -        -    -           ✓

TLS_CHACHA20_POLY1305_SHA256   -        -        -    -           ✓

TLS_AES_128_CCM_SHA256         -        -        -    -           ✓

TLS_AES_128_CCM_8_SHA256       -        -        -    -           ✓

ECDHE-ECDSA-AES128-GCM-SHA256  -        -        -    -           ✓

ECDHE-ECDSA-AES256-GCM-SHA384  -        -        -    -           ✓

ECDHE-ECDSA-AES128-SHA256      -        -        -    -           ✓

ECDHE-ECDSA-AES256-SHA384      -        -        -    -           ✓

ECDHE-ECDSA-AES128-SHA         -        -        -    -           ✓

ECDHE-ECDSA-AES256-SHA         -        -        -    -           ✓