
Server Load Balancer:TLS security policies

Last Updated:Dec 03, 2025

When you configure an HTTPS listener for an Application Load Balancer (ALB), a TLS security policy sets the supported TLS versions and cipher suites. This policy governs the TLS negotiation between the ALB and clients. ALB provides several default system policies. You can also create a custom TLS security policy to meet specific requirements.

How it works

A TLS security policy is configured on the ALB to define the supported TLS versions and cipher suites for TLS negotiation. During the handshake, the client sends a list of its supported protocol versions and cipher suites in a Client Hello message. The ALB uses the policy to select a protocol version and cipher suite combination that both parties support. The ALB then sends this selection in a Server Hello response. Subsequent steps, such as key exchange and session key generation, are based on this selection.
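The selection step described above, as an added example that is not Alibaba Cloud code: a small model of a listener choosing the highest mutually supported version and then the first cipher suite in the policy's preference order that the client also offered. The policy contents, suite order and client offers are constructed for the example (only the policy name and suite names come from this page), and TLS 1.3 suites are treated as usable only when TLS 1.3 is the negotiated version.

```python
"""Model of how an HTTPS listener picks a TLS version and cipher suite.

Added example, not Alibaba Cloud code. Simplifications: highest mutually
supported version wins, then the first suite in the policy's order (server
preference) that the client also offered; no fallback to a lower version.
"""
from dataclasses import dataclass

VERSION_ORDER = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def is_tls13_suite(suite: str) -> bool:
    # TLS 1.3 suites carry IANA-style names (TLS_...) and are only valid under TLS 1.3;
    # OpenSSL-style names (ECDHE-..., AES128-...) are TLS 1.2-and-earlier suites.
    return suite.startswith("TLS_")


@dataclass(frozen=True)
class Policy:
    name: str
    versions: frozenset          # versions the listener accepts
    ciphers: tuple               # suites in the listener's preference order


@dataclass(frozen=True)
class ClientHello:
    versions: frozenset          # versions offered by the client
    ciphers: tuple               # cipher suites offered by the client


def negotiate(policy: Policy, hello: ClientHello):
    """Return the (version, suite) the listener would pick, or None on handshake failure."""
    common = [v for v in VERSION_ORDER if v in policy.versions and v in hello.versions]
    if not common:
        return None                      # no shared protocol version
    version = common[-1]                 # VERSION_ORDER is ascending, so the last is the highest
    for suite in policy.ciphers:         # server preference order
        if is_tls13_suite(suite) != (version == "TLSv1.3"):
            continue                     # suite not usable with the chosen version
        if suite in hello.ciphers:
            return version, suite
    return None                          # no shared cipher suite for that version


# Constructed stand-in for tls_cipher_policy_1_2_strict_with_1_3; the suite order is an assumption.
STRICT_13 = Policy(
    "tls_cipher_policy_1_2_strict_with_1_3",
    frozenset({"TLSv1.2", "TLSv1.3"}),
    ("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
     "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
     "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA"),
)

# Constructed client offers.
MODERN = ClientHello(frozenset({"TLSv1.2", "TLSv1.3"}),
                     ("TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256",
                      "ECDHE-RSA-AES128-GCM-SHA256"))
TLS12_ONLY = ClientHello(frozenset({"TLSv1.2"}),
                         ("ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"))
LEGACY = ClientHello(frozenset({"TLSv1.0"}), ("AES128-SHA", "DES-CBC3-SHA"))
# Offers TLS 1.3 but only TLS 1.2-style suites; this model fails the handshake
# rather than falling back to TLS 1.2 (real stacks differ in how they handle this).
INCONSISTENT = ClientHello(frozenset({"TLSv1.2", "TLSv1.3"}), ("ECDHE-RSA-AES128-GCM-SHA256",))

if __name__ == "__main__":
    for label, hello in (("modern", MODERN), ("tls1.2-only", TLS12_ONLY),
                         ("legacy", LEGACY), ("inconsistent", INCONSISTENT)):
        print(label, negotiate(STRICT_13, hello))
```

The modern client lists CHACHA20 first but gets AES-128-GCM, because the model applies the listener's order, not the client's; the TLS 1.0-only client gets no version at all, which is the outcome to expect when a strict policy is assigned to a listener that legacy clients still reach.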

Default system policies

Information security standards may require you to use specific TLS security policies for your ALB. The following table shows the TLS versions and cipher suites supported by the default system policies. You can configure them as needed. If the default policies do not meet your requirements, you can create a custom policy.

Policy details

| TLS version | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
|---|---|---|---|---|---|
| v1.0 | Supported | Not supported | Not supported | Not supported | Not supported |
| v1.1 | Supported | Supported | Not supported | Not supported | Not supported |
| v1.2 | Supported | Supported | Supported | Supported | Supported |
| v1.3 | Not supported | Not supported | Not supported | Not supported | Supported |

| Cipher suite | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
|---|---|---|---|---|---|
| ECDHE-ECDSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-ECDSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-ECDSA-AES128-SHA256 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-ECDSA-AES256-SHA384 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES128-SHA256 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES256-SHA384 | Supported | Supported | Supported | Supported | Supported |
| AES128-GCM-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| AES256-GCM-SHA384 | Supported | Supported | Supported | Not supported | Not supported |
| AES128-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| AES256-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| ECDHE-ECDSA-AES128-SHA | Supported | Supported | Supported | Supported | Supported |
| ECDHE-ECDSA-AES256-SHA | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES128-SHA | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES256-SHA | Supported | Supported | Supported | Supported | Supported |
| AES128-SHA | Supported | Supported | Supported | Not supported | Not supported |
| AES256-SHA | Supported | Supported | Supported | Not supported | Not supported |
| DES-CBC3-SHA | Supported | Supported | Supported | Not supported | Not supported |
| TLS_AES_128_GCM_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| TLS_AES_256_GCM_SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
| TLS_CHACHA20_POLY1305_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| TLS_AES_128_CCM_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| TLS_AES_128_CCM_8_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| ECDHE-ECDSA-CHACHA20-POLY1305 | Not supported | Not supported | Not supported | Not supported | Not supported |
| ECDHE-RSA-CHACHA20-POLY1305 | Not supported | Not supported | Not supported | Not supported | Not supported |

For Internet-facing applications with no special compatibility requirements, use the tls_cipher_policy_1_2 policy or a later version.

Console

Go to the TLS Security Policies page in the ALB console. On the Default Policy tab, you can view the policy details.

API

You can call the ListSystemSecurityPolicies operation to query the default system policies.

Custom policies

Only Standard Edition and WAF-enabled ALB instances support custom policies. Basic Edition ALB instances do not.

Create a custom policy

Console

  1. Go to the TLS Security Policies page in the ALB console and select the region where the ALB instance is located.

  2. Click Create Custom Policy, configure the following parameters, and then click Create.

    • Minimum Version: If your application has no special compatibility requirements, select TLS 1.2 or later to ensure security.

    • Enable TLS 1.3: Enable this option if your clients and services support TLS 1.3; it improves both the security and the efficiency of the connection.

    • Cipher Suite: Select only cipher suites that are valid for the selected TLS versions.

  3. After the policy is created, you can select it when you configure a TLS security policy for a listener.
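Before creating a custom policy, or when deciding between the default policies in the table above, it helps to check the version and cipher-suite combination mechanically. The following added example is not Alibaba Cloud code: it represents a policy with the TLSVersions and Ciphers parameter names this page uses for CreateSecurityPolicy and ListSecurityPolicies (the "TLSv1.2"-style version strings and the suite ordering are assumptions), transcribes the five default system policies from the table, and reports combinations that cannot work together (errors) separately from choices that work but weaken the listener (warnings).

```python
"""Audit a TLS security policy before creating it or assigning it to a listener.

Added example, not Alibaba Cloud code. A policy is a dict with the
TLSVersions / Ciphers keys named on this page; the "TLSv1.2"-style version
strings and the cipher ordering are assumptions. SYSTEM_POLICIES is
transcribed from the table of default system policies.
"""

ECDHE_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
]
STATIC_RSA_SUITES = [
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]
TLS13_SUITES = [
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
]

# Transcribed from the table of default system policies on this page.
SYSTEM_POLICIES = {
    "tls_cipher_policy_1_0": {"TLSVersions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
                              "Ciphers": ECDHE_SUITES + STATIC_RSA_SUITES},
    "tls_cipher_policy_1_1": {"TLSVersions": ["TLSv1.1", "TLSv1.2"],
                              "Ciphers": ECDHE_SUITES + STATIC_RSA_SUITES},
    "tls_cipher_policy_1_2": {"TLSVersions": ["TLSv1.2"],
                              "Ciphers": ECDHE_SUITES + STATIC_RSA_SUITES},
    "tls_cipher_policy_1_2_strict": {"TLSVersions": ["TLSv1.2"],
                                     "Ciphers": ECDHE_SUITES},
    "tls_cipher_policy_1_2_strict_with_1_3": {"TLSVersions": ["TLSv1.2", "TLSv1.3"],
                                              "Ciphers": ECDHE_SUITES + TLS13_SUITES},
}


def is_tls13_suite(suite):
    # TLS 1.3 suites use IANA-style names (TLS_...); the rest are OpenSSL-style TLS 1.2 names.
    return suite.startswith("TLS_")


def audit(policy):
    """Return {"errors": [...], "warnings": [...]} for a {"TLSVersions", "Ciphers"} policy."""
    versions = set(policy.get("TLSVersions", []))
    ciphers = list(policy.get("Ciphers", []))
    errors, warnings = [], []
    if not versions:
        errors.append("no TLS version enabled")
    if not ciphers:
        errors.append("no cipher suite selected")
    suites13 = [c for c in ciphers if is_tls13_suite(c)]
    suites12 = [c for c in ciphers if not is_tls13_suite(c)]
    has13 = "TLSv1.3" in versions
    has_pre13 = bool(versions - {"TLSv1.3"})
    # Errors: an enabled version with no usable suite, or suites with no version to run under.
    if has13 and not suites13:
        errors.append("TLS 1.3 enabled but no TLS 1.3 cipher suite selected")
    if suites13 and not has13:
        errors.append("TLS 1.3 cipher suites selected but TLS 1.3 not enabled")
    if has_pre13 and not suites12:
        errors.append("TLS 1.2 or lower enabled but no TLS 1.2 cipher suite selected")
    if suites12 and not has_pre13:
        errors.append("TLS 1.2 cipher suites selected but only TLS 1.3 enabled")
    # Warnings: choices that negotiate fine but weaken the listener (one per suite at most).
    for v in sorted(versions & {"TLSv1.0", "TLSv1.1"}):
        warnings.append(f"{v} is enabled; prefer TLS 1.2 or later")
    for c in ciphers:
        if "DES-CBC3" in c:
            warnings.append(f"{c}: 3DES (64-bit block cipher)")
        elif not (c.startswith("ECDHE-") or is_tls13_suite(c)):
            warnings.append(f"{c}: static RSA key exchange, no forward secrecy")
        elif not any(tag in c for tag in ("GCM", "CHACHA20", "CCM")):
            warnings.append(f"{c}: CBC mode, not an AEAD suite")
    return {"errors": errors, "warnings": warnings}


# Constructed custom policy with a version/cipher mismatch: TLS 1.3 suites without TLS 1.3.
MISMATCHED_CUSTOM = {"TLSVersions": ["TLSv1.2"],
                     "Ciphers": ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]}

# Constructed custom policy: TLS 1.2 and 1.3 with forward-secret AEAD suites only.
HARDENED_CUSTOM = {"TLSVersions": ["TLSv1.2", "TLSv1.3"],
                   "Ciphers": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
                               "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                               "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                               "TLS_CHACHA20_POLY1305_SHA256"]}

if __name__ == "__main__":
    checks = list(SYSTEM_POLICIES.items()) + [("mismatched", MISMATCHED_CUSTOM),
                                              ("hardened", HARDENED_CUSTOM)]
    for name, pol in checks:
        result = audit(pol)
        print(f"{name}: {len(result['errors'])} errors, {len(result['warnings'])} warnings")
```

Run against the table, the audit shows why the page steers Internet-facing listeners to tls_cipher_policy_1_2 or later: the 1_0 policy carries two deprecated versions plus 3DES and static-RSA suites, while 1_2_strict_with_1_3 leaves only CBC-mode warnings. The same function applied to the TLSVersions and Ciphers values read back from ListSecurityPolicies catches a mismatched custom policy before it is replicated to another region.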

API

You can call the CreateSecurityPolicy operation to create a custom policy. Note that the region of the custom policy must be the same as the region of the ALB instance.

Update the TLS version and cipher suites of a custom policy

Console

  1. Go to the TLS Security Policies page in the ALB console and select the region of the custom policy.

  2. Find the target custom policy, click Modify in the Actions column, and update the TLS version and cipher suites in the Modify TLS Security Policy dialog box.

API

You can call the UpdateSecurityPolicyAttribute operation to update the attributes of a custom policy.

Copy a custom policy to another region

Console

  1. Go to the TLS Security Policies page in the ALB console and select the region of the custom policy.

  2. Find the target custom policy, click Replicate to Other Regions in the Actions column, select a destination region, and click OK.

API

You can call the ListSecurityPolicies operation to obtain the TLSVersions and Ciphers parameters of the custom policy. Then, use these parameters when you call the CreateSecurityPolicy operation to create a custom policy in the destination region.

Delete a custom policy

You cannot delete a custom policy that is being used by a listener. To delete the policy, you must first change the listener's TLS security policy or delete the listener.

Console

  1. Go to the TLS Security Policies page in the ALB console and select the region of the custom policy.

  2. Find the target custom policy, click Delete in the Actions column, and then click OK.

API

You can call the DeleteSecurityPolicy operation to delete a custom policy.

Configure a TLS security policy for a listener

Console

  • When you create an HTTPS listener, select a TLS Security Policy on the Configure SSL Certificate tab. When you quickly create an HTTPS listener, select a TLS Security Policy in the Quick Create Listener dialog box.

  • Change the TLS security policy: On the instance details page, go to the Listener tab. Click the ID of the target HTTPS listener to go to the Listener Details page. In the SSL Certificate section, change the TLS Security Policy.

API

When you call the CreateListener operation to create an HTTPS listener or the UpdateListenerAttribute operation to update the configuration of an HTTPS listener, set the SecurityPolicyId parameter to the ID of the TLS security policy.

Billing

TLS security policies are free. However, you are charged for the ALB instance. For more information, see Billing.

Going live

  • Backend traffic security: To ensure end-to-end security, deploy the ALB and backend servers in the same VPC. Use policies, such as security groups, to strictly restrict access.

  • TLS version: If your application has no special compatibility requirements, use TLS 1.2 and TLS 1.3 to ensure security.

  • Change rollback: If an issue occurs after you change the TLS security policy, immediately roll back the change by modifying the listener configuration. Make these changes during off-peak hours.