
Submitted URL: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
Effective URL: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
Submission: On January 15 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

SELECT YOUR COOKIE PREFERENCES

We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”

Accept all cookiesContinue without acceptingCustomize cookies


CUSTOMIZE COOKIE PREFERENCES

We use cookies and similar tools (collectively, "cookies") for the following
purposes.


ESSENTIAL

Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.




PERFORMANCE

Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.

Allow performance category
Allowed


FUNCTIONAL

Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.

Allow functional category
Allowed


ADVERTISING

Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.

Allow advertising category
Allowed

Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice.

CancelSave preferences




UNABLE TO SAVE COOKIE PREFERENCES

We will only store essential cookies at this time, because we were unable to
save your cookie preferences.

If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.

Dismiss




CREATE AN HTTPS LISTENER FOR YOUR APPLICATION LOAD BALANCER


A listener checks for connection requests. You define a listener when you create
your load balancer, and you can add listeners to your load balancer at any time.

To create an HTTPS listener, you must deploy at least one SSL server certificate
on your load balancer. The load balancer uses a server certificate to terminate
the front-end connection and then decrypt requests from clients before sending
them to the targets. You must also specify a security policy, which is used to
negotiate secure connections between clients and the load balancer.

If you need to pass encrypted traffic to targets without the load balancer
decrypting it, you can create a Network Load Balancer or Classic Load Balancer
with a TCP listener on port 443. With a TCP listener, the load balancer passes
encrypted traffic through to the targets without decrypting it.

Application Load Balancers do not support ED25519 keys.

The information on this page helps you create an HTTPS listener for your load
balancer. To add an HTTP listener to your load balancer, see Create an HTTP
listener for your Application Load Balancer.

CONTENTS

 * SSL certificates
   * Default certificate
   * Certificate list
   * Certificate renewal
 * Security policies
   * TLS 1.3 security policies
   * FIPS security policies
   * FS supported policies
   * TLS 1.0 - 1.2 security policies
   * TLS protocols and ciphers
 * Add an HTTPS listener


SSL CERTIFICATES


The load balancer requires X.509 certificates (SSL/TLS server certificates).
Certificates are a digital form of identification issued by a certificate
authority (CA). A certificate contains identification information, a validity
period, a public key, a serial number, and the digital signature of the issuer.

When you create a certificate for use with your load balancer, you must specify
a domain name. The domain name on the certificate must match the custom domain
name record so that we can verify the TLS connection. If they do not match, the
traffic is not encrypted.

You must specify a fully qualified domain name (FQDN) for your certificate, such
as www.example.com, or an apex domain name such as example.com. You can also use
an asterisk (*) as a wildcard to protect several site names in the same domain.
When you request a wildcard certificate, the asterisk (*) must be in the
leftmost position of the domain name and can protect only one subdomain level.
For instance, *.example.com protects corp.example.com and images.example.com,
but it cannot protect test.login.example.com. Also note that *.example.com
protects only the subdomains of example.com; it does not protect the bare or
apex domain (example.com). The wildcard name appears in the Subject field and
in the Subject Alternative Name extension of the certificate. For more
information about public certificates, see Requesting a public certificate in
the AWS Certificate Manager User Guide.

We recommend that you create certificates for your load balancer using AWS
Certificate Manager (ACM). ACM supports RSA certificates with 2048, 3072, and
4096-bit key lengths, and all ECDSA certificates. ACM integrates with Elastic
Load Balancing so that you can deploy the certificate on your load balancer. For
more information, see the AWS Certificate Manager User Guide.

Alternatively, you can use SSL/TLS tools to create a certificate signing request
(CSR), then get the CSR signed by a CA to produce a certificate, then import the
certificate into ACM or upload the certificate to AWS Identity and Access
Management (IAM). For more information about importing certificates into ACM,
see Importing certificates in the AWS Certificate Manager User Guide. For more
information about uploading certificates to IAM, see Working with server
certificates in the IAM User Guide.


DEFAULT CERTIFICATE

When you create an HTTPS listener, you must specify exactly one certificate.
This certificate is known as the default certificate. You can replace the
default certificate after you create the HTTPS listener. For more information,
see Replace the default certificate.

If you specify additional certificates in a certificate list, the default
certificate is used only if a client connects without using the Server Name
Indication (SNI) protocol to specify a hostname or if there are no matching
certificates in the certificate list.

If you do not specify additional certificates but need to host multiple secure
applications through a single load balancer, you can use a wildcard certificate
or add a Subject Alternative Name (SAN) for each additional domain to your
certificate.


CERTIFICATE LIST

After you create an HTTPS listener, it has a default certificate and an empty
certificate list. You can optionally add certificates to the certificate list
for the listener. Using a certificate list enables the load balancer to support
multiple domains on the same port and provide a different certificate for each
domain. For more information, see Add certificates to the certificate list.

The load balancer uses a smart certificate selection algorithm with support for
SNI. If the hostname provided by a client matches a single certificate in the
certificate list, the load balancer selects this certificate. If a hostname
provided by a client matches multiple certificates in the certificate list, the
load balancer selects the best certificate that the client can support.
Certificate selection is based on the following criteria in the following order:

 * Public key algorithm (prefer ECDSA over RSA)

 * Hashing algorithm (prefer SHA over MD5)

 * Key length (prefer the largest)

 * Validity period

The load balancer access log entries indicate the hostname specified by the
client and the certificate presented to the client. For more information, see
Access log entries.
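
The wildcard rules from the SSL certificates section and the certificate
selection order above, reimplemented as an added Python example (this is not
AWS code and not how the load balancer is implemented; it only reproduces the
rules the page states so they can be checked offline). The certificate records
are constructed, the ARNs are placeholders, the client is assumed to support
every algorithm, and "validity period" is read as the later expiry date, which
is an assumption.

```python
"""Added example (not AWS code): hostname matching and certificate selection
as described on this page, checked against constructed certificate records."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Cert:
    arn: str            # placeholder ARN, not a real resource
    names: List[str]    # Subject CN plus Subject Alternative Names
    key_alg: str        # "ECDSA" or "RSA"
    hash_alg: str       # "SHA" or "MD5" (signature hash family)
    key_bits: int
    not_after: datetime


def name_covers(cert_name: str, hostname: str) -> bool:
    """Wildcard rules from the text: '*' only as the leftmost label, it covers
    exactly one label, and it never covers the apex domain itself."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                      # "*.example.com" -> ".example.com"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    covered_label = hostname[: -len(suffix)]    # the single label the '*' stands for
    return covered_label != "" and "." not in covered_label


def select_certificate(cert_list: List[Cert], default_cert: Cert,
                       sni_hostname: Optional[str]) -> Cert:
    """Return the certificate the listener would present for this client.
    Assumption: the client supports every algorithm, so 'the best certificate
    the client can support' reduces to the ranking in rank()."""
    if sni_hostname is None:                    # no SNI -> default certificate
        return default_cert
    matches = [c for c in cert_list
               if any(name_covers(n, sni_hostname) for n in c.names)]
    if not matches:                             # nothing in the list matches
        return default_cert
    if len(matches) == 1:
        return matches[0]

    def rank(c: Cert):
        # Criteria in the order the page lists them: ECDSA over RSA, SHA over
        # MD5, largest key, then validity (assumed: later expiry wins).
        return (c.key_alg == "ECDSA", c.hash_alg == "SHA", c.key_bits, c.not_after)

    return max(matches, key=rank)


# Constructed records with placeholder ARNs.
ACM = "arn:aws:acm:us-east-1:123456789012:certificate/"
DEFAULT = Cert(ACM + "DEFAULT-PLACEHOLDER", ["www.example.com"],
               "RSA", "SHA", 2048, datetime(2026, 1, 1))
WILDCARD_RSA = Cert(ACM + "WILDCARD-PLACEHOLDER", ["*.example.com"],
                    "RSA", "SHA", 4096, datetime(2026, 6, 1))
API_ECDSA = Cert(ACM + "API-PLACEHOLDER", ["api.example.com"],
                 "ECDSA", "SHA", 256, datetime(2025, 6, 1))
CERT_LIST = [WILDCARD_RSA, API_ECDSA]

if __name__ == "__main__":
    for host in (None, "api.example.com", "images.example.com",
                 "test.login.example.com", "example.com"):
        print(host, "->", select_certificate(CERT_LIST, DEFAULT, host).arn)
```

For api.example.com both the wildcard RSA certificate and the ECDSA certificate
match; the ECDSA one wins on the first criterion even though its key is shorter.
The apex name and the two-level subdomain fall through to the default
certificate because the wildcard does not cover them.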


CERTIFICATE RENEWAL

Each certificate comes with a validity period. You must ensure that you renew or
replace each certificate for your load balancer before its validity period ends.
This includes the default certificate and certificates in a certificate list.
Renewing or replacing a certificate does not affect in-flight requests that were
received by the load balancer node and are pending routing to a healthy target.
After a certificate is renewed, new requests use the renewed certificate. After
a certificate is replaced, new requests use the new certificate.

You can manage certificate renewal and replacement as follows:

 * Certificates provided by AWS Certificate Manager and deployed on your load
   balancer can be renewed automatically. ACM attempts to renew certificates
   before they expire. For more information, see Managed renewal in the AWS
   Certificate Manager User Guide.

 * If you imported a certificate into ACM, you must monitor the expiration date
   of the certificate and renew it before it expires. For more information, see
   Importing certificates in the AWS Certificate Manager User Guide.

 * If you imported a certificate into IAM, you must create a new certificate,
   import the new certificate to ACM or IAM, add the new certificate to your
   load balancer, and remove the expired certificate from your load balancer.


SECURITY POLICIES


Elastic Load Balancing uses a Secure Sockets Layer (SSL) negotiation
configuration, known as a security policy, to negotiate SSL connections between
a client and the load balancer. A security policy is a combination of protocols
and ciphers. The protocol establishes a secure connection between a client and a
server and ensures that all data passed between the client and your load
balancer is private. A cipher is an encryption algorithm that uses encryption
keys to create a coded message. Protocols use several ciphers to encrypt data
over the internet. During the connection negotiation process, the client and the
load balancer present a list of ciphers and protocols that they each support, in
order of preference. By default, the first cipher on the server's list that
matches any one of the client's ciphers is selected for the secure connection.

CONSIDERATIONS:

 * Application Load Balancers support SSL renegotiation for target connections
   only.

 * Application Load Balancers do not support custom security policies.

 * The ELBSecurityPolicy-TLS13-1-2-2021-06 policy is the default security policy
   for HTTPS listeners created using the AWS Management Console.

 * The ELBSecurityPolicy-2016-08 policy is the default security policy for HTTPS
   listeners created using the AWS CLI.

 * When you create an HTTPS listener, selecting a security policy is required.
   
    * We recommend the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy,
      which includes TLS 1.3, and is backwards compatible with TLS 1.2.

 * You can choose the security policy that is used for front-end connections,
   but not backend connections.
   
    * For backend connections, if your HTTPS listener is using a TLS 1.3
      security policy, the ELBSecurityPolicy-TLS13-1-0-2021-06 security policy
      is used. Otherwise, the ELBSecurityPolicy-2016-08 security policy is used
      for backend connections.

 * To meet compliance and security standards that require disabling certain TLS
   protocol versions, or to support legacy clients requiring deprecated ciphers,
   you can use one of the ELBSecurityPolicy-TLS- security policies. To view the
   TLS protocol version for requests to your Application Load Balancer, enable
   access logging for your load balancer and examine the corresponding access
   log entries. For more information, see Access logs for your Application Load
   Balancer.

 * You can restrict which security policies are available to users across your
   AWS accounts and AWS Organizations by using the Elastic Load Balancing
   condition keys in your IAM policies and service control policies (SCPs),
   respectively. For more information, see Service control policies (SCPs) in
   the AWS Organizations User Guide.
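
The considerations above point at the access log as the place to see which TLS
version a client negotiated, and the certificate list section notes that the
same log records the SNI hostname and the certificate presented. The following
added Python example (not AWS code) reads those fields out of access log lines.
The field positions are assumed from the space-separated ALB access log format
(with quoted request, user agent, trace id, domain name and certificate ARN
fields); the three log lines are constructed and every ARN in them is a
placeholder.

```python
"""Added example (not AWS code): TLS protocol, cipher, SNI hostname and
presented certificate per request, from constructed ALB access log lines."""
import shlex
from collections import Counter
from typing import Dict, List, Tuple

# 0-based field positions this example reads (assumed ALB access log layout).
CLIENT, SSL_CIPHER, SSL_PROTOCOL, DOMAIN_NAME, CHOSEN_CERT_ARN = 3, 14, 15, 18, 19

# Ordering used to compare negotiated versions against a floor.
TLS_ORDER = {"TLSv1": 1.0, "TLSv1.1": 1.1, "TLSv1.2": 1.2, "TLSv1.3": 1.3}

TG = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/TG-ID-PLACEHOLDER"
CERT = "arn:aws:acm:us-east-1:123456789012:certificate/"

# Constructed log lines (placeholder ARNs and trace ids).
SAMPLE_LOG = [
    # www: TLS 1.2 with an ECDHE cipher
    'https 2024-01-15T10:00:01.000000Z app/my-load-balancer/abcdef01234567890 '
    '203.0.113.10:51234 10.0.1.20:443 0.001 0.010 0.000 200 200 512 1024 '
    '"GET https://www.example.com:443/ HTTP/1.1" "curl/8.0" '
    f'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-TRACE-PLACEHOLDER-1" '
    f'"www.example.com" "{CERT}CERT-WWW-PLACEHOLDER" 0 2024-01-15T10:00:01.000000Z '
    '"forward" "-" "-" "10.0.1.20:443" "200" "-" "-"',
    # api: TLS 1.3
    'https 2024-01-15T10:00:02.000000Z app/my-load-balancer/abcdef01234567890 '
    '203.0.113.25:40210 10.0.1.21:443 0.001 0.008 0.000 200 200 420 2048 '
    '"GET https://api.example.com:443/v1/health HTTP/1.1" "python-requests/2.31" '
    f'TLS_AES_128_GCM_SHA256 TLSv1.3 {TG} "Root=1-TRACE-PLACEHOLDER-2" '
    f'"api.example.com" "{CERT}CERT-API-PLACEHOLDER" 1 2024-01-15T10:00:02.000000Z '
    '"forward" "-" "-" "10.0.1.21:443" "200" "-" "-"',
    # legacy: a client that only negotiated TLS 1.0 with a non-ECDHE cipher
    'https 2024-01-15T10:00:03.000000Z app/my-load-balancer/abcdef01234567890 '
    '198.51.100.7:33001 10.0.1.20:443 0.002 0.020 0.000 200 200 300 900 '
    '"GET https://legacy.example.com:443/ HTTP/1.1" "OldAgent/1.0" '
    f'AES128-SHA TLSv1 {TG} "Root=1-TRACE-PLACEHOLDER-3" '
    f'"legacy.example.com" "{CERT}CERT-WILDCARD-PLACEHOLDER" 0 2024-01-15T10:00:03.000000Z '
    '"forward" "-" "-" "10.0.1.20:443" "200" "-" "-"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one access log line into the fields this example cares about."""
    f = shlex.split(line)                 # honours the quoted fields
    return {
        "client": f[CLIENT].rsplit(":", 1)[0],
        "cipher": f[SSL_CIPHER],
        "protocol": f[SSL_PROTOCOL],      # "-" on plain HTTP listeners
        "domain": f[DOMAIN_NAME],         # SNI hostname the client sent
        "cert_arn": f[CHOSEN_CERT_ARN],   # certificate the load balancer presented
    }


def protocol_histogram(lines: List[str]) -> Dict[str, int]:
    """How many requests negotiated each TLS version."""
    return dict(Counter(parse_line(l)["protocol"] for l in lines))


def certificate_per_domain(lines: List[str]) -> Dict[str, str]:
    """Which certificate was presented for each SNI hostname."""
    return {r["domain"]: r["cert_arn"] for r in map(parse_line, lines)}


def below_floor(lines: List[str], floor: str = "TLSv1.2") -> List[Tuple[str, str, str, str]]:
    """Clients that negotiated a version older than the floor; these are the
    ones that would break if the listener moved to a policy without that
    version. Non-TLS lines ("-") are skipped."""
    out = []
    for r in map(parse_line, lines):
        version = TLS_ORDER.get(r["protocol"])
        if version is not None and version < TLS_ORDER[floor]:
            out.append((r["client"], r["domain"], r["protocol"], r["cipher"]))
    return out


if __name__ == "__main__":
    print(protocol_histogram(SAMPLE_LOG))
    print(certificate_per_domain(SAMPLE_LOG))
    print(below_floor(SAMPLE_LOG))
```

Run over a real log, below_floor gives the list of clients to deal with before
tightening the security policy, and certificate_per_domain confirms that each
hostname in the certificate list is actually served by the certificate you
expect rather than falling back to the default.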


TLS 1.3 SECURITY POLICIES

NOTE

TLS 1.3 security policies for Application Load Balancers are only supported in
the new EC2 experience. When using the old EC2 experience, TLS 1.3 security
policies are not available for selection.

Elastic Load Balancing provides the following TLS 1.3 security policies for
Application Load Balancers:

 * ELBSecurityPolicy-TLS13-1-2-2021-06 (Recommended)

 * ELBSecurityPolicy-TLS13-1-2-Res-2021-06

 * ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

 * ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

 * ELBSecurityPolicy-TLS13-1-1-2021-06

 * ELBSecurityPolicy-TLS13-1-0-2021-06

 * ELBSecurityPolicy-TLS13-1-3-2021-06


FIPS SECURITY POLICIES

IMPORTANT

All secure listeners attached to an Application Load Balancer must use either
FIPS security policies or non-FIPS security policies; they cannot be mixed. If
an existing Application Load Balancer has two or more listeners using non-FIPS
policies and you want the listeners to use FIPS security policies instead,
remove all listeners until there is only one. Change the security policy of the
listener to FIPS and then create additional listeners using FIPS security
policies. Alternatively, you can create a new Application Load Balancer with new
listeners using only FIPS security policies.

The Federal Information Processing Standard (FIPS) is a US and Canadian
government standard that specifies the security requirements for cryptographic
modules that protect sensitive information. To learn more, see Federal
Information Processing Standard (FIPS) 140 on the AWS Cloud Security Compliance
page.

All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To
learn more, see the AWS-LC Cryptographic Module page on the NIST Cryptographic
Module Validation Program site.

Elastic Load Balancing provides the following FIPS security policies for
Application Load Balancers:

 * ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

 * ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

 * ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 (Recommended)

 * ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

 * ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

 * ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

 * ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

 * ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
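
Two of the rules above are easy to drift away from: the AWS CLI default policy
(ELBSecurityPolicy-2016-08, one of the TLS 1.0 - 1.2 policies) is applied when
create-listener is run without --ssl-policy, and a load balancer may not mix
FIPS and non-FIPS listeners. The following added Python example (not AWS code)
audits listener records in the JSON shape returned by
aws elbv2 describe-listeners (Listeners[].Protocol, .SslPolicy,
.LoadBalancerArn, .ListenerArn). The listener records are constructed, the ARNs
are placeholders, and the allowlist is this example's choice (the two policies
the page recommends), not something the page prescribes.

```python
"""Added example (not AWS code): audit Application Load Balancer listeners
for the CLI default policy, non-allowlisted policies and FIPS/non-FIPS mixing."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Allowlist chosen for this example: the two policies the page recommends.
ALLOWED_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04",
}
# Applied by the AWS CLI when create-listener is run without --ssl-policy.
CLI_DEFAULT_POLICY = "ELBSecurityPolicy-2016-08"


def is_fips(policy: str) -> bool:
    """FIPS policies carry '-FIPS-' in their name (see the list above)."""
    return "-FIPS-" in policy


def listeners_from_cli_json(text: str) -> List[dict]:
    """Accept the raw output of 'aws elbv2 describe-listeners'."""
    return json.loads(text)["Listeners"]


def audit_listeners(listeners: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (resource_arn, finding_code, detail) tuples."""
    findings: List[Tuple[str, str, str]] = []
    fips_modes: Dict[str, Set[bool]] = defaultdict(set)   # per load balancer
    for lst in listeners:
        if lst.get("Protocol") != "HTTPS":
            continue                                    # HTTP listeners have no policy
        policy = lst.get("SslPolicy", "")
        fips_modes[lst["LoadBalancerArn"]].add(is_fips(policy))
        if policy == CLI_DEFAULT_POLICY:
            findings.append((lst["ListenerArn"], "cli-default-policy", policy))
        elif policy not in ALLOWED_POLICIES:
            findings.append((lst["ListenerArn"], "policy-not-allowed", policy))
    for lb_arn, modes in fips_modes.items():
        if len(modes) > 1:                              # both True and False seen
            findings.append((lb_arn, "fips-mixed-with-non-fips",
                             "all listeners on a load balancer must be FIPS or all non-FIPS"))
    return findings


# Constructed records with placeholder ARNs.
LB_A = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/lb-a/LB-A-PLACEHOLDER"
LB_B = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/lb-b/LB-B-PLACEHOLDER"


def _listener(lb_arn: str, name: str, port: int, protocol: str, policy: str = "") -> dict:
    rec = {"ListenerArn": lb_arn.replace("loadbalancer/", "listener/") + "/" + name,
           "LoadBalancerArn": lb_arn, "Port": port, "Protocol": protocol}
    if policy:
        rec["SslPolicy"] = policy
    return rec


SAMPLE_LISTENERS = [
    _listener(LB_A, "L443", 443, "HTTPS", "ELBSecurityPolicy-TLS13-1-2-2021-06"),
    _listener(LB_A, "L8443", 8443, "HTTPS", "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04"),
    _listener(LB_A, "L80", 80, "HTTP"),
    _listener(LB_B, "L443", 443, "HTTPS", "ELBSecurityPolicy-2016-08"),
]

if __name__ == "__main__":
    for arn, code, detail in audit_listeners(SAMPLE_LISTENERS):
        print(code, arn, detail)
```

Running this before a modify-listener call catches the FIPS mixing case the
IMPORTANT box describes, and running it after every create-listener catches
the CLI default policy being left in place.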


FS SUPPORTED POLICIES

Elastic Load Balancing provides the following FS (Forward Secrecy) supported
security policies for Application Load Balancers:

 * ELBSecurityPolicy-FS-1-2-Res-2020-10

 * ELBSecurityPolicy-FS-1-2-Res-2019-08

 * ELBSecurityPolicy-FS-1-2-2019-08

 * ELBSecurityPolicy-FS-1-1-2019-08

 * ELBSecurityPolicy-FS-2018-06


TLS 1.0 - 1.2 SECURITY POLICIES

Elastic Load Balancing provides the following TLS 1.0 - 1.2 security policies
for Application Load Balancers:

 * ELBSecurityPolicy-TLS-1-2-Ext-2018-06

 * ELBSecurityPolicy-TLS-1-2-2017-01

 * ELBSecurityPolicy-TLS-1-1-2017-01

 * ELBSecurityPolicy-2016-08

 * ELBSecurityPolicy-TLS-1-0-2015-04

 * ELBSecurityPolicy-2015-05 (identical to ELBSecurityPolicy-2016-08)


TLS PROTOCOLS AND CIPHERS

TLS 1.3

The following table describes the supported TLS protocols and ciphers for the
available TLS 1.3 security policies.

Note: The ELBSecurityPolicy- prefix has been removed from the policy names in
the security policies row.

Example: Security policy ELBSecurityPolicy-TLS13-1-2-2021-06 is displayed as
TLS13-1-2-2021-06.

Security policies: the TLS 1.3 policies listed above (ELBSecurityPolicy- prefix
removed). Only the check marks of each row survived extraction, not their
column positions, so a row shows how many of the policies support the item,
not which ones.

TLS Protocols
  Protocol-TLSv1                  ✓
  Protocol-TLSv1.1                ✓ ✓
  Protocol-TLSv1.2                ✓ ✓ ✓ ✓ ✓ ✓
  Protocol-TLSv1.3                ✓ ✓ ✓ ✓ ✓ ✓ ✓
TLS Ciphers
  TLS_AES_128_GCM_SHA256          ✓ ✓ ✓ ✓ ✓ ✓ ✓
  TLS_AES_256_GCM_SHA384          ✓ ✓ ✓ ✓ ✓ ✓ ✓
  TLS_CHACHA20_POLY1305_SHA256    ✓ ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-GCM-SHA256   ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-GCM-SHA256     ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-SHA256       ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-SHA256         ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-SHA          ✓ ✓ ✓
  ECDHE-RSA-AES128-SHA            ✓ ✓ ✓
  ECDHE-ECDSA-AES256-GCM-SHA384   ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-GCM-SHA384     ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-SHA384       ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-SHA384         ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-SHA            ✓ ✓ ✓
  ECDHE-ECDSA-AES256-SHA          ✓ ✓ ✓
  AES128-GCM-SHA256               ✓ ✓ ✓ ✓
  AES128-SHA256                   ✓ ✓ ✓ ✓
  AES128-SHA                      ✓ ✓ ✓
  AES256-GCM-SHA384               ✓ ✓ ✓ ✓
  AES256-SHA256                   ✓ ✓ ✓ ✓
  AES256-SHA                      ✓ ✓ ✓

TO CREATE AN HTTPS LISTENER THAT USES A TLS 1.3 POLICY USING THE CLI

Use the create-listener command with any TLS 1.3 security policy.

The example uses the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy. An
HTTPS listener also needs the load balancer ARN, a certificate, and a default
action; the certificate and target group ARNs below are placeholders to replace
with your own.

aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/abcdef01234567890 \
--protocol HTTPS --port 443 \
--certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/CERTIFICATE-ID-PLACEHOLDER \
--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/TARGET-GROUP-ID-PLACEHOLDER \
--ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06

TO MODIFY AN HTTPS LISTENER TO USE A TLS 1.3 POLICY USING THE CLI

Use the modify-listener command with any TLS 1.3 security policy.

The example uses the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy.

aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/abcdef01234567890/1234567890abcdef0 \
--ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06

TO VIEW THE SECURITY POLICIES USED BY A LISTENER USING THE CLI

Use the describe-listeners command with the ARN of your listener.

aws elbv2 describe-listeners \
--listener-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/abcdef01234567890/1234567890abcdef0

TO VIEW THE CONFIGURATION OF A TLS 1.3 SECURITY POLICY USING THE CLI

Use the describe-ssl-policies command with any TLS 1.3 security policy.

The example uses the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy.

aws elbv2 describe-ssl-policies \
--names ELBSecurityPolicy-TLS13-1-2-2021-06

FIPS

IMPORTANT

Policies ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 and
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 are provided for legacy compatibility
only. While they use FIPS cryptography from the FIPS 140 module, they may
not conform to the latest NIST guidance for TLS configuration.

The following table describes the supported TLS protocols and ciphers for the
available FIPS security policies.

Note: The ELBSecurityPolicy- prefix has been removed from the policy names in
the security policies row.

Example: Security policy ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 is displayed
as TLS13-1-2-FIPS-2023-04.

Security policies: the FIPS policies listed above (ELBSecurityPolicy- prefix
removed). Only the check marks of each row survived extraction, not their
column positions, so a row shows how many of the policies support the item,
not which ones.

TLS Protocols
  Protocol-TLSv1                  ✓
  Protocol-TLSv1.1                ✓ ✓
  Protocol-TLSv1.2                ✓ ✓ ✓ ✓ ✓ ✓ ✓
  Protocol-TLSv1.3                ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
TLS Ciphers
  TLS_AES_128_GCM_SHA256          ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
  TLS_AES_256_GCM_SHA384          ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-GCM-SHA256   ✓ ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-GCM-SHA256     ✓ ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-SHA256       ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-SHA256         ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-SHA          ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-SHA            ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-GCM-SHA384   ✓ ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-GCM-SHA384     ✓ ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-SHA384       ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-SHA384         ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-SHA            ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-SHA          ✓ ✓ ✓ ✓
  AES128-GCM-SHA256               ✓ ✓ ✓ ✓
  AES128-SHA256                   ✓ ✓ ✓ ✓
  AES128-SHA                      ✓ ✓ ✓
  AES256-GCM-SHA384               ✓ ✓ ✓ ✓
  AES256-SHA256                   ✓ ✓ ✓ ✓
  AES256-SHA                      ✓ ✓ ✓

TO CREATE AN HTTPS LISTENER THAT USES A FIPS POLICY USING THE CLI

Use the create-listener command with any FIPS security policy.

The example uses the ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 security policy.
An HTTPS listener also needs the load balancer ARN, a certificate, and a
default action; the certificate and target group ARNs below are placeholders to
replace with your own.

aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/abcdef01234567890 \
--protocol HTTPS --port 443 \
--certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/CERTIFICATE-ID-PLACEHOLDER \
--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/TARGET-GROUP-ID-PLACEHOLDER \
--ssl-policy ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

TO MODIFY AN HTTPS LISTENER TO USE A FIPS POLICY USING THE CLI

Use the modify-listener command with any FIPS security policy.

The example uses the ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 security policy.

aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/abcdef01234567890/1234567890abcdef0 \
--ssl-policy ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

TO VIEW THE SECURITY POLICIES USED BY A LISTENER USING THE CLI

Use the describe-listeners command with the ARN of your listener.

aws elbv2 describe-listeners \
--listener-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/abcdef01234567890/1234567890abcdef0

TO VIEW THE CONFIGURATION OF A FIPS SECURITY POLICY USING THE CLI

Use the describe-ssl-policies command with any FIPS security policy.

The example uses the ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 security policy.

aws elbv2 describe-ssl-policies \
--names ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

FS

The following table describes the supported TLS protocols and ciphers for the
available FS supported security policies.

Note: The ELBSecurityPolicy- prefix has been removed from the policy names in
the security policies row.

Example: Security policy ELBSecurityPolicy-FS-2018-06 is displayed as
FS-2018-06.

Security policies: the FS supported policies listed above (ELBSecurityPolicy-
prefix removed). Only the check marks of each row survived extraction, not
their column positions, so a row shows how many policies support the item, not
which ones.

TLS Protocols
  Protocol-TLSv1                  ✓ ✓
  Protocol-TLSv1.1                ✓ ✓ ✓
  Protocol-TLSv1.2                ✓ ✓ ✓ ✓ ✓ ✓
TLS Ciphers
  ECDHE-ECDSA-AES128-GCM-SHA256   ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-GCM-SHA256     ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-SHA256       ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-SHA256         ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-SHA          ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-SHA            ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-GCM-SHA384   ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-GCM-SHA384     ✓ ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-SHA384       ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-SHA384         ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-SHA            ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-SHA          ✓ ✓ ✓ ✓
  AES128-GCM-SHA256               ✓
  AES128-SHA256                   ✓
  AES128-SHA                      ✓
  AES256-GCM-SHA384               ✓
  AES256-SHA256                   ✓
  AES256-SHA                      ✓

TO CREATE AN HTTPS LISTENER THAT USES A FS SUPPORTED POLICY USING THE CLI

Use the create-listener command with any FS supported security policy.

The example uses the ELBSecurityPolicy-FS-2018-06 security policy. An HTTPS
listener also needs the load balancer ARN, a certificate, and a default action;
the certificate and target group ARNs below are placeholders to replace with
your own.

aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/abcdef01234567890 \
--protocol HTTPS --port 443 \
--certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/CERTIFICATE-ID-PLACEHOLDER \
--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/TARGET-GROUP-ID-PLACEHOLDER \
--ssl-policy ELBSecurityPolicy-FS-2018-06

TO MODIFY AN HTTPS LISTENER TO USE A FS SUPPORTED POLICY USING THE CLI

Use the modify-listener command with any FS supported security policy.

The example uses the ELBSecurityPolicy-FS-2018-06 security policy.

aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/abcdef01234567890/1234567890abcdef0 \
--ssl-policy ELBSecurityPolicy-FS-2018-06

TO VIEW THE SECURITY POLICIES USED BY A LISTENER USING THE CLI

Use the describe-listeners command with the ARN of your listener.

aws elbv2 describe-listeners \
--listener-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/abcdef01234567890/1234567890abcdef0

TO VIEW THE CONFIGURATION OF A FS SUPPORTED SECURITY POLICY USING THE CLI

Use the describe-ssl-policies command with any FS supported security policy.

The example uses the ELBSecurityPolicy-FS-2018-06 security policy.

aws elbv2 describe-ssl-policies \
--names ELBSecurityPolicy-FS-2018-06

TLS 1.0 - 1.2

The following table describes the supported TLS protocols and ciphers for the
available TLS 1.0-1.2 security policies.

Note: The ELBSecurityPolicy- prefix has been removed from the policy names in
the security policies row.

Example: Security policy ELBSecurityPolicy-TLS-1-2-Ext-2018-06 is displayed as
TLS-1-2-Ext-2018-06.

Security policies: the TLS 1.0 - 1.2 policies listed above (ELBSecurityPolicy-
prefix removed). Only the check marks of each row survived extraction, not
their column positions, so a row shows how many policies support the item, not
which ones.

TLS Protocols
  Protocol-TLSv1                  ✓ ✓
  Protocol-TLSv1.1                ✓ ✓ ✓
  Protocol-TLSv1.2                ✓ ✓ ✓ ✓ ✓
TLS Ciphers
  ECDHE-ECDSA-AES128-GCM-SHA256   ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-GCM-SHA256     ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-SHA256       ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-SHA256         ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES128-SHA          ✓ ✓ ✓ ✓
  ECDHE-RSA-AES128-SHA            ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-GCM-SHA384   ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-GCM-SHA384     ✓ ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-SHA384       ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-SHA384         ✓ ✓ ✓ ✓ ✓
  ECDHE-RSA-AES256-SHA            ✓ ✓ ✓ ✓
  ECDHE-ECDSA-AES256-SHA          ✓ ✓ ✓ ✓
  AES128-GCM-SHA256               ✓ ✓ ✓ ✓ ✓
  AES128-SHA256                   ✓ ✓ ✓ ✓ ✓
  AES128-SHA                      ✓ ✓ ✓ ✓
  AES256-GCM-SHA384               ✓ ✓ ✓ ✓ ✓
  AES256-SHA256                   ✓ ✓ ✓ ✓ ✓
  AES256-SHA                      ✓ ✓ ✓ ✓
  DES-CBC3-SHA                    ✓ *

* Do not use this policy unless you must support a legacy client that requires
the DES-CBC3-SHA cipher, which is a weak cipher.

TO CREATE AN HTTPS LISTENER THAT USES A TLS 1.0-1.2 POLICY USING THE CLI

Use the create-listener command with any TLS 1.0-1.2 supported security policy.

The example uses the ELBSecurityPolicy-2016-08 security policy. An HTTPS
listener also needs the load balancer ARN, a certificate, and a default action;
the certificate and target group ARNs below are placeholders to replace with
your own.

aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/abcdef01234567890 \
--protocol HTTPS --port 443 \
--certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/CERTIFICATE-ID-PLACEHOLDER \
--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/TARGET-GROUP-ID-PLACEHOLDER \
--ssl-policy ELBSecurityPolicy-2016-08

TO MODIFY AN HTTPS LISTENER TO USE A TLS 1.0-1.2 POLICY USING THE CLI

Use the modify-listener command with any TLS 1.0-1.2 supported security policy.

The example uses the ELBSecurityPolicy-2016-08 security policy.

aws elbv2 modify-listener \
--listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/abcdef01234567890/1234567890abcdef0 \
--ssl-policy ELBSecurityPolicy-2016-08

TO VIEW THE SECURITY POLICIES USED BY A LISTENER USING THE CLI

Use the describe-listeners command with the ARN of your listener.

aws elbv2 describe-listeners \
--listener-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/abcdef01234567890/1234567890abcdef0

TO VIEW THE CONFIGURATION OF A TLS 1.0-1.2 SECURITY POLICY USING THE CLI

Use the describe-ssl-policies command with any TLS 1.0-1.2 supported security
policy.

The example uses the ELBSecurityPolicy-2016-08 security policy.

aws elbv2 describe-ssl-policies \
--names ELBSecurityPolicy-2016-08


ADD AN HTTPS LISTENER


You configure a listener with a protocol and a port for connections from clients
to the load balancer, and a target group for the default listener rule. For more
information, see Listener configuration.

PREREQUISITES

 * To create an HTTPS listener, you must specify a certificate and a security
   policy. The load balancer uses the certificate to terminate the connection
   and decrypt requests from clients before routing them to targets. The load
   balancer uses the security policy when negotiating SSL connections with the
   clients.

 * To add a forward action to the default listener rule, you must specify an
   available target group. For more information, see Create a target group.

 * You can specify the same target group in multiple listeners, but these
   listeners must belong to the same load balancer. To use a target group with a
   load balancer, you must verify that it is not used by a listener for any
   other load balancer.

New EC2 experience

TO ADD AN HTTPS LISTENER USING THE CONSOLE

 1.  Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2.  On the navigation pane, choose Load Balancers.

 3.  Select the load balancer.

 4.  On the Listeners and rules tab, choose Add listener.

 5.  For Protocol : Port, choose HTTPS and keep the default port or enter a
     different port.

 6.  (Optional) To enable authentication, under Authentication select Use OpenID
     or Amazon Cognito, and provide the requested information. For more
     information, see Authenticate users using an Application Load Balancer.

 7.  For Default actions, do one of the following:
     
      * Forward to target groups – Choose one or more target groups to forward
        traffic to. To add target groups choose Add target group. If using more
        than one target group, select a weight for each target group and review
        the associated percentage. If stickiness is enabled on one or more of
        the target groups, you must also enable group-level stickiness on the
        rule.
     
      * Redirect to URL – Specify the URL that client requests will be
        redirected to. This can be done by entering each part separately on the
        URI parts tab, or by entering the full address on the Full URL tab. For
        Status code you can configure redirects as either temporary (HTTP 302)
        or permanent (HTTP 301) based on your needs.
     
      * Return fixed response – Specify the Response code that will be returned
        to dropped client requests. Additionally, you can specify the Content
        type and Response body, but they're not required.

 8.  For Security policy, we recommend that you always use the latest predefined
     security policy.

 9.  For Default SSL/TLS certificate, the following options are available:
     
      * If you created or imported a certificate using AWS Certificate Manager,
        select From ACM, then select the certificate from Select a certificate.
     
      * If you imported a certificate using IAM, select From IAM, and then
        select your certificate from Select a certificate.
     
      * If you have a certificate to import but ACM is not available in your
        Region, select Import, then select To IAM. Type the name of the
        certificate in the Certificate name field. In Certificate private key,
        copy and paste the contents of the private key file (PEM-encoded). In
        Certificate body, copy and paste the contents of the public key
        certificate file (PEM-encoded). In Certificate Chain, copy and paste the
        contents of the certificate chain file (PEM-encoded), unless you are
        using a self-signed certificate and it's not important that browsers
        implicitly accept the certificate.

 10. (Optional) To enable mutual authentication, under Client certificate
     handling enable Mutual authentication (mTLS).
     
     When enabled, the default mutual TLS mode is passthrough. In passthrough
     mode the load balancer does not validate the client certificate; it
     forwards the certificate to the targets in HTTP headers, so any validation
     must be performed by the target. Choose Verify with Trust Store to have the
     load balancer validate client certificates itself.
     
     If you select Verify with Trust Store:
     
      * By default, connections with expired client certificates are rejected.
        To change this behavior expand Advanced mTLS settings, then under Client
        certificate expiration select Allow expired client certificates.
     
      * Under Trust Store choose an existing trust store, or choose New trust
        store.
        
         * If you chose New trust store, provide a Trust store name, the S3 URI
           Certificate Authority location, and optionally an S3 URI Certificate
           revocation list location.

 11. Choose Save.

Old EC2 experience

TO ADD AN HTTPS LISTENER USING THE CONSOLE

 1.  Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

 2.  On the navigation pane, choose Load Balancers.

 3.  Select the load balancer.

 4.  On the Listeners tab, choose Add listener.

 5.  For Protocol : Port, choose HTTPS and keep the default port or enter a
     different port.

 6.  (Optional) To authenticate users, for Default actions, choose Add action,
     Authenticate and provide the requested information. For more information,
     see Authenticate users using an Application Load Balancer.

 7.  For Default actions, do one of the following:
     
     * Choose Forward and choose a target group.
     
     * Choose Redirect and provide the URL and status code. For more
       information, see Redirect actions.
     
     * Choose Return fixed response and provide a response code, optional
       content type, and optional response body. For more information, see
       Fixed-response actions.

 8.  For Security policy, we recommend that you keep the console recommended
     security policy.

 9.  For Default SSL/TLS certificate, do one of the following:
     
      * If you created or imported a certificate using AWS Certificate Manager,
        choose From ACM and choose the certificate.
     
      * If you uploaded a certificate using IAM, choose From IAM and choose the
        certificate.

 10. Choose Add.

 11. (Optional) To define additional listener rules that forward requests based
     on a path pattern or a hostname, see Add a rule.

 12. (Optional) To add a certificate list for use with the SNI protocol, see Add
     certificates to the certificate list.



TO ADD AN HTTPS LISTENER USING THE AWS CLI

Use the create-listener command to create the listener and default rule, and the
create-rule command to define additional listener rules.
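The following Python script, added here as an example and not part of the AWS documentation, assembles a create-listener request body using the API's own field names, so the result can be saved to a file and passed as aws elbv2 create-listener --cli-input-json file://listener.json. Before producing the body it rejects the combinations the console steps above steer you away from: a certificate that is neither an ACM certificate nor an IAM server certificate ARN, a policy that is not one of the predefined ELBSecurityPolicy-* names, verify mode without a trust store, and trust-store or expired-certificate settings under passthrough mode, where the load balancer does not validate the client certificate at all. All ARNs in the script are constructed placeholders, and the ARN patterns are this example's own sanity checks, not an AWS specification.

```python
"""Build and sanity-check the request body for `aws elbv2 create-listener`.

The dict produced here uses the create-listener API field names (LoadBalancerArn,
Protocol, Port, SslPolicy, Certificates, DefaultActions, MutualAuthentication), so
it can be written to a file and passed with --cli-input-json. Added example, not
AWS code; every ARN below is a constructed placeholder.
"""
import json
import re

# Shape checks for the two certificate sources the console offers (ACM or IAM)
# and for a trust store ARN. Assumption: these patterns are this example's own.
ACM_CERT_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]+$")
IAM_CERT_ARN = re.compile(r"^arn:aws:iam::\d{12}:server-certificate/.+$")
TRUST_STORE_ARN = re.compile(
    r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:truststore/.+$"
)


def build_https_listener(load_balancer_arn, target_group_arn, certificate_arn,
                         ssl_policy="ELBSecurityPolicy-TLS13-1-2-2021-06",
                         port=443, mtls_mode="off", trust_store_arn=None,
                         allow_expired_client_certs=False):
    """Return a create-listener request dict, or raise ValueError on an unsafe combination."""
    if not (ACM_CERT_ARN.match(certificate_arn) or IAM_CERT_ARN.match(certificate_arn)):
        raise ValueError("certificate must be an ACM certificate or IAM server certificate ARN")
    if not ssl_policy.startswith("ELBSecurityPolicy-"):
        raise ValueError("ssl_policy must name a predefined ELBSecurityPolicy-* policy")
    if mtls_mode not in ("off", "passthrough", "verify"):
        raise ValueError(f"unknown mutual TLS mode: {mtls_mode}")

    request = {
        "LoadBalancerArn": load_balancer_arn,
        "Protocol": "HTTPS",
        "Port": port,
        "SslPolicy": ssl_policy,
        "Certificates": [{"CertificateArn": certificate_arn}],
        # Default rule: forward to one target group.
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }

    if mtls_mode == "verify":
        # Verify is the only mode in which the load balancer checks the client
        # certificate, and it needs a trust store to check it against.
        if not trust_store_arn or not TRUST_STORE_ARN.match(trust_store_arn):
            raise ValueError("verify mode requires a trust store ARN")
        request["MutualAuthentication"] = {
            "Mode": "verify",
            "TrustStoreArn": trust_store_arn,
            # Expired client certificates are rejected unless this is True.
            "IgnoreClientCertificateExpiry": allow_expired_client_certs,
        }
    elif mtls_mode == "passthrough":
        # Passthrough forwards the client certificate to targets without
        # validating it at the load balancer. A trust store or expiry setting
        # here would do nothing and suggests verification was expected.
        if trust_store_arn or allow_expired_client_certs:
            raise ValueError("trust store and expiry settings only apply in verify mode")
        request["MutualAuthentication"] = {"Mode": "passthrough"}
    # mtls_mode == "off": omit MutualAuthentication entirely.
    return request


def to_cli_input_json(request: dict) -> str:
    """Serialize for: aws elbv2 create-listener --cli-input-json file://listener.json"""
    return json.dumps(request, indent=2)


if __name__ == "__main__":
    # Constructed placeholder ARNs; replace with your own.
    req = build_https_listener(
        load_balancer_arn="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example-alb/50dc6c495c0c9188",
        target_group_arn="arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example-tg/73e2d6bc24d8a067",
        certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
        mtls_mode="verify",
        trust_store_arn="arn:aws:elasticloadbalancing:us-east-1:123456789012:truststore/example-ts/0123456789abcdef",
    )
    print(to_cli_input_json(req))
```

Write the printed JSON to listener.json and run aws elbv2 create-listener --cli-input-json file://listener.json; additional rules are then added with create-rule as described above.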

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.