Security policies for your Application Load Balancer - Elastic Load Balancing
TLS security policiesFIPS security policiesFS supported policies

Security policies for your Application Load Balancer

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.

Considerations

  • Application Load Balancers support SSL renegotiation for target connections only.

  • Application Load Balancers do not support custom security policies.

  • The ELBSecurityPolicy-TLS13-1-2-2021-06 policy is the default security policy for HTTPS listeners created using the AWS Management Console.

  • The ELBSecurityPolicy-2016-08 policy is the default security policy for HTTPS listeners created using the AWS CLI.

  • When you create an HTTPS listener, selecting a security policy is required.

    • We recommend the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy, which includes TLS 1.3, and is backwards compatible with TLS 1.2.

  • You can choose the security policy that is used for front-end connections, but not backend connections.

    • For backend connections, if any of your HTTPS listeners are using a TLS 1.3 security policy, the ELBSecurityPolicy-TLS13-1-0-2021-06 security policy is used. Otherwise, the ELBSecurityPolicy-2016-08 security policy is used for backend connections.

  • To meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients requiring deprecated ciphers, you can use one of the ELBSecurityPolicy-TLS- security policies. To view the TLS protocol version for requests to your Application Load Balancer, enable access logging for your load balancer and examine the corresponding access log entries. For more information, see Access logs for your Application Load Balancer.

  • You can restrict which security policies are available to users across your AWS accounts and AWS Organizations by using the Elastic Load Balancing condition keys in your IAM and service control policies (SCPs), respectively. For more information, see Service control policies (SCPs) in the AWS Organizations User Guide

  • Application Load Balancers support TLS resumption using PSK (TLS 1.3) and session IDs/session Tickets (TLS 1.2 and older). Resumptions are only supported in connections to the same Application Load Balancer IP address. The 0-RTT Data feature and early_data extension are not implemented.

You can describe the protocols and ciphers using the describe-ssl-policies AWS CLI command, or refer to the tables below.

TLS security policies

You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

Protocols by policy

The following table describes the protocols that each TLS security policy supports.

Security policies TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS13-1-3-2021-06 Yes No No No
ELBSecurityPolicy-TLS13-1-2-2021-06 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Res-2021-06 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 Yes Yes No No
ELBSecurityPolicy-TLS13-1-1-2021-06 Yes Yes Yes No
ELBSecurityPolicy-TLS13-1-0-2021-06 Yes Yes Yes Yes
ELBSecurityPolicy-TLS-1-2-Ext-2018-06 No Yes No No
ELBSecurityPolicy-TLS-1-2-2017-01 No Yes No No
ELBSecurityPolicy-TLS-1-1-2017-01 No Yes Yes No
ELBSecurityPolicy-2016-08 No Yes Yes Yes
ELBSecurityPolicy-2015-05 No Yes Yes Yes

Ciphers by policy

The following table describes the ciphers that each TLS security policy supports.

Security policy Ciphers
ELBSecurityPolicy-TLS13-1-3-2021-06

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256
ELBSecurityPolicy-TLS13-1-2-2021-06

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384
ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384
ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256
ELBSecurityPolicy-TLS13-1-1-2021-06

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS13-1-0-2021-06

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS-1-2-2017-01

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256
ELBSecurityPolicy-TLS-1-1-2017-01

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-2016-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-2015-05

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Policies by cipher

The following table describes the TLS security policies that support each cipher.

Cipher name Security policies Cipher suite

OpenSSL – TLS_AES_128_GCM_SHA256

IANA – TLS_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

1301

OpenSSL – TLS_AES_256_GCM_SHA384

IANA – TLS_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

1302

OpenSSL – TLS_CHACHA20_POLY1305_SHA256

IANA – TLS_CHACHA20_POLY1305_SHA256

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

1303

OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02b

OpenSSL – ECDHE-RSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02f

OpenSSL – ECDHE-ECDSA-AES128-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c023

OpenSSL – ECDHE-RSA-AES128-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c027

OpenSSL – ECDHE-ECDSA-AES128-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c009

OpenSSL – ECDHE-RSA-AES128-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c013

OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02c

OpenSSL – ECDHE-RSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c030

OpenSSL – ECDHE-ECDSA-AES256-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c024

OpenSSL – ECDHE-RSA-AES256-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c028

OpenSSL – ECDHE-ECDSA-AES256-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c00a

OpenSSL – ECDHE-RSA-AES256-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c014

OpenSSL – AES128-GCM-SHA256

IANA – TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

9c

OpenSSL – AES128-SHA256

IANA – TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

3c

OpenSSL – AES128-SHA

IANA – TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

2f

OpenSSL – AES256-GCM-SHA384

IANA – TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

9d

OpenSSL – AES256-SHA256

IANA – TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

3d

OpenSSL – AES256-SHA

IANA – TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

35

FIPS security policies

Important

All secure listeners attached to an Application Load Balancer must use either FIPS security policies or non-FIPS security policies; they cannot be mixed. If an existing Application Load Balancer has two or more listeners using non-FIPS policies and you want the listeners to use FIPS security policies instead, remove all listeners until there is only one. Change the security policy of the listener to FIPS and then create additional listeners using FIPS security policies. Alternatively, you can create a new Application Load Balancer with new listeners using only FIPS security policies.

The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see Federal Information Processing Standard (FIPS) 140 on the AWS Cloud Security Compliance page.

All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To learn more, see the AWS-LC Cryptographic Module page on the NIST Cryptographic Module Validation Program site.

Important

Policies ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 and ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 are provided for legacy compatibility only. While they utilize FIPS cryptography using the FIPS140 module, they may not conform to the latest NIST guidance for TLS configuration.

Protocols by policy

The following table describes the protocols that each FIPS security policy supports.

Security policies TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 Yes No No No
ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 Yes Yes No No
ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 Yes Yes Yes No
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 Yes Yes Yes Yes

Ciphers by policy

The following table describes the ciphers that each FIPS security policy supports.

Security policy Ciphers
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384
ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA
ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Policies by cipher

The following table describes the FIPS security policies that support each cipher.

Cipher name Security policies Cipher suite

OpenSSL – TLS_AES_128_GCM_SHA256

IANA – TLS_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

1301

OpenSSL – TLS_AES_256_GCM_SHA384

IANA – TLS_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

1302

OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c02b

OpenSSL – ECDHE-RSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c02f

OpenSSL – ECDHE-ECDSA-AES128-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c023

OpenSSL – ECDHE-RSA-AES128-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c027

OpenSSL – ECDHE-ECDSA-AES128-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c009

OpenSSL – ECDHE-RSA-AES128-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c013

OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c02c

OpenSSL – ECDHE-RSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c030

OpenSSL – ECDHE-ECDSA-AES256-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c024

OpenSSL – ECDHE-RSA-AES256-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c028

OpenSSL – ECDHE-ECDSA-AES256-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c00a

OpenSSL – ECDHE-RSA-AES256-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

c014

OpenSSL – AES128-GCM-SHA256

IANA – TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

9c

OpenSSL – AES128-SHA256

IANA – TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

3c

OpenSSL – AES128-SHA

IANA – TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

2f

OpenSSL – AES256-GCM-SHA384

IANA – TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

9d

OpenSSL – AES256-SHA256

IANA – TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

3d

OpenSSL – AES256-SHA

IANA – TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

35

FS supported policies

FS (Forward Secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.

Protocols by policy

The following table describes the protocols that each FS supported security policy supports.

Security policies TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-FS-1-2-Res-2020-10 No Yes No No
ELBSecurityPolicy-FS-1-2-Res-2019-08 No Yes No No
ELBSecurityPolicy-FS-1-2-2019-08 No Yes No No
ELBSecurityPolicy-FS-1-1-2019-08 No Yes Yes No
ELBSecurityPolicy-FS-2018-06 No Yes Yes Yes

Ciphers by policy

The following table describes the ciphers that each FS supported security policy supports.

Security policy Ciphers
ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384
ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384
ELBSecurityPolicy-FS-1-2-2019-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA
ELBSecurityPolicy-FS-1-1-2019-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA
ELBSecurityPolicy-FS-2018-06

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

Policies by cipher

The following table describes the FS supported security policies that support each cipher.

Cipher name Security policies Cipher suite

OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02b

OpenSSL – ECDHE-RSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02f

OpenSSL – ECDHE-ECDSA-AES128-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c023

OpenSSL – ECDHE-RSA-AES128-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c027

OpenSSL – ECDHE-ECDSA-AES128-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c009

OpenSSL – ECDHE-RSA-AES128-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c013

OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02c

OpenSSL – ECDHE-RSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c030

OpenSSL – ECDHE-ECDSA-AES256-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c024

OpenSSL – ECDHE-RSA-AES256-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c028

OpenSSL – ECDHE-ECDSA-AES256-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c00a

OpenSSL – ECDHE-RSA-AES256-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c014