When you configure an HTTPS listener for an Application Load Balancer (ALB) instance, its TLS security policy determines the TLS protocol versions and cipher suites that the listener can negotiate with a client. ALB provides several predefined default policies. If these policies do not meet your security requirements, you can create a custom policy.
How it works
A TLS security policy on an ALB instance defines the TLS protocol versions and cipher suites the instance supports for TLS negotiation. During the TLS handshake, the client sends a list of its supported protocol versions and cipher suites in the Client Hello message. Based on this policy, the ALB instance selects a protocol and cipher suite that both it and the client support, then responds with a Server Hello message. The selected combination determines subsequent steps, such as key exchange and session key generation.
Default policies
Various information security standards may require specific TLS security policies for your ALB instance. Review the table below to find a default policy that meets your security and compliance requirements. If none meet your needs, you can create a custom policy.
For Internet-facing applications without special compatibility requirements, we recommend using tls_cipher_policy_1_2 or a stricter policy.
Console
Go to the TLS Security Policies page in the ALB console. On the Default Policy tab, you can view the details of each policy.
API
Call the ListSystemSecurityPolicies operation to query the default policies.
Custom policies
Custom policies are only supported by Standard and WAF-enabled ALB instances. Basic ALB instances do not support this feature.
Create a custom policy
Console
Go to the TLS Security Policies page in the ALB console and select the region of your ALB instance.
Click Create Custom Policy. Configure the following parameters and click Create.
Minimum Version: If your services have no special compatibility requirements, select TLS 1.2 or Later to ensure security.
Enable TLS 1.3: For stronger security and better performance, select this option if your clients and backend services support it.
Cipher Suite: The selected cipher suites must be compatible with the chosen TLS protocol versions.
After the policy is created, you can select it when you associate a TLS security policy with a listener.
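The negotiation described under How it works, together with the rule that the selected cipher suites must be compatible with the chosen TLS versions, as an added example that is not part of this documentation or of ALB itself. The version strings, the TLS 1.3 suite names and the selection rule (highest mutually supported version, ciphers in the policy's own order) are assumptions made for the model.

```python
from dataclasses import dataclass

# Versions oldest to newest; strings assumed to match ALB's TLSVersions values.
VERSION_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# TLS 1.3 cipher suites live in their own namespace and are valid only under TLSv1.3;
# OpenSSL-style names such as ECDHE-RSA-AES128-GCM-SHA256 work only with TLS 1.2 or earlier.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}


@dataclass
class SecurityPolicy:
    tls_versions: list  # e.g. ["TLSv1.2", "TLSv1.3"]
    ciphers: list       # in the order the policy lists them

    def validate(self):
        """Return the problems that make versions and ciphers incompatible ([] = OK)."""
        has_13 = "TLSv1.3" in self.tls_versions
        has_legacy = any(v != "TLSv1.3" for v in self.tls_versions)
        got_13 = any(c in TLS13_SUITES for c in self.ciphers)
        got_legacy = any(c not in TLS13_SUITES for c in self.ciphers)
        problems = []
        if has_13 != got_13:
            problems.append("TLSv1.3 and TLS 1.3 cipher suites must be enabled together")
        if has_legacy != got_legacy:
            problems.append("TLS 1.2-or-earlier versions and suites must be enabled together")
        return problems


def negotiate(policy, client_versions, client_ciphers):
    """Select (version, cipher) for a Client Hello, or None when the handshake must fail.
    Assumed rule: highest mutually supported version that also has a cipher both sides
    support, taking ciphers in the policy's own order (server preference)."""
    for version in reversed(VERSION_ORDER):
        if version not in policy.tls_versions or version not in client_versions:
            continue
        for cipher in policy.ciphers:
            if (cipher in TLS13_SUITES) == (version == "TLSv1.3") and cipher in client_ciphers:
                return version, cipher
    return None


# Constructed sample: a TLS 1.2-or-later policy of the kind recommended above.
STRICT_POLICY = SecurityPolicy(
    ["TLSv1.2", "TLSv1.3"],
    ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
     "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"])
```

A client that offers TLS 1.3 but none of the policy's TLS 1.3 suites falls back to TLS 1.2, and a client that only offers TLS 1.0 or 1.1 gets no handshake at all.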
API
Call the CreateSecurityPolicy operation to create a custom policy. A custom policy can only be used by ALB instances in the same region as the policy.
Update a custom policy
Console
Go to the TLS Security Policies page in the ALB console and select the region of the custom policy.
Find the target custom policy and click Modify in the Actions column. In the Modify TLS Security Policy dialog box, update the TLS protocol versions and cipher suites.
API
Call the UpdateSecurityPolicyAttribute operation to update the attributes of a custom policy.
Copy a custom policy to other regions
Console
Go to the TLS Security Policies page in the ALB console and select the region of the custom policy.
Find the target custom policy, click Replicate to Other Regions in the Actions column, select the destination regions, and click OK.
API
Call the ListSecurityPolicies operation to retrieve the TLSVersions and Ciphers parameters of the custom policy. Then, call the CreateSecurityPolicy operation in the destination region, passing these parameters.
Delete a custom policy
You cannot delete a custom policy that is associated with a listener. To delete the policy, you must first change the listener's TLS security policy or delete the listener.
Console
Go to the TLS Security Policies page in the ALB console and select the region of the custom policy.
Find the target custom policy, click Delete in the Actions column, then click OK.
API
Call the DeleteSecurityPolicy operation to delete a custom policy.
Associate a TLS security policy with a listener
Console
When you create an HTTPS listener, select a TLS Security Policy in the Configure SSL Certificate step. When you use Quick Create to create an HTTPS listener, select a TLS Security Policy in the Quick Create Listener dialog box.
To change a listener's policy, navigate to the details page for that listener. On the Listener Details tab, in the SSL Certificate section, click the edit icon next to the currently used policy and select a new TLS Security Policy.
API
When you call the CreateListener operation to create an HTTPS listener or the UpdateListenerAttribute operation to update an HTTPS listener, specify the TLS security policy in the SecurityPolicyId parameter.
You can call the ListSystemSecurityPolicies operation to retrieve the SecurityPolicyId of a default policy, and the ListSecurityPolicies operation to query the SecurityPolicyId of a custom policy.
Billing
TLS security policies are free of charge. You are charged for purchasing and using ALB instances.
Apply in production
Backend traffic security: To ensure end-to-end security, deploy your ALB instance and backend servers within the same Virtual Private Cloud (VPC), and use security groups and other access control policies to strictly restrict access to the backend servers.
TLS protocol version: If your application has no special compatibility requirements, allow only TLS 1.2 and TLS 1.3 to ensure security.
Rollback: If you encounter issues after changing the TLS security policy, you can revert to the previous policy by editing the listener's configuration. Make these changes during off-peak hours.