AWS elasticloadbalancing documentation change
Summary
Updated SSL/TLS security policy documentation to include new post-quantum hybrid security policies, updated default policies, added compatibility guidelines, and expanded backend connection policy details
Security assessment
The changes introduce new post-quantum TLS security policies (with 'PQ' in their names) and hybrid key exchange algorithms to prepare for quantum-resistant cryptography. While this enhances security posture against future quantum computing threats, there is no evidence of addressing an existing active vulnerability. The changes primarily document new security features rather than patching current issues.
Diff
diff --git a/elasticloadbalancing/latest/application/describe-ssl-policies.md b/elasticloadbalancing/latest/application/describe-ssl-policies.md index 84f0009be..95ab55114 100644 --- a//elasticloadbalancing/latest/application/describe-ssl-policies.md +++ b//elasticloadbalancing/latest/application/describe-ssl-policies.md @@ -9 +9 @@ Example describe-ssl-policies commandsTLS security policiesFIPS security policie -Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection. +ELB uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection. @@ -13,4 +12,0 @@ Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuratio - * Application Load Balancers support SSL renegotiation for target connections only. - - * Application Load Balancers do not support custom security policies. - @@ -19 +15 @@ Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuratio - * Console – The default security policy is `ELBSecurityPolicy-TLS13-1-2-Res-2021-06`. + * Console – The default security policy is `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`. @@ -23 +19 @@ Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuratio - * You can choose the security policy that is used for front-end connections, but not backend connections. The security policy for backend connections depends on the listener security policy: + * To view the TLS protocol version (log field position 5) and key exchange (log field position 13) for connection requests to your load balancer, enable connection logging and examine the corresponding log entries. For more information, see [Connection logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-connection-logs.html). @@ -25 +21 @@ Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuratio - * If the HTTPS listener uses a TLS 1.3 security policy, backend connections use the `ELBSecurityPolicy-TLS13-1-0-2021-06` policy. + * Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms. Clients must support the ML-KEM key exchange to use hybrid post-quantum TLS for key exchange. The hybrid post-quantum policies support SecP256r1MLKEM768, SecP384r1MLKEM1024 and X25519MLKEM768 algorithms. For more information, see [Post-quantum Cryptography](https://aws.amazon.com/security/post-quantum-cryptography/). @@ -27,3 +23 @@ Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuratio - * If the HTTPS listener uses a FIPS policy, backend connections use the `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` policy. - - * Otherwise, backend connections use the `ELBSecurityPolicy-2016-08` policy. + * AWS recommends implementing the new post-quantum TLS (PQ-TLS) based security policy `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` or `ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09`. This policy ensures backward compatibility by supporting clients capable of negotiating hybrid PQ-TLS, TLS 1.3 only, or TLS 1.2 only, thereby minimizing service disruption during the transition to post-quantum cryptography. You can progressively migrate to more restrictive security policies as your client applications develop the capability to negotiate PQ-TLS for key exchange operations. @@ -33 +27 @@ Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuratio - * You can restrict which security policies are available to users across your AWS accounts and AWS Organizations by using the [ Elastic Load Balancing condition keys](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html) in your IAM and service control policies (SCPs), respectively. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _AWS Organizations User Guide_. + * You can restrict which security policies are available to users across your AWS accounts and AWS Organizations by using the [ ELB condition keys](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html) in your IAM and service control policies (SCPs), respectively. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _AWS Organizations User Guide_. @@ -39 +33,35 @@ Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuratio - * Application Load Balancers support the Extended Master Secret (EMS) extension for TLS 1.2. + * Application Load Balancers do not support custom security policies. + + * Application Load Balancers support SSL renegotiation for target connections only. + + + + +###### Compatibility + + * All secure listeners attached to the same load balancer must use compatible security policies. To migrate all secure listeners for a load balancer to security policies that are not compatible with the ones that are currently in use, remove all but one of the secure listeners, change the security policy of the secure listener, and then create additional secure listeners. + + * FIPS post-quantum TLS policies and FIPS policies - **Compatible** + + * Post-quantum TLS policies and FIPS or FIPS post-quantum TLS polices - **Compatible** + + * TLS polices (non-FIPS, non-post-quantum) and FIPS or FIPS post-quantum TLS policies - **Not Compatible** + + * TLS polices (non-FIPS, non-post-quantum) and post-quantum TLS policies - **Not Compatible** + + + + +###### Backend connections + + * You can choose the security policy that is used for front-end connections, but not backend connections. The security policy for backend connections depends on the listener security policy. If any of your listeners are using: + + * **FIPS post-quantum TLS policy** \- Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09` + + * **FIPS policy** \- Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` + + * **Post-quantum TLS policy** \- Backend connections use `ELBSecurityPolicy-TLS13-1-0-PQ-2025-09` + + * **TLS 1.3 policy** \- Backend connections use `ELBSecurityPolicy-TLS13-1-0-2021-06` + + * **Other TLS policy** \- Backend connections use `ELBSecurityPolicy-2016-08` @@ -132,0 +161 @@ ELBSecurityPolicy-TLS13-1-3-2021-06 | Yes | No | No | No +ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | Yes | No | No | No @@ -133,0 +163 @@ ELBSecurityPolicy-TLS13-1-2-2021-06 | Yes | Yes | No | No +ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | Yes | Yes | No | No @@ -134,0 +165 @@ ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | Yes | Yes | No | No +ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | Yes | Yes | No | No @@ -135,0 +167 @@ ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | Yes | Yes | No | No +ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | Yes | Yes | No | No @@ -136,0 +169 @@ ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | Yes | Yes | No | No +ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | Yes | Yes | No | No @@ -138,0 +172 @@ ELBSecurityPolicy-TLS13-1-0-2021-06 | Yes | Yes | Yes | Yes +ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | Yes | Yes | Yes | Yes @@ -150 +184 @@ Security policy | Ciphers -ELBSecurityPolicy-TLS13-1-3-2021-06 | +ELBSecurityPolicy-TLS13-1-3-2021-06 ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | @@ -157 +191 @@ ELBSecurityPolicy-TLS13-1-3-2021-06 | -ELBSecurityPolicy-TLS13-1-2-2021-06 | +ELBSecurityPolicy-TLS13-1-2-2021-06 ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | @@ -172 +206 @@ ELBSecurityPolicy-TLS13-1-2-2021-06 | -ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | +ELBSecurityPolicy-TLS13-1-2-Res-2021-06 ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | @@ -183 +217 @@ ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | -ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | +ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | @@ -208 +242 @@ ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | -ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | +ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | @@ -252 +286 @@ ELBSecurityPolicy-TLS13-1-1-2021-06 | -ELBSecurityPolicy-TLS13-1-0-2021-06 | +ELBSecurityPolicy-TLS13-1-0-2021-06 ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | @@ -368,0 +403 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 @@ -369,0 +405 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -370,0 +407 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 @@ -371,0 +409 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -372,0 +411 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -374,0 +414 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -379,0 +420 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 @@ -380,0 +422 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -381,0 +424 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 @@ -382,0 +426 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -383,0 +428 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -385,0 +431 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -390,0 +437 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 @@ -391,0 +439 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -392,0 +441 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 @@ -393,0 +443 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -394,0 +445 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -396,0 +448 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -401,0 +454 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -402,0 +456 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 @@ -403,0 +458 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -404,0 +460 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -406,0 +463 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -415,0 +473 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -416,0 +475 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 @@ -417,0 +477 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -418,0 +479 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -420,0 +482 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -429,0 +492 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -430,0 +494 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -431,0 +496 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -433,0 +499 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -442,0 +509 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -443,0 +511 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -444,0 +513 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -446,0 +516 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -455,0 +526 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -457,0 +529 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -465,0 +538 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -467,0 +541 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -475,0 +550 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -476,0 +552 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 @@ -477,0 +554 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -478,0 +556 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -480,0 +559 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -489,0 +569 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -490,0 +571 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 @@ -491,0 +573 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 @@ -492,0 +575 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 @@ -494,0 +578 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 @@ -503,0 +588 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 @@ -504,0 +590 @@ Cipher name | Security policies | Cipher suite + * ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09