When you configure an HTTPS listener for an Application Load Balancer (ALB), a TLS security policy specifies the supported TLS protocol versions and cipher suites for negotiation with clients. ALB offers several common predefined policies. For specific security requirements, you can use a custom policy.
How it works
An ALB uses a TLS security policy to define the supported TLS protocol versions and cipher suites for TLS negotiation. During the handshake, the client sends a Client Hello message listing the TLS protocol versions and cipher suites it supports. The ALB evaluates this list against the policy, selects a mutually supported combination, and responds with a Server Hello. The selected combination then determines the key exchange method and how the session keys are generated.
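The following is an added example, not code from the ALB documentation or from the ALB product itself: a small model of how a TLS security policy constrains the handshake described above. The policy names and their version and cipher lists are constructed for illustration and are not the definitions of any real ALB default policy; the server-preference behaviour and the TLS 1.3 suite separation follow the TLS specification.

```python
# Added example (not from the ALB documentation): model how a TLS security
# policy constrains version and cipher suite selection after a Client Hello.
# The policy contents below are CONSTRUCTED for illustration and are not the
# definitions of any real ALB policy.

# Cipher suites defined by TLS 1.3 (RFC 8446). They are only usable with
# TLS 1.3; every other suite name here is a TLS 1.2-or-earlier suite.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Oldest to newest, used to prefer the newest mutually supported version.
VERSION_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed policies: allowed protocol versions plus cipher suites in the
# server's preference order (OpenSSL names, as the ALB console shows them).
POLICIES = {
    "example_policy_1_2_with_1_3": {
        "versions": {"TLSv1.2", "TLSv1.3"},
        "ciphers": [
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES128-GCM-SHA256",
        ],
    },
    "example_policy_1_0_to_1_2": {
        "versions": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
        "ciphers": [
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-SHA",
            "AES128-SHA",
        ],
    },
}


def negotiate(policy, client_versions, client_ciphers):
    """Return the (version, cipher) the server would pick, or None.

    None means no mutually supported combination exists. On a real listener
    that is a failed handshake, which the user sees as a browser warning.
    The server's own cipher order wins over the client's order.
    """
    common = set(policy["versions"]) & set(client_versions)
    offered = set(client_ciphers)
    # Try the newest mutually supported version first.
    for version in sorted(common, key=VERSION_ORDER.index, reverse=True):
        for suite in policy["ciphers"]:  # server preference order
            if suite not in offered:
                continue
            # TLS 1.3 suites pair only with TLS 1.3; legacy suites only with <= 1.2.
            if (suite in TLS13_SUITES) == (version == "TLSv1.3"):
                return version, suite
    return None


if __name__ == "__main__":
    strict = POLICIES["example_policy_1_2_with_1_3"]
    # A modern client: lands on TLS 1.3.
    print(negotiate(strict, ["TLSv1.2", "TLSv1.3"],
                    ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]))
    # A client that only speaks TLS 1.0/1.1: handshake fails under this policy.
    print(negotiate(strict, ["TLSv1.0", "TLSv1.1"], ["AES128-SHA"]))
```

The second call in the usage block is the compatibility failure mode the troubleshooting section later describes: a client that only offers versions the policy excludes never gets a Server Hello at all.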
Default policies
Security and compliance standards may require specific TLS security policies for ALB. Expand the table below to view the TLS versions and cipher suites supported by each default policy and select one that meets your needs. If the default policies do not meet your requirements, you can create a custom policy.
- The tls_cipher_policy_1_0_to_1_3 policy is supported only by ALB Extensible Edition instances.
- For internet-facing applications without special compatibility requirements, we recommend the tls_cipher_policy_1_2 policy or a stricter one.
Console
Go to the TLS Security Policies page in the ALB console. The Default Policy tab displays the details of each policy.
API
Call the ListSystemSecurityPolicies operation to query the default policies.
Custom policies
Custom policies are supported only by Standard and WAF-enabled ALB instances, not by Basic or Extensible Edition instances.
Create a custom policy
Console
- Go to the TLS Security Policies page in the ALB Console and select the region where your ALB instance is deployed.
- Click Create Custom Policy, configure the following parameters, and then click Create.
  - Minimum Version: To ensure security, we recommend selecting TLS 1.2 or Later unless your application has specific compatibility requirements.
  - Enable TLS 1.3: To ensure network security and efficiency, we recommend enabling this option if it is compatible with your application.
  - Cipher Suite: The selected cipher suites must be compatible with the TLS protocol version.
- After you create the policy, you can select it when you configure a TLS security policy for a listener.
API
Call CreateSecurityPolicy to create a custom policy. Note that the custom policy must be in the same region as the ALB instance.
To use an SM algorithm certificate for HTTPS encryption, select the SM algorithm cipher suite (ECC-SM2-WITH-SM4-SM3) when you create a custom policy. For more information, see Configure SM-based HTTPS on ALB for secure communication.
Update TLS protocols and cipher suites
Console
- Go to the TLS Security Policies page in the ALB Console and select the region of the custom policy.
- Find the target custom policy, click Modify in the Actions column, and then update the TLS protocol versions and cipher suites in the Modify TLS Security Policy dialog box.
API
Call UpdateSecurityPolicyAttribute to update the attributes of a custom policy.
Copy a custom policy to another region
Console
- Go to the TLS Security Policies page in the ALB Console and select the region of the custom policy.
- Find the target custom policy, click Replicate to Other Regions in the Actions column, select the destination region, and then click OK.
API
Call ListSecurityPolicies to obtain the TLSVersions and Ciphers parameters of the source custom policy. Then, call CreateSecurityPolicy and pass these parameter values to create a new policy in the destination region.
Delete a custom policy
To delete a custom policy that is associated with a listener, you must first change the listener's TLS security policy or delete the listener.
Console
- Go to the TLS Security Policies page in the ALB Console and select the region of the custom policy.
- Find the target custom policy, click Delete in the Actions column, and then click OK.
API
Call DeleteSecurityPolicy to delete a custom policy.
Configure a listener TLS security policy
ALB Extensible Edition instances support only the default policy tls_cipher_policy_1_0_to_1_3.
Console
- When you create an HTTPS listener, select a TLS Security Policy on the Configure SSL Certificate tab. When you quickly create an HTTPS listener, select a TLS Security Policy in the Quick Create Listener dialog box.
- To modify a TLS security policy, go to the Listener tab on the instance details page and click the ID of the target HTTPS listener. On the Listener Details page, modify the TLS Security Policy in the SSL Certificate area.
API
When you call CreateListener or UpdateListenerAttribute, set the SecurityPolicyId parameter to the ID of the TLS security policy.
- Call ListSystemSecurityPolicies to query the SecurityPolicyId of a default policy.
- Call ListSecurityPolicies to query the SecurityPolicyId of a custom policy.
Billing
TLS security policies are free of charge, but you are subject to billing for the ALB instance itself.
Production environment
- Backend traffic security: For end-to-end security, deploy your ALB instance and backend servers in the same VPC and use security groups to strictly control access.
- TLS protocol version: If your application has no special compatibility requirements, use TLS 1.2 and TLS 1.3.
- Rollback: If you encounter issues after modifying a TLS security policy, you can immediately roll back the changes by modifying the listener configuration. Perform these changes during off-peak hours.
- Key exchange algorithm: If your application has no special compatibility requirements, avoid using the following RSA key exchange cipher suites in a production environment: AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, and DES-CBC3-SHA. These cipher suites do not support forward secrecy (PFS) and are vulnerable to side-channel attacks. Prioritize cipher suites that use ECDHE or DHE key exchange.
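The following is an added example, not code from the ALB documentation or from the ALB API: a pre-submission check for a custom policy that applies the two rules above and in the Create a custom policy section, namely that cipher suites must be compatible with the enabled TLS versions and that the RSA key exchange suites listed above should be avoided in production. It assumes the version strings are written as "TLSv1.2" and so on; the TLSVersions and Ciphers parameter names are the ones the page cites for CreateSecurityPolicy, but the check logic is our own and the SM2 suite is deliberately left for manual review.

```python
# Added example (not from the ALB documentation): lint a proposed custom
# policy before passing its TLSVersions / Ciphers values to CreateSecurityPolicy.
# Version strings as "TLSv1.2" etc. are an assumption of this example.
import re

# RSA key exchange suites the page advises against in production (no PFS).
NON_PFS_RSA_KX = {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
    "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
}

# Cipher suites defined by TLS 1.3 (RFC 8446); usable only with TLS 1.3.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Ephemeral (EC)DH key exchange in OpenSSL naming: these provide forward secrecy.
PFS_KX = re.compile(r"^(ECDHE|DHE)-")


def lint_policy(tls_versions, ciphers):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    versions = set(tls_versions)
    has_13 = "TLSv1.3" in versions
    has_legacy = bool(versions - {"TLSv1.3"})  # TLS 1.2 or earlier enabled

    if versions & {"TLSv1.0", "TLSv1.1"}:
        findings.append("TLSv1.0/1.1 enabled; TLS 1.2 or later is recommended")

    usable_pfs = 0
    for c in ciphers:
        # Rule 1: suite must be compatible with an enabled protocol version.
        if c in TLS13_SUITES and not has_13:
            findings.append(f"{c}: TLS 1.3 suite, but TLS 1.3 is not enabled")
        elif c not in TLS13_SUITES and not has_legacy:
            findings.append(f"{c}: needs TLS 1.2 or earlier, but only TLS 1.3 is enabled")
        # Rule 2: flag RSA key exchange (no forward secrecy).
        if c in NON_PFS_RSA_KX:
            findings.append(f"{c}: RSA key exchange without forward secrecy; avoid in production")
        elif c not in TLS13_SUITES and not PFS_KX.match(c):
            # e.g. ECC-SM2-WITH-SM4-SM3: not classified here, review by hand.
            findings.append(f"{c}: key exchange not classified by this check; review manually")
        # Count suites that give PFS and are actually usable with the versions.
        if (c in TLS13_SUITES and has_13) or (PFS_KX.match(c) and has_legacy):
            usable_pfs += 1

    if usable_pfs == 0:
        findings.append("no usable ECDHE/DHE or TLS 1.3 suite: policy offers no forward secrecy")
    return findings


if __name__ == "__main__":
    for f in lint_policy(["TLSv1.2"], ["TLS_AES_128_GCM_SHA256", "AES128-SHA"]):
        print("-", f)
```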
Troubleshooting "not secure" warnings
After configuring a high-level TLS security policy, such as tls_cipher_policy_1_2_strict_with_1_3, a client's browser might still display a "Not Secure" or "Insecure Connection" warning when accessing your site. Investigate the following potential causes.
- The client or browser is incompatible with the selected TLS version: Some older browsers or operating systems do not support TLS 1.2 or later. This incompatibility causes the handshake to fail and triggers a security warning. To rule out client compatibility issues, test with the latest version of a mainstream browser like Chrome or Firefox. Support for TLS 1.3 can vary across Safari versions on macOS; switch to Chrome to verify the connection.
- The certificate is expired or the domain name does not match: A TLS security policy controls only the negotiation of protocol versions and cipher suites; it does not affect the certificate's validity. If the certificate is expired or the domain name on the certificate does not match the domain name you are accessing, the browser will also display a security warning. Check that the certificate bound to the ALB listener is valid and that its CN or SAN field covers the domain name being accessed.
- The client has cached old TLS connection information: A browser might cache session information from a previous connection that used an older TLS protocol, causing the old security status to be displayed temporarily. To verify the new configuration, clear your browser's cache and SSL state and then reload the page, or open the page in incognito mode.
- Use an online tool to verify the actual negotiation result: Use an online tool like SSL Labs (https://www.ssllabs.com/ssltest/) to scan your site's domain name. You can then view the actual TLS protocol versions, cipher suites, and certificate chain that ALB supports and confirm that the policy has been applied correctly.
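As an added example (not from the ALB documentation, and not a replacement for a full scanner such as SSL Labs), the script below uses Python's standard ssl module to check the two certificate causes above offline, whether the CN or SAN covers the accessed host name and how long the certificate remains valid, and includes a probe function that reports the version and cipher suite a live listener actually negotiated. The certificate dictionary in the file is constructed sample data in the shape returned by getpeercert(); the host name used in the usage block is a placeholder.

```python
# Added example (not from the ALB documentation): verify the certificate
# conditions from the troubleshooting list and report what a listener
# actually negotiates. Uses only the Python standard library.
import socket
import ssl
import time

# CONSTRUCTED sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
    "notAfter": "Mar 15 00:00:00 2031 GMT",
}


def hostname_covered(cert, hostname):
    """True if hostname is covered by a SAN dNSName; fall back to the CN only
    when the certificate carries no SAN entries at all."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # A wildcard matches exactly one leftmost label.
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Days until notAfter (negative when already expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def probe(host, port=443, timeout=10):
    """Connect with full verification and return the negotiated parameters.

    An expired or mismatched certificate raises ssl.SSLCertVerificationError,
    the same condition that makes a browser show a security warning. A client
    and policy with no version in common raises ssl.SSLError instead.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, proto, bits = tls.cipher()
            return {
                "version": tls.version(),
                "cipher": cipher,
                "key_bits": bits,
                "cert": tls.getpeercert(),
            }


if __name__ == "__main__":
    # Offline checks against the constructed certificate.
    print(hostname_covered(SAMPLE_CERT, "www.example.test"))   # wildcard match
    print(hostname_covered(SAMPLE_CERT, "a.b.example.test"))   # too many labels
    print(round(days_until_expiry(SAMPLE_CERT), 1))
    # Live probe of a listener; replace the placeholder host name before running.
    # result = probe("your-alb-domain.example")  # placeholder
    # print(result["version"], result["cipher"], days_until_expiry(result["cert"]))
```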
TLS cipher suite mapping
The following table maps cipher suites across the OpenSSL format, the IANA standard format, and hexadecimal notation.