Application Load Balancer and Network Load Balancer Add New Security Policies for Forward Secrecy with More Stringent Protocols and Ciphers

Posted on: Oct 8, 2019

Application Load Balancers and Network Load Balancers now support three new security policies for forward secrecy: ELBSecurityPolicy-FS-1-2-2019-08, ELBSecurityPolicy-FS-1-1-2019-08 and ELBSecurityPolicy-FS-1-2-Res-2019-08.

ELBSecurityPolicy-FS-1-2-2019-08 gives customers the option of using only the TLS 1.2 protocol with the same set of ciphers as ELBSecurityPolicy-FS-2018-06. The ciphers in this policy ensure Forward Secrecy, preventing out-of-band decryption if someone records the traffic and later compromises the server’s private key. Additionally, ELBSecurityPolicy-FS-1-1-2019-08 is available for customers wanting a more permissive Forward Secrecy policy that supports both TLS 1.1 and TLS 1.2 clients.

ELBSecurityPolicy-FS-1-2-Res-2019-08 is the most restrictive policy available to date, helping customers meet stringent security requirements. This policy supports TLS 1.2 only and includes only ECDHE (PFS) ciphers using SHA256 or stronger (SHA384) hashes.
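The practical question for an operator is which existing listeners still run a policy outside the Forward Secrecy family, and how far to tighten them. The following is an added example, not AWS code: it audits the `Listeners[]` array in the shape returned by `aws elbv2 describe-listeners` (a real CLI command) against the FS policy names in this announcement and builds the `aws elbv2 modify-listener --ssl-policy` command (also a real CLI parameter) to switch a listener. The ARNs and the sample listener set are constructed so the audit runs offline.

```python
"""Audit ELBv2 listeners for forward-secrecy TLS policies (added example, not AWS code).

Input is the JSON produced by `aws elbv2 describe-listeners --load-balancer-arn <arn>`;
a constructed sample is embedded below so the script runs without an AWS account.
"""
import json
from typing import Dict, Iterator, List

# Policies from the announcement (plus the earlier FS-2018-06 it compares against)
# whose cipher lists contain only ECDHE key exchange, i.e. guarantee forward secrecy.
FORWARD_SECRECY_POLICIES = frozenset({
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
    "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-1-2019-08",
    "ELBSecurityPolicy-FS-2018-06",
})

# The subset of those policies that negotiate TLS 1.2 only.
TLS12_ONLY_POLICIES = frozenset({
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
    "ELBSecurityPolicy-FS-1-2-2019-08",
})

# Constructed sample of describe-listeners output. ARNs are placeholders, not real resources;
# the first listener deliberately uses a policy outside the FS family.
SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:000000000000:listener/app/example-alb/0000/aaaa",
         "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:000000000000:listener/app/example-alb/0000/bbbb",
         "Protocol": "HTTP", "Port": 80},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:000000000000:listener/net/example-nlb/1111/cccc",
         "Protocol": "TLS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-FS-1-1-2019-08"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:000000000000:listener/app/example-alb/0000/dddd",
         "Protocol": "HTTPS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2019-08"},
    ]
})


def tls_listeners(describe_output: str) -> Iterator[Dict]:
    """Yield only listeners that terminate TLS: HTTPS on an ALB, TLS on an NLB.

    Plain HTTP/TCP listeners carry no SslPolicy and are skipped."""
    for listener in json.loads(describe_output)["Listeners"]:
        if listener.get("Protocol") in ("HTTPS", "TLS"):
            yield listener


def classify(policy: str) -> str:
    """Map a policy name to one of three verdicts used by the audit."""
    if policy not in FORWARD_SECRECY_POLICIES:
        return "no-forward-secrecy"
    if policy in TLS12_ONLY_POLICIES:
        return "forward-secrecy-tls12-only"
    return "forward-secrecy"


def audit(describe_output: str, require_tls12: bool = False) -> List[Dict]:
    """Return one finding per TLS listener whose policy falls short of the bar.

    By default only listeners without forward secrecy are reported; with
    require_tls12=True, FS policies that still admit TLS 1.1 are reported too."""
    findings = []
    for listener in tls_listeners(describe_output):
        verdict = classify(listener["SslPolicy"])
        short_of_bar = verdict == "no-forward-secrecy" or (
            require_tls12 and verdict != "forward-secrecy-tls12-only"
        )
        if short_of_bar:
            findings.append({
                "ListenerArn": listener["ListenerArn"],
                "Port": listener["Port"],
                "SslPolicy": listener["SslPolicy"],
                "Finding": verdict,
            })
    return findings


def remediation_command(listener_arn: str,
                        policy: str = "ELBSecurityPolicy-FS-1-2-Res-2019-08") -> str:
    """Build the CLI command that moves a listener onto a forward-secrecy policy.

    `modify-listener --ssl-policy` is the real aws elbv2 parameter; the policy is
    swapped in place, so existing clients that cannot negotiate it will fail to connect."""
    return f"aws elbv2 modify-listener --listener-arn {listener_arn} --ssl-policy {policy}"


if __name__ == "__main__":
    for finding in audit(SAMPLE_DESCRIBE_LISTENERS, require_tls12=True):
        print(f"{finding['Finding']:<28} port {finding['Port']:<5} {finding['SslPolicy']}")
        print("  fix:", remediation_command(finding["ListenerArn"]))
```

Run the audit in its default mode first, since a listener moving from a policy that still admits RSA key exchange or TLS 1.0/1.1 to ELBSecurityPolicy-FS-1-2-Res-2019-08 drops any client that cannot negotiate ECDHE over TLS 1.2; `require_tls12=True` is the stricter pass for listeners where that client population is known.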

ELBSecurityPolicy-FS-1-2-2019-08, ELBSecurityPolicy-FS-1-1-2019-08 and ELBSecurityPolicy-FS-1-2-Res-2019-08 are available today for all existing and new Application Load Balancers and Network Load Balancers in all AWS public regions. Learn more about the available policies in the Application Load Balancer and Network Load Balancer documentation.