Posted On: Nov 13, 2023

You can now use Elastic Load Balancing (ELB) service-specific condition keys in IAM policies to restrict load balancer configurations for Transport Layer Security (TLS) policy and IP-based access. This enhancement helps you enforce that users in your account follow the standards you have put in place for load balancer configurations.

For TLS, you can use the elasticloadbalancing:ListenerProtocol condition key to restrict users to listeners that support encryption (for example, HTTPS/TLS only), and the elasticloadbalancing:SecurityPolicy condition key to permit only the TLS security policies you approve (for example, TLS 1.3 security policies only). These controls help ensure that your users comply with your organization's requirements for encryption.

For IP-based access controls, you can use the elasticloadbalancing:Scheme or elasticloadbalancing:Subnet condition keys to allow users to create only internal load balancers, which are not accessible from the internet. If you need additional flexibility, you can apply finer-grained controls with the elasticloadbalancing:SecurityGroup condition key, restricting users to approved security groups that allow only known IP addresses.

All five condition keys are available for Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB). Gateway Load Balancer (GWLB) supports only the elasticloadbalancing:Subnet condition key.
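The following identity-based policy is an added example, not taken from AWS documentation, that combines the TLS and IP-based controls described above as explicit Deny guardrails. It assumes the actions shown (CreateListener, ModifyListener, CreateLoadBalancer, SetSecurityGroups) are the ones where these keys are evaluated, that the elasticloadbalancing:SecurityGroup key carries security group ARNs, and that the account ID and security group ID are placeholders to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedListeners",
      "Effect": "Deny",
      "Action": "elasticloadbalancing:CreateListener",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "elasticloadbalancing:ListenerProtocol": ["HTTPS", "TLS"] }
      }
    },
    {
      "Sid": "DenyNonApprovedTlsPolicies",
      "Effect": "Deny",
      "Action": ["elasticloadbalancing:CreateListener", "elasticloadbalancing:ModifyListener"],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": { "elasticloadbalancing:SecurityPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06" }
      }
    },
    {
      "Sid": "DenyInternetFacingLoadBalancers",
      "Effect": "Deny",
      "Action": "elasticloadbalancing:CreateLoadBalancer",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "elasticloadbalancing:Scheme": "internal" }
      }
    },
    {
      "Sid": "DenyUnapprovedSecurityGroups",
      "Effect": "Deny",
      "Action": ["elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:SetSecurityGroups"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "elasticloadbalancing:SecurityGroup": ["arn:aws:ec2:us-east-1:111122223333:security-group/sg-PLACEHOLDER"]
        }
      }
    }
  ]
}
```

StringNotEqualsIfExists is used for the security policy so that a ModifyListener call that does not touch the TLS policy is not denied, while the other Deny statements use plain StringNotEquals so that a request that omits the protocol or scheme is rejected rather than silently allowed. Test the policy with the IAM policy simulator against the load balancer types you use before attaching it to principals.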

This launch is available in all commercial AWS Regions, including the AWS GovCloud (US) Regions. To learn more, refer to the ELB IAM documentation.