Elastic Load Balancing
Developer Guide

Predefined SSL Security Policies for Elastic Load Balancing

We recommend that you always use the current predefined security policy. For more information about updating the SSL negotiation configuration for your HTTPS/SSL listener, see Update the SSL Negotiation Configuration of Your Load Balancer.

The RSA- and DSA-based ciphers are specific to the signing algorithm used to create the SSL certificate. Make sure to create your SSL certificate using a signing algorithm that matches the ciphers enabled for your security policy.

The following table describes the most recent predefined security policies, including their enabled SSL protocols and SSL ciphers. If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified in this table to negotiate connections between the client and load balancer. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

To describe all predefined policies, including the deprecated ones, use the describe-load-balancer-policies command or the DescribeLoadBalancerPolicies action.

Security Policy: 2015-05, 2015-03, 2015-02, 2014-10, 2014-01, 2011-08

SSL Protocols
Protocol-SSLv3
Protocol-TLSv1
Protocol-TLSv1.1
Protocol-TLSv1.2

SSL Options
Server Order Preference

SSL Ciphers
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA 
DHE-RSA-AES128-SHA 
ECDHE-ECDSA-AES256-GCM-SHA384 
ECDHE-RSA-AES256-GCM-SHA384 
ECDHE-ECDSA-AES256-SHA384 
ECDHE-RSA-AES256-SHA384 
ECDHE-RSA-AES256-SHA 
ECDHE-ECDSA-AES256-SHA 
AES128-GCM-SHA256 
AES128-SHA256 
AES128-SHA
AES256-GCM-SHA384 
AES256-SHA256 
AES256-SHA
DHE-DSS-AES128-SHA 
CAMELLIA128-SHA     
EDH-RSA-DES-CBC3-SHA     
DES-CBC3-SHA   
ECDHE-RSA-RC4-SHA    
RC4-SHA   
ECDHE-ECDSA-RC4-SHA      
DHE-DSS-AES256-GCM-SHA384      
DHE-RSA-AES256-GCM-SHA384      
DHE-RSA-AES256-SHA256      
DHE-DSS-AES256-SHA256      
DHE-RSA-AES256-SHA     
DHE-DSS-AES256-SHA     
DHE-RSA-CAMELLIA256-SHA     
DHE-DSS-CAMELLIA256-SHA     
CAMELLIA256-SHA     
EDH-DSS-DES-CBC3-SHA     
DHE-DSS-AES128-GCM-SHA256      
DHE-RSA-AES128-GCM-SHA256      
DHE-RSA-AES128-SHA256      
DHE-DSS-AES128-SHA256      
DHE-RSA-CAMELLIA128-SHA     
DHE-DSS-CAMELLIA128-SHA     
ADH-AES128-GCM-SHA256      
ADH-AES128-SHA      
ADH-AES128-SHA256      
ADH-AES256-GCM-SHA384      
ADH-AES256-SHA      
ADH-AES256-SHA256      
ADH-CAMELLIA128-SHA      
ADH-CAMELLIA256-SHA      
ADH-DES-CBC3-SHA      
ADH-DES-CBC-SHA      
ADH-RC4-MD5      
ADH-SEED-SHA      
DES-CBC-SHA      
DHE-DSS-SEED-SHA      
DHE-RSA-SEED-SHA      
EDH-DSS-DES-CBC-SHA      
EDH-RSA-DES-CBC-SHA      
IDEA-CBC-SHA      
RC4-MD5      
SEED-SHA      
DES-CBC3-MD5      
DES-CBC-MD5      
Deprecated SSL Ciphers
RC2-CBC-MD5      
PSK-AES256-CBC-SHA      
PSK-3DES-EDE-CBC-SHA      
KRB5-DES-CBC3-SHA      
KRB5-DES-CBC3-MD5      
PSK-AES128-CBC-SHA      
PSK-RC4-SHA      
KRB5-RC4-SHA      
KRB5-RC4-MD5      
KRB5-DES-CBC-SHA      
KRB5-DES-CBC-MD5      
EXP-EDH-RSA-DES-CBC-SHA      
EXP-EDH-DSS-DES-CBC-SHA      
EXP-ADH-DES-CBC-SHA      
EXP-DES-CBC-SHA      
EXP-RC2-CBC-MD5      
EXP-KRB5-RC2-CBC-SHA      
EXP-KRB5-DES-CBC-SHA      
EXP-KRB5-RC2-CBC-MD5      
EXP-KRB5-DES-CBC-MD5      
EXP-ADH-RC4-MD5      
EXP-RC4-MD5      
EXP-KRB5-RC4-SHA      
EXP-KRB5-RC4-MD5      

Deprecated SSL Ciphers: If you had previously enabled these ciphers in a custom policy or ELBSample-OpenSSLDefaultCipherPolicy, we recommend that you update your security policy to the current predefined security policy.

Deprecated SSL Protocol: If you had previously enabled the SSLv2 protocol in a custom policy, we recommend that you update your security policy to the current predefined security policy.
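
The following is an added example, not part of the AWS guide: it audits a policy description for the deprecated ciphers and SSLv2 called out above, and applies the Server Order Preference rule to pick a cipher. The sample policy is constructed, and the attribute names Protocol-SSLv2 and Server-Defined-Cipher-Order, the policy name, and the function names are assumptions that do not appear on this page.

```python
import json

# Constructed sample in the shape describe-load-balancer-policies returns, for a
# hypothetical custom policy (not real output). The attribute names Protocol-SSLv2
# and Server-Defined-Cipher-Order are assumptions; they are not on this page.
SAMPLE = json.loads("""{"PolicyDescriptions": [{
  "PolicyName": "example-custom-policy",
  "PolicyTypeName": "SSLNegotiationPolicyType",
  "PolicyAttributeDescriptions": [
    {"AttributeName": "Protocol-SSLv2", "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
    {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "false"},
    {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
    {"AttributeName": "AES128-SHA", "AttributeValue": "true"},
    {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "true"},
    {"AttributeName": "PSK-RC4-SHA", "AttributeValue": "false"}]}]}""")

# These prefixes plus one exact name cover the page's "Deprecated SSL Ciphers" list.
DEPRECATED_PREFIXES = ("EXP-", "KRB5-", "PSK-")
DEPRECATED_EXACT = {"RC2-CBC-MD5"}
ORDER_ATTR = "Server-Defined-Cipher-Order"  # assumed name for Server Order Preference

def enabled(policy):
    """Names of attributes whose value is the string "true"."""
    return [a["AttributeName"] for a in policy["PolicyAttributeDescriptions"]
            if a["AttributeValue"].lower() == "true"]

def audit(policy):
    """Flag the settings the page recommends moving away from."""
    on = enabled(policy)
    return {
        "deprecated_ciphers": [n for n in on
                               if n.startswith(DEPRECATED_PREFIXES) or n in DEPRECATED_EXACT],
        "sslv2_enabled": "Protocol-SSLv2" in on,
        "server_order_preference": ORDER_ATTR in on,
    }

def negotiate(policy, table_order, client_order):
    """First shared cipher: table order with Server Order Preference, else client order."""
    on = set(enabled(policy))
    server = [c for c in table_order if c in on]
    if ORDER_ATTR in on:
        return next((c for c in server if c in client_order), None)
    return next((c for c in client_order if c in server), None)

if __name__ == "__main__":
    policy = SAMPLE["PolicyDescriptions"][0]
    print(audit(policy))
    table = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]  # relative order from the table
    print(negotiate(policy, table, ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]))
```

With Server Order Preference off, the sample policy lets the client's first choice (AES128-SHA) win even though the table lists an ECDHE GCM suite ahead of it.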