
Predefined SSL Security Policies for Elastic Load Balancing

We recommend that you always use the current predefined security policy. For more information about updating the SSL negotiation configuration for your HTTPS/SSL listener, see Update the SSL Negotiation Configuration of Your Classic Load Balancer.

The RSA- and DSA-based ciphers are specific to the signing algorithm used to create the SSL certificate. Make sure to create an SSL certificate using a signing algorithm that matches the ciphers that are enabled for your security policy.

The following table describes the most recent predefined security policies, including their enabled SSL protocols and SSL ciphers. If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified in this table to negotiate connections between the client and load balancer. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

To describe all predefined policies, including the deprecated ones, use the describe-load-balancer-policies command or the DescribeLoadBalancerPolicies action.

Security Policy: 2016-08, 2015-05, 2015-03, 2015-02, 2014-10, 2014-01, 2011-08

SSL Protocols
Protocol-SSLv3
Protocol-TLSv1
Protocol-TLSv1.1
Protocol-TLSv1.2

SSL Options
Server Order Preference

SSL Ciphers
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA 
DHE-RSA-AES128-SHA  
ECDHE-ECDSA-AES256-GCM-SHA384 
ECDHE-RSA-AES256-GCM-SHA384 
ECDHE-ECDSA-AES256-SHA384 
ECDHE-RSA-AES256-SHA384 
ECDHE-RSA-AES256-SHA 
ECDHE-ECDSA-AES256-SHA 
AES128-GCM-SHA256 
AES128-SHA256 
AES128-SHA
AES256-GCM-SHA384 
AES256-SHA256 
AES256-SHA
DHE-DSS-AES128-SHA  
CAMELLIA128-SHA      
EDH-RSA-DES-CBC3-SHA      
DES-CBC3-SHA    
ECDHE-RSA-RC4-SHA     
RC4-SHA    
ECDHE-ECDSA-RC4-SHA       
DHE-DSS-AES256-GCM-SHA384       
DHE-RSA-AES256-GCM-SHA384       
DHE-RSA-AES256-SHA256       
DHE-DSS-AES256-SHA256       
DHE-RSA-AES256-SHA      
DHE-DSS-AES256-SHA      
DHE-RSA-CAMELLIA256-SHA      
DHE-DSS-CAMELLIA256-SHA      
CAMELLIA256-SHA      
EDH-DSS-DES-CBC3-SHA      
DHE-DSS-AES128-GCM-SHA256       
DHE-RSA-AES128-GCM-SHA256       
DHE-RSA-AES128-SHA256       
DHE-DSS-AES128-SHA256       
DHE-RSA-CAMELLIA128-SHA      
DHE-DSS-CAMELLIA128-SHA      
ADH-AES128-GCM-SHA256       
ADH-AES128-SHA       
ADH-AES128-SHA256       
ADH-AES256-GCM-SHA384       
ADH-AES256-SHA       
ADH-AES256-SHA256       
ADH-CAMELLIA128-SHA       
ADH-CAMELLIA256-SHA       
ADH-DES-CBC3-SHA       
ADH-DES-CBC-SHA       
ADH-RC4-MD5       
ADH-SEED-SHA       
DES-CBC-SHA       
DHE-DSS-SEED-SHA       
DHE-RSA-SEED-SHA       
EDH-DSS-DES-CBC-SHA       
EDH-RSA-DES-CBC-SHA       
IDEA-CBC-SHA       
RC4-MD5       
SEED-SHA       
DES-CBC3-MD5       
DES-CBC-MD5       
Deprecated SSL Ciphers
RC2-CBC-MD5       
PSK-AES256-CBC-SHA       
PSK-3DES-EDE-CBC-SHA       
KRB5-DES-CBC3-SHA       
KRB5-DES-CBC3-MD5       
PSK-AES128-CBC-SHA       
PSK-RC4-SHA       
KRB5-RC4-SHA       
KRB5-RC4-MD5       
KRB5-DES-CBC-SHA       
KRB5-DES-CBC-MD5       
EXP-EDH-RSA-DES-CBC-SHA       
EXP-EDH-DSS-DES-CBC-SHA       
EXP-ADH-DES-CBC-SHA       
EXP-DES-CBC-SHA       
EXP-RC2-CBC-MD5       
EXP-KRB5-RC2-CBC-SHA       
EXP-KRB5-DES-CBC-SHA       
EXP-KRB5-RC2-CBC-MD5       
EXP-KRB5-DES-CBC-MD5       
EXP-ADH-RC4-MD5       
EXP-RC4-MD5       
EXP-KRB5-RC4-SHA       
EXP-KRB5-RC4-MD5       

Deprecated SSL Ciphers: If you had previously enabled these ciphers in a custom policy or ELBSample-OpenSSLDefaultCipherPolicy, we recommend that you update your security policy to the current predefined security policy.

Deprecated SSL Protocol: If you had previously enabled the SSLv2 protocol in a custom policy, we recommend that you update your security policy to the current predefined security policy.
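
The Server Order Preference behavior and the certificate requirement described above can be modeled in a few lines of Python. This is an added example, not AWS code: the function names, the client offer, and the rule that maps a cipher name to a certificate type are assumptions made for illustration, and the cipher list is a subset of the table kept in table order.

```python
# Simplified model of cipher selection; an added example, not AWS code.

# Constructed subset of the table's cipher list, kept in table order.
TABLE_ORDER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256",
    "AES128-SHA",
    "DHE-DSS-AES128-SHA",
]

# Constructed client offer, listed with the weakest cipher first.
CLIENT_OFFER = [
    "AES128-SHA",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def cert_algorithm(cipher):
    """Certificate signing algorithm a cipher name implies (assumed rule,
    valid for the names in TABLE_ORDER only)."""
    if "-ECDSA-" in cipher:
        return "ECDSA"
    if "-DSS-" in cipher:
        return "DSA"
    return "RSA"  # *-RSA-* names and plain names such as AES128-SHA


def unusable_ciphers(enabled, cert_type):
    """Enabled ciphers that can never be selected with this certificate."""
    return [c for c in enabled if cert_algorithm(c) != cert_type]


def negotiate(client_ciphers, enabled, cert_type, server_order_preference):
    """Return the cipher chosen for a connection, or None if none matches."""
    usable = [c for c in enabled if cert_algorithm(c) == cert_type]
    if server_order_preference:
        # Load balancer walks its own list, in table order.
        preferred, other = usable, set(client_ciphers)
    else:
        # Load balancer follows the order presented by the client.
        preferred, other = client_ciphers, set(usable)
    return next((c for c in preferred if c in other), None)
```

With the same client offer and an RSA certificate, enabling Server Order Preference selects the first table entry the client supports, while disabling it lets the client's first choice win.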