Predefined SSL security policies for Classic Load Balancers - Elastic Load Balancing
Protocols by policyCiphers by policyPolicies by cipher

Predefined SSL security policies for Classic Load Balancers

You can choose one of the predefined security policies for your HTTPS/SSL listeners. You can use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions. Alternatively, you can create a custom security policy. For more information, see Update the SSL negotiation configuration.

The RSA- and DSA-based ciphers are specific to the signing algorithm used to create SSL certificate. Make sure to create an SSL certificate using the signing algorithm that is based on the ciphers that are enabled for your security policy.

If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified here to negotiate connections between the client and load balancer. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

The following sections describe the most recent predefined security policies for Classic Load Balancers, including their enabled SSL protocols and SSL ciphers. You can also describe the predefined policies using the describe-load-balancer-policies command.

Tip

This information applies only to Classic Load Balancers. For information that applies to other load balancers, see Security policies for your Application Load Balancer and Security policies for your Network Load Balancer.

Protocols by policy

The following table describes the TLS protocols that each security policy supports.

Security policies TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS-1-2-2017-01 Yes No No
ELBSecurityPolicy-TLS-1-1-2017-01 Yes Yes No
ELBSecurityPolicy-2016-08 Yes Yes Yes
ELBSecurityPolicy-2015-05 Yes Yes Yes
ELBSecurityPolicy-2015-03 Yes Yes Yes
ELBSecurityPolicy-2015-02 Yes Yes Yes

Ciphers by policy

The following table describes the ciphers that each security policy supports.

Security policy Ciphers
ELBSecurityPolicy-TLS-1-2-2017-01

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS-1-1-2017-01

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-2016-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-2015-05

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DES-CBC3-SHA
ELBSecurityPolicy-2015-03

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DHE-RSA-AES128-SHA

  • DHE-DSS-AES128-SHA

  • DES-CBC3-SHA
ELBSecurityPolicy-2015-02

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DHE-RSA-AES128-SHA

  • DHE-DSS-AES128-SHA

Policies by cipher

The following table describes the security policies that support each cipher.

Cipher name Security policies Cipher suite

OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02b

OpenSSL – ECDHE-RSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02f

OpenSSL – ECDHE-ECDSA-AES128-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c023

OpenSSL – ECDHE-RSA-AES128-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c027

OpenSSL – ECDHE-ECDSA-AES128-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c009

OpenSSL – ECDHE-RSA-AES128-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c013

OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02c

OpenSSL – ECDHE-RSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c030

OpenSSL – ECDHE-ECDSA-AES256-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c024

OpenSSL – ECDHE-RSA-AES256-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c028

OpenSSL – ECDHE-ECDSA-AES256-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c014

OpenSSL – ECDHE-RSA-AES256-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c00a

OpenSSL – AES128-GCM-SHA256

IANA – TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

9c

OpenSSL – AES128-SHA256

IANA – TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

3c

OpenSSL – AES128-SHA

IANA – TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

2f

OpenSSL – AES256-GCM-SHA384

IANA – TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

9d

OpenSSL – AES256-SHA256

IANA – TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

3d

OpenSSL – AES256-SHA

IANA – TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

35

OpenSSL – DHE-RSA-AES128-SHA

IANA – TLS_DHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

33

OpenSSL – DHE-DSS-AES128-SHA

IANA – TLS_DHE_DSS_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

32

OpenSSL – DES-CBC3-SHA

IANA – TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

0a