enum SslPolicy
| Language | Type name |
|---|---|
 .NET | Amazon.CDK.AWS.ElasticLoadBalancingV2.SslPolicy |
 Java | software.amazon.awscdk.services.elasticloadbalancingv2.SslPolicy |
 Python | aws_cdk.aws_elasticloadbalancingv2.SslPolicy |
 TypeScript (source) | @aws-cdk/aws-elasticloadbalancingv2 » SslPolicy |
Elastic Load Balancing provides the following security policies for Application Load Balancers.
We recommend the Recommended policy for general use. You can use the ForwardSecrecy policy if you require Forward Secrecy (FS).
You can use one of the TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.
See also: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
Example
import { HostedZone } from '@aws-cdk/aws-route53';
import { Certificate } from '@aws-cdk/aws-certificatemanager';
import { SslPolicy } from '@aws-cdk/aws-elasticloadbalancingv2';
const domainZone = HostedZone.fromLookup(this, 'Zone', { domainName: 'example.com' });
const certificate = Certificate.fromCertificateArn(this, 'Cert', 'arn:aws:acm:us-east-1:123456:certificate/abcdefg');
declare const vpc: ec2.Vpc;
declare const cluster: ecs.Cluster;
const loadBalancedFargateService = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'Service', {
vpc,
cluster,
certificate,
sslPolicy: SslPolicy.RECOMMENDED,
domainName: 'api.example.com',
domainZone,
redirectHTTP: true,
taskImageOptions: {
image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
},
});
Members
| Name | Description |
|---|---|
| RECOMMENDED | The recommended security policy. |
| FORWARD_SECRECY_TLS12_RES_GCM | Strong foward secrecy ciphers and TLV1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers. |
| FORWARD_SECRECY_TLS12_RES | Strong forward secrecy ciphers and TLS1.2 only. |
| FORWARD_SECRECY_TLS12 | Forward secrecy ciphers and TLS1.2 only. |
| FORWARD_SECRECY_TLS11 | Forward secrecy ciphers only with TLS1.1 and higher. |
| FORWARD_SECRECY | Forward secrecy ciphers only. |
| TLS12 | TLS1.2 only and no SHA ciphers. |
| TLS12_EXT | TLS1.2 only with all ciphers. |
| TLS11 | TLS1.1 and higher with all ciphers. |
| LEGACY | Support for DES-CBC3-SHA. |
RECOMMENDED
The recommended security policy.
FORWARD_SECRECY_TLS12_RES_GCM
Strong foward secrecy ciphers and TLV1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers.
FORWARD_SECRECY_TLS12_RES
Strong forward secrecy ciphers and TLS1.2 only.
FORWARD_SECRECY_TLS12
Forward secrecy ciphers and TLS1.2 only.
FORWARD_SECRECY_TLS11
Forward secrecy ciphers only with TLS1.1 and higher.
FORWARD_SECRECY
Forward secrecy ciphers only.
TLS12
TLS1.2 only and no SHA ciphers.
TLS12_EXT
TLS1.2 only with all ciphers.
TLS11
TLS1.1 and higher with all ciphers.
LEGACY
Support for DES-CBC3-SHA.
Do not use this security policy unless you must support a legacy client that requires the DES-CBC3-SHA cipher, which is a weak cipher.