Enum SslPolicy

Elastic Load Balancing provides the following security policies for Application Load Balancers.

Namespace: Amazon.CDK.AWS.ElasticLoadBalancingV2
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public enum SslPolicy
Syntax (vb)
Public Enum SslPolicy
Remarks

We recommend the Recommended policy for general use. You can use the ForwardSecrecy policy if you require Forward Secrecy (FS).

You can use one of the TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

Examples
using Amazon.CDK;
using Amazon.CDK.AWS.CertificateManager;
using Amazon.CDK.AWS.EC2;
using Amazon.CDK.AWS.ECS;
using Amazon.CDK.AWS.ECS.Patterns;
using Amazon.CDK.AWS.ElasticLoadBalancingV2;
using Amazon.CDK.AWS.Route53;

var vpc = new Vpc(this, "Vpc", new VpcProps { MaxAzs = 1 });
var loadBalancedFargateService = new ApplicationMultipleTargetGroupsFargateService(this, "myService", new ApplicationMultipleTargetGroupsFargateServiceProps {
    Cluster = new Cluster(this, "EcsCluster", new ClusterProps { Vpc = vpc }),
    MemoryLimitMiB = 256,
    TaskImageOptions = new ApplicationLoadBalancedTaskImageProps {
        Image = ContainerImage.FromRegistry("amazon/amazon-ecs-sample")
    },
    EnableExecuteCommand = true,
    LoadBalancers = new [] { new ApplicationLoadBalancerProps {
        Name = "lb",
        IdleTimeout = Duration.Seconds(400),
        DomainName = "api.example.com",
        DomainZone = new PublicHostedZone(this, "HostedZone", new PublicHostedZoneProps { ZoneName = "example.com" }),
        Listeners = new [] { new ApplicationListenerProps {
            Name = "listener",
            Protocol = ApplicationProtocol.HTTPS,
            Certificate = Certificate.FromCertificateArn(this, "Cert", "helloworld"),
            // Explicit policy: TLS 1.2 only, all ciphers (see the Fields list below)
            SslPolicy = SslPolicy.TLS12_EXT
        } }
    }, new ApplicationLoadBalancerProps {
        Name = "lb2",
        IdleTimeout = Duration.Seconds(120),
        DomainName = "frontend.com",
        DomainZone = new PublicHostedZone(this, "HostedZone", new PublicHostedZoneProps { ZoneName = "frontend.com" }),
        Listeners = new [] { new ApplicationListenerProps {
            Name = "listener2",
            Protocol = ApplicationProtocol.HTTPS,
            Certificate = Certificate.FromCertificateArn(this, "Cert2", "helloworld"),
            SslPolicy = SslPolicy.TLS12_EXT
        } }
    } },
    TargetGroups = new [] { new ApplicationTargetProps {
        ContainerPort = 80,
        Listener = "listener"
    }, new ApplicationTargetProps {
        ContainerPort = 90,
        PathPattern = "a/b/c",
        Priority = 10,
        Listener = "listener"
    }, new ApplicationTargetProps {
        ContainerPort = 443,
        Listener = "listener2"
    }, new ApplicationTargetProps {
        ContainerPort = 80,
        PathPattern = "a/b/c",
        Priority = 10,
        Listener = "listener2"
    } }
});
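The Remarks leave the choice of policy to the caller, and an HTTPS listener with no SslPolicy silently takes the ELB default. As an added example (not CDK's own code), a CDK aspect that fails synthesis when any HTTPS listener in the scope, including the ones created by the ECS pattern above, has no explicit SslPolicy or uses one outside an allow-list. The SslPolicyGuard class and its allow-list are assumptions of this example; the two policy names listed are the ones behind SslPolicy.RECOMMENDED_TLS and SslPolicy.TLS13_RES, and should be verified against the AWS documentation linked above.

```csharp
using System.Collections.Generic;
using Amazon.CDK;
using Amazon.CDK.AWS.ElasticLoadBalancingV2;
using Constructs;

// Added example, not part of the CDK library: an aspect that inspects the
// L1 CfnListener behind every listener, so it also covers listeners created
// indirectly (for example by ApplicationMultipleTargetGroupsFargateService).
public class SslPolicyGuard : IAspect
{
    // Allow-list (assumption for this example): policy names considered
    // acceptable. These are the names behind RECOMMENDED_TLS and TLS13_RES.
    private static readonly HashSet<string> Allowed = new HashSet<string>
    {
        "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    };

    public void Visit(IConstruct node)
    {
        if (!(node is CfnListener listener)) return;

        // Only TLS listeners carry a security policy; HTTP listeners are skipped.
        if (listener.Protocol != "HTTPS") return;

        var policy = listener.SslPolicy;
        if (policy == null)
        {
            // No policy set: the listener falls back to the ELB default, which
            // may not match the standard this stack is meant to enforce.
            Annotations.Of(node).AddError(
                "HTTPS listener has no explicit SslPolicy; set one from the SslPolicy enum.");
        }
        else if (!Allowed.Contains(policy))
        {
            Annotations.Of(node).AddError(
                $"SslPolicy '{policy}' is not on the allow-list; use RECOMMENDED_TLS or TLS13_RES.");
        }
    }
}

// Attach to a stack (or the whole App) so every listener is visited at synth time.
// var app = new App();
// var stack = new MyStack(app, "MyStack");
// Aspects.Of(stack).Add(new SslPolicyGuard());
```

With the guard attached, the example above fails to synthesize because TLS12_EXT is not on the allow-list; widen the set or change the listener policy as your standard requires.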

Synopsis

Fields

FIPS_TLS13_10

TLS1.0 through 1.3 with all ciphers.

FIPS_TLS13_10_PQ

TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM.

FIPS_TLS13_11

TLS1.1 through 1.3 with all ciphers.

FIPS_TLS13_12

TLS 1.2 and 1.3 with ECDHE SHA/GCM ciphers, excluding SHA1 ciphers.

FIPS_TLS13_12_EXT0

TLS 1.2 and 1.3 with all ECDHE ciphers.

FIPS_TLS13_12_EXT0_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

FIPS_TLS13_12_EXT1

TLS 1.2 and 1.3 with all AES and ECDHE ciphers excluding SHA1 ciphers.

FIPS_TLS13_12_EXT1_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

FIPS_TLS13_12_EXT2

TLS 1.2 and 1.3 with all ciphers.

FIPS_TLS13_12_EXT2_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

FIPS_TLS13_12_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

FIPS_TLS13_12_RES

TLS 1.2 and 1.3 with AES and ECDHE GCM/SHA ciphers.

FIPS_TLS13_12_RES_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

FIPS_TLS13_13

TLS 1.3 only with AES 128 and 256 GCM SHA ciphers.

FIPS_TLS13_13_PQ

TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM.

FORWARD_SECRECY

Forward secrecy ciphers only.

FORWARD_SECRECY_TLS11

Forward secrecy ciphers only with TLS1.1 and 1.2.

FORWARD_SECRECY_TLS12

Forward secrecy ciphers and TLS1.2 only.

FORWARD_SECRECY_TLS12_RES

Strong forward secrecy ciphers and TLS1.2 only.

FORWARD_SECRECY_TLS12_RES_GCM

Strong forward secrecy ciphers and TLS1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers.

LEGACY

Support for DES-CBC3-SHA.

RECOMMENDED

The recommended policy for http listeners.

RECOMMENDED_TLS

The recommended security policy for TLS listeners. This is the default policy for listeners created using the AWS Management Console.

TLS11

TLS1.1 and 1.2 with all ciphers.

TLS12

TLS1.2 only and no SHA ciphers.

TLS12_EXT

TLS1.2 only with all ciphers.

TLS13_10

TLS1.0 through 1.3 with all ciphers.

TLS13_10_PQ

TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM.

TLS13_11

TLS1.1 through 1.3 with all ciphers.

TLS13_12_EXT1_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

TLS13_12_EXT2_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

TLS13_12_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

TLS13_12_RES_PQ

TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.

TLS13_13

TLS1.3 only.

TLS13_13_PQ

TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM.

TLS13_EXT1

TLS1.2 and 1.3 and no SHA ciphers.

TLS13_EXT2

TLS1.2 and 1.3 with all ciphers.

TLS13_RES

TLS1.2 and 1.3.