Configure TLS security policies on your Amazon Lightsail load balancer - Amazon Lightsail

Configure TLS security policies on your Amazon Lightsail load balancer

After you enable HTTPS on your Amazon Lightsail load balancer, you can configure a TLS security policy for the encrypted connections. This guide provides information about the security policies that you can configure on Lightsail load balancers, and the procedures for updating your load balancer's security policy. For more information about load balancers, see Load balancers.

Contents

Security policies overview

Lightsail load balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection. Lightsail load balancers do not support SSL renegotiation for client or target connections.

The TLS-2016-08 security policy is configured by default when you enable HTTPS on a Lightsail load balancer. You can configure a different security policy as needed, as described later in this guide. You can choose the security policy that is used for only for front-end connections. The TLS-2016-08 security policy is always used for backend connections. Lightsail load balancers do not support custom security policies.

Supported security policies and protocols

Lightsail load balancers can be configured with the following security policies and protocols:


                Supported TLS security policies

Complete the prerequisites

Complete the following prerequisites if you haven't already:

Configure a security policy using the Lightsail console

Complete the following procedure to configure a security policy using the Lightsail console.

  1. Sign in to the Lightsail console.

  2. On the Lightsail home page, choose the Networking tab.

  3. Choose the name of the load balancer for which you want to configure a TLS security policy.

  4. Choose the Inbound traffic tab.

  5. Choose Change protocols under the TLS security protocols section of the page.

  6. Select one of the following options in the Supported protocols dropdown menu:

    • TLS version 1.2 — This option is the most secure but older browsers might be unable to connect.

    • TLS version 1.0, 1.1, and 1.2 — This option offers the most compatibility with browsers.

  7. Choose Save to apply the selected protocol to your load balancer.

    Your change takes a few moments to become effective.

Configure a security policy using the AWS CLI

Complete the following procedure to configure a security policy using the AWS Command Line Interface (AWS CLI). You do this by using the update-load-balancer-attribute command. For more information, see update-load-balancer-attribute in the AWS CLI Command Reference.

Note

You must install the AWS CLI and configure it for Lightsail before continuing with this procedure. For more information, see Configure the AWS CLI to work with Lightsail.

  1. Open a Command Prompt or Terminal window.

  2. Enter the following command to change the TLS security policy for your load balancer.

    aws lightsail update-load-balancer-attribute --load-balancer-name LoadBalancerName --attribute-name TlsPolicyName --attribute-value AttributeValue

    In the command, replace the following example text with your own:

    • LoadBalancerName with the name of the load balancer for which you want to change the TLS security policy.

    • AttributeValue with the TLS-2016-08 or TLS-FS-1-2-Res-2019-08 security policy.

      Note

      The TlsPolicyName attribute in the command specifies that you wish to edit the TLS security policy that is configured on the load balancer.

    Example:

    aws lightsail update-load-balancer-attribute --load-balancer-name MyLoadBalancer --attribute-name TlsPolicyName --attribute-value TLS-2016-08

    Your change takes a few moments to become effective.