Predefined SSL security policies for Classic Load Balancers

You can choose one of the predefined security policies for your HTTPS/SSL listeners. We recommend the default predefined security policy, ELBSecurityPolicy-2016-08, for compatibility. You can use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions. Alternatively, you can create a custom security policy. For more information, see Update the SSL negotiation configuration.

The RSA- and DSA-based ciphers are specific to the signing algorithm used to create SSL certificate. Make sure to create an SSL certificate using the signing algorithm that is based on the ciphers that are enabled for your security policy.

If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified here to negotiate connections between the client and load balancer. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

The following table describes the most recent predefined security policies for Classic Load Balancers, including their enabled SSL protocols, SSL ciphers, and the default policy, ELBSecurityPolicy-2016-08. The ELBSecurityPolicy- has been removed from policy names in the heading row so that they fit.

Tip

This table applies only to Classic Load Balancers. For information that applies to the other load balancers, see Security policies for Application Load Balancers and Security policies for Network Load Balancers.

SSL Security Policies for Classic Load Balancer

Predefined security policies

The following are the predefined security policies for Classic Load Balancers. To describe a predefined policy, use the describe-load-balancer-policies command.

ELBSecurityPolicy-2016-08
ELBSecurityPolicy-TLS-1-2-2017-01
ELBSecurityPolicy-TLS-1-1-2017-01
ELBSecurityPolicy-2015-05
ELBSecurityPolicy-2015-03
ELBSecurityPolicy-2015-02
ELBSecurityPolicy-2014-10
ELBSecurityPolicy-2014-01
ELBSecurityPolicy-2011-08
ELBSample-ELBDefaultNegotiationPolicy or ELBSample-ELBDefaultCipherPolicy
ELBSample-OpenSSLDefaultNegotiationPolicy or ELBSample-OpenSSLDefaultCipherPolicy

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

SSL negotiation configurations

Create an HTTPS load balancer