aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy

enum SslPolicy

Language | Type name
.NET | Amazon.CDK.AWS.ElasticLoadBalancingV2.SslPolicy
Go | github.com/aws/aws-cdk-go/awscdk/v2/awselasticloadbalancingv2#SslPolicy
Java | software.amazon.awscdk.services.elasticloadbalancingv2.SslPolicy
Python | aws_cdk.aws_elasticloadbalancingv2.SslPolicy
TypeScript (source) | aws-cdk-lib » aws_elasticloadbalancingv2 » SslPolicy

Elastic Load Balancing provides the following security policies for Application Load Balancers.

We recommend the Recommended policy for general use. You can use the ForwardSecrecy policy if you require Forward Secrecy (FS).

You can use one of the TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

See also: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

Example

import { Duration } from 'aws-cdk-lib';
import { Certificate } from 'aws-cdk-lib/aws-certificatemanager';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as ecsPatterns from 'aws-cdk-lib/aws-ecs-patterns';
import { ApplicationProtocol, SslPolicy } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
import { PublicHostedZone } from 'aws-cdk-lib/aws-route53';

// This snippet runs inside a Stack (or other Construct) constructor, so `this` is the scope.
const vpc = new ec2.Vpc(this, 'Vpc', { maxAzs: 1 });
const loadBalancedFargateService = new ecsPatterns.ApplicationMultipleTargetGroupsFargateService(this, 'myService', {
  cluster: new ecs.Cluster(this, 'EcsCluster', { vpc }),
  memoryLimitMiB: 256,
  taskImageOptions: {
    image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
  },
  enableExecuteCommand: true,
  loadBalancers: [
    {
      name: 'lb',
      idleTimeout: Duration.seconds(400),
      domainName: 'api.example.com',
      domainZone: new PublicHostedZone(this, 'HostedZone', { zoneName: 'example.com' }),
      listeners: [
        {
          name: 'listener',
          protocol: ApplicationProtocol.HTTPS,
          // 'helloworld' is a placeholder; supply the ARN of an ACM certificate for api.example.com.
          certificate: Certificate.fromCertificateArn(this, 'Cert', 'helloworld'),
          // TLS 1.2 only, with all ciphers (see the Members list below).
          sslPolicy: SslPolicy.TLS12_EXT,
        },
      ],
    },
    {
      name: 'lb2',
      idleTimeout: Duration.seconds(120),
      domainName: 'frontend.com',
      domainZone: new PublicHostedZone(this, 'HostedZone', { zoneName: 'frontend.com' }),
      listeners: [
        {
          name: 'listener2',
          protocol: ApplicationProtocol.HTTPS,
          certificate: Certificate.fromCertificateArn(this, 'Cert2', 'helloworld'),
          sslPolicy: SslPolicy.TLS12_EXT,
        },
      ],
    },
  ],
  targetGroups: [
    {
      containerPort: 80,
      listener: 'listener',
    },
    {
      containerPort: 90,
      pathPattern: 'a/b/c',
      priority: 10,
      listener: 'listener',
    },
    {
      containerPort: 443,
      listener: 'listener2',
    },
    {
      containerPort: 80,
      pathPattern: 'a/b/c',
      priority: 10,
      listener: 'listener2',
    },
  ],
});

Members

Name | Description
RECOMMENDED_TLS | The recommended security policy for TLS listeners.
RECOMMENDED | The recommended policy for http listeners.
TLS13_RES | TLS1.2 and 1.3.
TLS13_EXT1 | TLS1.2 and 1.3 and no SHA ciphers.
TLS13_EXT2 | TLS1.2 and 1.3 with all ciphers.
TLS13_10 | TLS1.0 through 1.3 with all ciphers.
TLS13_11 | TLS1.1 through 1.3 with all ciphers.
TLS13_13 | TLS1.3 only.
FORWARD_SECRECY_TLS12_RES_GCM | Strong forward secrecy ciphers and TLS1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers.
FORWARD_SECRECY_TLS12_RES | Strong forward secrecy ciphers and TLS1.2 only.
FORWARD_SECRECY_TLS12 | Forward secrecy ciphers and TLS1.2 only.
FORWARD_SECRECY_TLS11 | Forward secrecy ciphers only with TLS1.1 and 1.2.
FORWARD_SECRECY | Forward secrecy ciphers only.
TLS12 | TLS1.2 only and no SHA ciphers.
TLS12_EXT | TLS1.2 only with all ciphers.
TLS11 | TLS1.1 and 1.2 with all ciphers.
LEGACY | Support for DES-CBC3-SHA.

RECOMMENDED_TLS

The recommended security policy for TLS listeners.

This is the default policy for listeners created using the AWS Management Console.


RECOMMENDED

The recommended policy for http listeners.

This is the default security policy for listeners created using the AWS CLI.


TLS13_RES

TLS1.2 and 1.3.


TLS13_EXT1

TLS1.2 and 1.3 and no SHA ciphers.


TLS13_EXT2

TLS1.2 and 1.3 with all ciphers.


TLS13_10

TLS1.0 through 1.3 with all ciphers.


TLS13_11

TLS1.1 through 1.3 with all ciphers.


TLS13_13

TLS1.3 only.


FORWARD_SECRECY_TLS12_RES_GCM

Strong forward secrecy ciphers and TLS1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers.


FORWARD_SECRECY_TLS12_RES

Strong forward secrecy ciphers and TLS1.2 only.


FORWARD_SECRECY_TLS12

Forward secrecy ciphers and TLS1.2 only.


FORWARD_SECRECY_TLS11

Forward secrecy ciphers only with TLS1.1 and 1.2.


FORWARD_SECRECY

Forward secrecy ciphers only.


TLS12

TLS1.2 only and no SHA ciphers.


TLS12_EXT

TLS1.2 only with all ciphers.


TLS11

TLS1.1 and 1.2 with all ciphers.


LEGACY

Support for DES-CBC3-SHA.

Do not use this security policy unless you must support a legacy client that requires the DES-CBC3-SHA cipher, which is a weak cipher.
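Because policies such as LEGACY, TLS11, TLS13_10 and TLS13_11 still negotiate TLS 1.0 or 1.1, it is worth checking the template that `cdk synth` emits before deploying. The following is an added example, not code from the CDK documentation or library: it reads the minimum TLS version out of the ELB policy-name strings that the enum members resolve to (for example RECOMMENDED is "ELBSecurityPolicy-2016-08", LEGACY is "ELBSecurityPolicy-TLS-1-0-2015-04", as published in the ELB listener documentation linked above; confirm the names against your aws-cdk-lib version) and flags HTTPS listeners whose floor is below TLS 1.2 or whose policy is not pinned at all. The sample template is constructed for this example.

```typescript
// Added example: audit a synthesized CloudFormation template for HTTPS listeners
// whose SslPolicy still admits TLS 1.0/1.1, is unrecognised, or is left unset.
// Policy names are the ELB policy strings behind the CDK SslPolicy enum (assumed from
// the ELB docs); SAMPLE_TEMPLATE is constructed, not taken from a real deployment.

// The two undated policies predate the versioned naming scheme and still enable TLS 1.0.
const TLS10_UNDATED = new Set(["ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-FS-2018-06"]);

/** Minor number of the lowest TLS 1.x version a named policy negotiates; null if unknown. */
function minTlsMinor(policy: string): number | null {
  // Dated names encode the floor as "-1-<minor>-", e.g. ELBSecurityPolicy-TLS13-1-2-2021-06,
  // ELBSecurityPolicy-FS-1-1-2019-08, ELBSecurityPolicy-TLS-1-2-Ext-2018-06.
  const m = /^ELBSecurityPolicy-(?:TLS13|FS|TLS)-1-(\d)-/.exec(policy);
  if (m) return Number(m[1]);
  return TLS10_UNDATED.has(policy) ? 0 : null;
}

interface Finding { logicalId: string; policy: string; reason: string; }

/** Report HTTPS listeners whose policy floor is below TLS 1.2, unknown, or unset. */
function auditListeners(template: { Resources: Record<string, any> }): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::ElasticLoadBalancingV2::Listener") continue;
    const props = res.Properties ?? {};
    if (props.Protocol !== "HTTPS") continue; // plain HTTP listeners carry no TLS policy
    const policy: string | undefined = props.SslPolicy;
    if (!policy) { findings.push({ logicalId, policy: "(unset)", reason: "SslPolicy not pinned" }); continue; }
    const floor = minTlsMinor(policy);
    if (floor === null) findings.push({ logicalId, policy, reason: "unrecognised policy name" });
    else if (floor < 2) findings.push({ logicalId, policy, reason: `allows TLS 1.${floor}` });
  }
  return findings;
}

// Constructed sample of the Resources section `cdk synth` produces for five listeners.
const SAMPLE_TEMPLATE = {
  Resources: {
    ApiListener: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: { Protocol: "HTTPS", SslPolicy: "ELBSecurityPolicy-TLS13-1-2-2021-06" } },
    LegacyListener: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: { Protocol: "HTTPS", SslPolicy: "ELBSecurityPolicy-TLS-1-0-2015-04" } },
    FsListener: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: { Protocol: "HTTPS", SslPolicy: "ELBSecurityPolicy-FS-1-1-2019-08" } },
    UnpinnedListener: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: { Protocol: "HTTPS" } },
    HttpListener: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: { Protocol: "HTTP" } },
  },
};

console.log(auditListeners(SAMPLE_TEMPLATE)); // Legacy (1.0), Fs (1.1) and Unpinned are reported
```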