Upgrade TLS to the latest secure version in Application Load balancers


Hello, we have application load balancers that are currently using the security policy ELBSecurityPolicy-2016-08. How do I make sure I use the right secure policy for the latest version? I have this table in AWS https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html showing different versions, but I am not sure which is the latest secure version to use, as it is a bit confusing for me.

Many thanks in advance.

asked 12 days ago · 28 views
2 Answers

It all depends on what your security posture is with TLS versions and encryption ciphers. You can test your ALB using this website, which will give you a score based on your current configuration: https://www.ssllabs.com/ssltest/

NOTE: Tick Do not show on public boards

The higher the TLS version, the more secure. 1.2 and 1.3 are the main standards today. A lot of those ciphers are now weak and are seen as bad.

Personally, I would be looking at ELBSecurityPolicy-FS-1-2-Res-2020-10, or ELBSecurityPolicy-TLS-1-2-2017-01 if you don't need forward secrecy.

When you force a higher TLS version and remove supported ciphers, watch out for old browsers/operating systems and applications that have not been upgraded to support the newer ciphers etc. It's unlikely today, but they would experience TLS issues when connecting and will fail if they do not support the increased TLS settings.

Use SSL Labs to check the results after changing, but I personally would go for ELBSecurityPolicy-FS-1-2-Res-2020-10 if you NEED FS, or TLS-1-2-2017-01 if not. You can also check here for details on ciphers: https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384/

Hope this helps

answered 12 days ago
  • Hi Gary, thank you very much for the detailed information. This looks really good to me.

  • Any other questions, fire away... Be sure to accept the answer if satisfactory, to help others and me. Thanks


I have upgraded TLS to the latest version, ELBSecurityPolicy-FS-1-2-Res-2020-10, on AWS ALBs, but I am not sure how to test the new version to ensure it has no impact on the clients?

answered 10 days ago
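The two practical steps raised in this thread are (a) finding out which security policy each HTTPS listener actually uses and (b) confirming, after the change, that old protocol versions are refused and TLS 1.2 still works. The script below is an added example, not code from this thread or from AWS. It assumes the audit input is the JSON printed by `aws elbv2 describe-listeners` (a constructed sample is embedded so the audit part runs offline), that the allow-list of acceptable policies is the one the answer above suggests, and that the probe target hostname and port are passed on the command line; the probe needs network access to the ALB and keeps certificate verification on, so a certificate problem also shows up as "rejected".

```python
"""Audit ALB listener TLS policies and probe which protocol versions a listener accepts.

Added example, not code from the re:Post thread. Assumes the audit input is the JSON
from `aws elbv2 describe-listeners` and that the probe target is given on the command
line:  python tls_check.py my-alb.example.com [443]
"""
import json
import socket
import ssl
import sys

# Policies this check treats as acceptable: the two recommended in the answer above.
# Constructed allow-list, not an AWS-maintained one; adjust to your own posture.
ACCEPTED_POLICIES = {
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
}

# Constructed sample shaped like the output of `aws elbv2 describe-listeners`.
SAMPLE_LISTENERS = json.dumps({
    "Listeners": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/1/a",
         "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/api/2/b",
         "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/1/c",
         "Port": 80, "Protocol": "HTTP"},
    ]
})


def audit_listeners(describe_output, accepted=ACCEPTED_POLICIES):
    """Return [(listener_arn, ssl_policy)] for HTTPS listeners whose policy is not accepted."""
    findings = []
    for listener in json.loads(describe_output).get("Listeners", []):
        if listener.get("Protocol") != "HTTPS":
            continue  # plain HTTP listeners carry no TLS policy
        policy = listener.get("SslPolicy", "")
        if policy not in accepted:
            findings.append((listener["ListenerArn"], policy))
    return findings


PROBE_VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
    "TLS1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_versions(host, port=443, timeout=5.0):
    """One handshake per protocol version, each pinned to exactly that version.

    Returns e.g. {"TLS1.0": "rejected", "TLS1.2": "accepted", ...}. After moving to a
    1.2-only policy, 1.0 and 1.1 should be rejected and 1.2 accepted. "unreachable"
    means the TCP connection itself failed and says nothing about TLS.
    """
    results = {}
    for name, version in PROBE_VERSIONS.items():
        ctx = ssl.create_default_context()  # certificate and hostname checks stay on
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            if version < ssl.TLSVersion.TLSv1_2:
                # Modern OpenSSL will not offer TLS 1.0/1.1 at its default security
                # level; lowering it lets the probe actually send that ClientHello.
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = "not-offered-by-local-openssl"
            continue
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"
            continue
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                results[name] = "accepted" if tls.version() else "rejected"
        except OSError:  # ssl.SSLError (server alert), reset, or timeout mid-handshake
            results[name] = "rejected"
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    for arn, policy in audit_listeners(SAMPLE_LISTENERS):
        print(f"needs upgrade: {arn} uses {policy!r}")
    if len(sys.argv) > 1:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for name, outcome in probe_tls_versions(sys.argv[1], target_port).items():
            print(f"{name}: {outcome}")
```

Run the audit against real output by replacing `SAMPLE_LISTENERS` with the string from `aws elbv2 describe-listeners --load-balancer-arn <arn>`; run the probe from the same networks your clients use, because a client on an old OS that cannot negotiate TLS 1.2 will fail in exactly the way the "rejected" rows show, which is the impact the second answer is asking how to test for.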
