Module: AWSCDK::ElasticLoadBalancingv2::SSLPolicy
- Defined in:
- elastic_load_balancingv2/ssl_policy.rb
Overview
Elastic Load Balancing provides the following security policies for Application Load Balancers.
We recommend the Recommended policy for general use. You can use the ForwardSecrecy policy if you require Forward Secrecy (FS).
You can use one of the TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.
Constant Summary collapse
- RECOMMENDED_TLS =
Deprecated.Note:
Default:
The recommended security policy for TLS listeners. This is the default policy for listeners created using the AWS Management Console.
This policy includes TLS 1.3, and is backwards compatible with TLS 1.2
When feature flag
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "RECOMMENDED_TLS")
- TLS13_12_PQ =
Deprecated.Note:
Default:
TLS 1.3 and 1.2 with post-quantum hybrid key exchange using ML-KEM.
This uses the non-restricted variant (without -Res-) to maintain AES-CBC cipher support for TLS 1.2 clients, ensuring backward compatibility.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_12_PQ")
- RECOMMENDED =
Deprecated.Note:
Default:
The recommended policy for http listeners.
This is the default security policy for listeners created using the AWS CLI
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "RECOMMENDED")
- TLS13_RES =
Deprecated.Note:
Default:
TLS1.2 and 1.3.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_RES")
- TLS13_EXT1 =
Deprecated.Note:
Default:
TLS1.2 and 1.3 and no SHA ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_EXT1")
- TLS13_EXT2 =
Deprecated.Note:
Default:
TLS1.2 and 1.3 with all ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_EXT2")
- TLS13_10 =
Deprecated.Note:
Default:
TLS1.0 through 1.3 with all ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_10")
- TLS13_11 =
Deprecated.Note:
Default:
TLS1.1 through 1.3 with all ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_11")
- TLS13_13 =
Deprecated.Note:
Default:
TLS1.3 only.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_13")
- TLS13_13_PQ =
Deprecated.Note:
Default:
TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_13_PQ")
- TLS13_12_RES_PQ =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.
Restricted cipher suite for enhanced security with quantum resistance. Removes AES-CBC algorithms. AWS Console default policy for post-quantum cryptography.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_12_RES_PQ")
- TLS13_12_EXT1_PQ =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.
Extended cipher suite 1 with quantum resistance.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_12_EXT1_PQ")
- TLS13_12_EXT2_PQ =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.
Extended cipher suite 2 with quantum resistance.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_12_EXT2_PQ")
- TLS13_10_PQ =
Deprecated.Note:
Default:
TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS13_10_PQ")
- FIPS_TLS13_13 =
Deprecated.Note:
Default:
TLS 1.3 only with AES 128 and 256 GCM SHA ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_13")
- FIPS_TLS13_12_RES =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with AES and ECDHE GCM/SHA ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_RES")
- FIPS_TLS13_12 =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with ECDHE SHA/GCM ciphers, excluding SHA1 ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12")
- FIPS_TLS13_12_EXT0 =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with all ECDHE ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_EXT0")
- FIPS_TLS13_12_EXT1 =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with all AES and ECDHE ciphers excluding SHA1 ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_EXT1")
- FIPS_TLS13_12_EXT2 =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with all ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_EXT2")
- FIPS_TLS13_11 =
Deprecated.Note:
Default:
TLS1.1 through 1.3 with all ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_11")
- FIPS_TLS13_10 =
Deprecated.Note:
Default:
TLS1.0 through 1.3 with all ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_10")
- FIPS_TLS13_13_PQ =
Deprecated.Note:
Default:
TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM.
FIPS-compliant with quantum resistance.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_13_PQ")
- FIPS_TLS13_12_PQ =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.
FIPS-compliant with quantum resistance.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_PQ")
- FIPS_TLS13_12_RES_PQ =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.
Restricted cipher suite for enhanced security with quantum resistance. FIPS-compliant. AWS recommended policy for post-quantum cryptography with FIPS.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_RES_PQ")
- FIPS_TLS13_12_EXT0_PQ =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.
Extended cipher suite 0 with quantum resistance. FIPS-compliant.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_EXT0_PQ")
- FIPS_TLS13_12_EXT1_PQ =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.
Extended cipher suite 1 with quantum resistance. FIPS-compliant.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_EXT1_PQ")
- FIPS_TLS13_12_EXT2_PQ =
Deprecated.Note:
Default:
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.
Extended cipher suite 2 with quantum resistance. FIPS-compliant.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_12_EXT2_PQ")
- FIPS_TLS13_10_PQ =
Deprecated.Note:
Default:
TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM.
FIPS-compliant with quantum resistance.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FIPS_TLS13_10_PQ")
- FORWARD_SECRECY_TLS12_RES_GCM =
Deprecated.Note:
Default:
Strong foward secrecy ciphers and TLV1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FORWARD_SECRECY_TLS12_RES_GCM")
- FORWARD_SECRECY_TLS12_RES =
Deprecated.Note:
Default:
Strong forward secrecy ciphers and TLS1.2 only.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FORWARD_SECRECY_TLS12_RES")
- FORWARD_SECRECY_TLS12 =
Deprecated.Note:
Default:
Forward secrecy ciphers and TLS1.2 only.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FORWARD_SECRECY_TLS12")
- FORWARD_SECRECY_TLS11 =
Deprecated.Note:
Default:
Forward secrecy ciphers only with TLS1.1 and 1.2.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FORWARD_SECRECY_TLS11")
- FORWARD_SECRECY =
Deprecated.Note:
Default:
Forward secrecy ciphers only.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "FORWARD_SECRECY")
- TLS12 =
Deprecated.Note:
Default:
TLS1.2 only and no SHA ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS12")
- TLS12_EXT =
Deprecated.Note:
Default:
TLS1.2 only with all ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS12_EXT")
- TLS11 =
Deprecated.Note:
Default:
TLS1.1 and 1.2 with all ciphers.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "TLS11")
- LEGACY =
Deprecated.Note:
Default:
Support for DES-CBC3-SHA.
Do not use this security policy unless you must support a legacy client that requires the DES-CBC3-SHA cipher, which is a weak cipher.
Jsii::Enum.new("aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy", "LEGACY")