AWS ALB – prevent usage of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256


I use AWS ALB. I configured it to the strictest security policy which is “FS 1.2 res” and as described here it still supports ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384


These are considered weak. Is there a way to avoid supporting them while using AWS?

Update: AWS added ELBSecurityPolicy-FS-1-2-Res-2020-10 that answers the need


This is the formal answer from AWS

Unfortunately, I regret to say that there isn’t any predefined Security Policy which you can use to avoid supporting the aforementioned weak ciphers in case of both Application Load Balancer (ALB) or Network Load Balancer (NLB). Also, currently ALB or NLB do not support custom security policies.

Having said that, I would like to inform you that there is an active feature request already in place to have an ability to attach custom security policy to an ALB. I can assure you our service team is actively working to add this feature to ALB. We have an internal request to track the feature and I’ve added your voice to the request to expedite the process. However, I don’t have any ETA as when this feature request will be released due to various validation and regression testing process that all the feature requests go through.


For now the only workaround would be to use a Classic Load Balancer(CLB), which supports attaching Custom security policies[1] and you can also enable Server Order Preference[2]. In this case, the ELB selects the first cipher in its list that is in the client’s list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.

However, please note that CLB does not offer robust features as ALB.

AWS added ELBSecurityPolicy-FS-1-2-Res-2020-10 that answers the need

Leave a Reply