Enum SslPolicy
- All Implemented Interfaces:
Serializable,Comparable<SslPolicy>,java.lang.constant.Constable
@Generated(value="jsii-pacmak/1.127.0 (build 2117ad5)",
date="2026-04-02T21:55:11.031Z")
@Stability(Stable)
public enum SslPolicy
extends Enum<SslPolicy>
Elastic Load Balancing provides the following security policies for Application Load Balancers.
We recommend the Recommended policy for general use. You can use the ForwardSecrecy policy if you require Forward Secrecy (FS).
You can use one of the TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.
Example:
import software.amazon.awscdk.services.certificatemanager.Certificate;
import software.amazon.awscdk.services.ec2.InstanceType;
import software.amazon.awscdk.services.ecs.Cluster;
import software.amazon.awscdk.services.ecs.ContainerImage;
import software.amazon.awscdk.services.elasticloadbalancingv2.ApplicationProtocol;
import software.amazon.awscdk.services.elasticloadbalancingv2.SslPolicy;
import software.amazon.awscdk.services.route53.PublicHostedZone;
Vpc vpc = Vpc.Builder.create(this, "Vpc").maxAzs(1).build();
ApplicationMultipleTargetGroupsFargateService loadBalancedFargateService = ApplicationMultipleTargetGroupsFargateService.Builder.create(this, "myService")
.cluster(Cluster.Builder.create(this, "EcsCluster").vpc(vpc).build())
.memoryLimitMiB(256)
.taskImageOptions(ApplicationLoadBalancedTaskImageProps.builder()
.image(ContainerImage.fromRegistry("amazon/amazon-ecs-sample"))
.build())
.enableExecuteCommand(true)
.loadBalancers(List.of(ApplicationLoadBalancerProps.builder()
.name("lb")
.idleTimeout(Duration.seconds(400))
.domainName("api.example.com")
.domainZone(PublicHostedZone.Builder.create(this, "HostedZone").zoneName("example.com").build())
.listeners(List.of(ApplicationListenerProps.builder()
.name("listener")
.protocol(ApplicationProtocol.HTTPS)
.certificate(Certificate.fromCertificateArn(this, "Cert", "helloworld"))
.sslPolicy(SslPolicy.TLS12_EXT)
.build()))
.build(), ApplicationLoadBalancerProps.builder()
.name("lb2")
.idleTimeout(Duration.seconds(120))
.domainName("frontend.com")
.domainZone(PublicHostedZone.Builder.create(this, "HostedZone").zoneName("frontend.com").build())
.listeners(List.of(ApplicationListenerProps.builder()
.name("listener2")
.protocol(ApplicationProtocol.HTTPS)
.certificate(Certificate.fromCertificateArn(this, "Cert2", "helloworld"))
.sslPolicy(SslPolicy.TLS12_EXT)
.build()))
.build()))
.targetGroups(List.of(ApplicationTargetProps.builder()
.containerPort(80)
.listener("listener")
.build(), ApplicationTargetProps.builder()
.containerPort(90)
.pathPattern("a/b/c")
.priority(10)
.listener("listener")
.build(), ApplicationTargetProps.builder()
.containerPort(443)
.listener("listener2")
.build(), ApplicationTargetProps.builder()
.containerPort(80)
.pathPattern("a/b/c")
.priority(10)
.listener("listener2")
.build()))
.build();
- See Also:
-
Nested Class Summary
Nested classes/interfaces inherited from class java.lang.Enum
Enum.EnumDesc<E extends Enum<E>> -
Enum Constant Summary
Enum ConstantsEnum ConstantDescriptionTLS1.0 through 1.3 with all ciphers.TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS1.1 through 1.3 with all ciphers.TLS 1.2 and 1.3 with ECDHE SHA/GCM ciphers, excluding SHA1 ciphers.TLS 1.2 and 1.3 with all ECDHE ciphers.TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS 1.2 and 1.3 with all AES and ECDHE ciphers excluding SHA1 ciphers.TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS 1.2 and 1.3 with all ciphers.TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS 1.2 and 1.3 with AES and ECDHE GCM/SHA ciphers.TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS 1.3 only with AES 128 and 256 GCM SHA ciphers.TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM.Forward secrecy ciphers only.Forward secrecy ciphers only with TLS1.1 and 1.2.Forward secrecy ciphers and TLS1.2 only.Strong forward secrecy ciphers and TLS1.2 only.Strong foward secrecy ciphers and TLV1.2 only (2020 edition).Support for DES-CBC3-SHA.The recommended policy for http listeners.The recommended security policy for TLS listeners.TLS1.1 and 1.2 with all ciphers.TLS1.2 only and no SHA ciphers.TLS1.2 only with all ciphers.TLS1.0 through 1.3 with all ciphers.TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS1.1 through 1.3 with all ciphers.TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS 1.3 and 1.2 with post-quantum hybrid key exchange using ML-KEM.TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.TLS1.3 only.TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM.TLS1.2 and 1.3 and no SHA ciphers.TLS1.2 and 1.3 with all ciphers.TLS1.2 and 1.3. -
Method Summary
-
Enum Constant Details
-
RECOMMENDED_TLS
The recommended security policy for TLS listeners. This is the default policy for listeners created using the AWS Management Console.This policy includes TLS 1.3, and is backwards compatible with TLS 1.2
When feature flag
-
TLS13_12_PQ
TLS 1.3 and 1.2 with post-quantum hybrid key exchange using ML-KEM.This uses the non-restricted variant (without -Res-) to maintain AES-CBC cipher support for TLS 1.2 clients, ensuring backward compatibility.
- See Also:
-
RECOMMENDED
The recommended policy for http listeners.This is the default security policy for listeners created using the AWS CLI
-
TLS13_RES
TLS1.2 and 1.3. -
TLS13_EXT1
TLS1.2 and 1.3 and no SHA ciphers. -
TLS13_EXT2
TLS1.2 and 1.3 with all ciphers. -
TLS13_10
TLS1.0 through 1.3 with all ciphers. -
TLS13_11
TLS1.1 through 1.3 with all ciphers. -
TLS13_13
TLS1.3 only. -
TLS13_13_PQ
TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM.- See Also:
-
TLS13_12_RES_PQ
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.Restricted cipher suite for enhanced security with quantum resistance. Removes AES-CBC algorithms. AWS Console default policy for post-quantum cryptography.
- See Also:
-
TLS13_12_EXT1_PQ
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.Extended cipher suite 1 with quantum resistance.
- See Also:
-
TLS13_12_EXT2_PQ
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.Extended cipher suite 2 with quantum resistance.
- See Also:
-
TLS13_10_PQ
TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM.- See Also:
-
FIPS_TLS13_13
TLS 1.3 only with AES 128 and 256 GCM SHA ciphers. -
FIPS_TLS13_12_RES
TLS 1.2 and 1.3 with AES and ECDHE GCM/SHA ciphers. -
FIPS_TLS13_12
TLS 1.2 and 1.3 with ECDHE SHA/GCM ciphers, excluding SHA1 ciphers. -
FIPS_TLS13_12_EXT0
TLS 1.2 and 1.3 with all ECDHE ciphers. -
FIPS_TLS13_12_EXT1
TLS 1.2 and 1.3 with all AES and ECDHE ciphers excluding SHA1 ciphers. -
FIPS_TLS13_12_EXT2
TLS 1.2 and 1.3 with all ciphers. -
FIPS_TLS13_11
TLS1.1 through 1.3 with all ciphers. -
FIPS_TLS13_10
TLS1.0 through 1.3 with all ciphers. -
FIPS_TLS13_13_PQ
TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM.FIPS-compliant with quantum resistance.
- See Also:
-
FIPS_TLS13_12_PQ
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.FIPS-compliant with quantum resistance.
- See Also:
-
FIPS_TLS13_12_RES_PQ
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.Restricted cipher suite for enhanced security with quantum resistance. FIPS-compliant. AWS recommended policy for post-quantum cryptography with FIPS.
- See Also:
-
FIPS_TLS13_12_EXT0_PQ
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.Extended cipher suite 0 with quantum resistance. FIPS-compliant.
- See Also:
-
FIPS_TLS13_12_EXT1_PQ
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.Extended cipher suite 1 with quantum resistance. FIPS-compliant.
- See Also:
-
FIPS_TLS13_12_EXT2_PQ
TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM.Extended cipher suite 2 with quantum resistance. FIPS-compliant.
- See Also:
-
FIPS_TLS13_10_PQ
TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM.FIPS-compliant with quantum resistance.
- See Also:
-
FORWARD_SECRECY_TLS12_RES_GCM
Strong foward secrecy ciphers and TLV1.2 only (2020 edition). Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers. -
FORWARD_SECRECY_TLS12_RES
Strong forward secrecy ciphers and TLS1.2 only. -
FORWARD_SECRECY_TLS12
Forward secrecy ciphers and TLS1.2 only. -
FORWARD_SECRECY_TLS11
Forward secrecy ciphers only with TLS1.1 and 1.2. -
FORWARD_SECRECY
Forward secrecy ciphers only. -
TLS12
TLS1.2 only and no SHA ciphers. -
TLS12_EXT
TLS1.2 only with all ciphers. -
TLS11
TLS1.1 and 1.2 with all ciphers. -
LEGACY
Support for DES-CBC3-SHA.Do not use this security policy unless you must support a legacy client that requires the DES-CBC3-SHA cipher, which is a weak cipher.
-
-
Method Details
-
values
Returns an array containing the constants of this enum type, in the order they are declared.- Returns:
- an array containing the constants of this enum type, in the order they are declared
-
valueOf
Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)- Parameters:
name- the name of the enum constant to be returned.- Returns:
- the enum constant with the specified name
- Throws:
IllegalArgumentException- if this enum type has no constant with the specified nameNullPointerException- if the argument is null
-