


# Security policies for your Application Load Balancer
<a name="describe-ssl-policies"></a>

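Elastic Load Balancing uses a Secure Sockets Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer each present a list of the ciphers and protocols that they support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.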

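**Considerations**
+ An HTTPS listener requires a security policy. If you do not specify a security policy when you create the listener, we use the default security policy. The default security policy depends on how you create the HTTPS listener:
  + **Console** – The default security policy is `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`.
  + **Other methods** (for example, the AWS CLI, AWS CloudFormation, and the AWS CDK) – The default security policy is `ELBSecurityPolicy-2016-08`.
  + To view the TLS protocol version (log field position 5) and key exchange (log field position 13) for connection requests to your load balancer, enable connection logging and examine the corresponding log entries. For more information, see [Connection logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-connection-logs.html).
  + Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms. Clients must support ML-KEM key exchange to use hybrid post-quantum TLS for key exchange. The hybrid post-quantum policies support the SecP256r1MLKEM768, SecP384r1MLKEM1024, and X25519MLKEM768 algorithms. For more information, see [Post-Quantum Cryptography](https://aws.amazon.com/security/post-quantum-cryptography/).
  + AWS recommends implementing the new post-quantum TLS (PQ-TLS) based security policy `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` or `ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09`. This policy ensures backward compatibility by supporting clients that can negotiate hybrid PQ-TLS, TLS 1.3 only, or TLS 1.2 only, which minimizes service disruption during the transition to post-quantum cryptography. You can progressively migrate to more restrictive security policies as your client applications develop the capability to negotiate PQ-TLS for key exchange operations.
+ To meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers, you can use one of the `ELBSecurityPolicy-TLS-` security policies. To view the TLS protocol version for requests to your Application Load Balancer, enable access logging for your load balancer and examine the corresponding access log entries. For more information, see [Access logs](load-balancer-access-logs.md).
+ You can restrict which security policies are available to users across your AWS accounts and AWS Organizations by using the [Elastic Load Balancing condition keys](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html) in your IAM policies and service control policies (SCPs), respectively. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ Policies that support only TLS 1.3 support forward secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 and that have only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.
+ Application Load Balancers support TLS resumption using PSK (TLS 1.3) and session IDs/session tickets (TLS 1.2 and older). Resumption is supported only for connections to the same Application Load Balancer IP address. The 0-RTT data feature and the `early_data` extension are not implemented.
+ Application Load Balancers do not support custom security policies.
+ Application Load Balancers support SSL renegotiation for target connections only.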
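The connection-log check described above, as an added example (not AWS code): it tallies the TLS protocol version (field 5) and key exchange (field 13) of each handshake and reports the ones that did not use a hybrid post-quantum algorithm named on this page. The sample lines are constructed; only the two field positions come from the page, and the layout and values of every other field are placeholders.

```python
import shlex
from collections import Counter

# Hybrid post-quantum key exchange algorithms named on this page (lower-cased).
HYBRID_PQ = {"secp256r1mlkem768", "secp384r1mlkem1024", "x25519mlkem768"}

# 1-based connection-log field positions given on this page.
TLS_PROTOCOL_FIELD = 5
KEY_EXCHANGE_FIELD = 13

# Constructed sample input. Fields other than 5 and 13 are placeholders, and the
# spelling of the key exchange values in real logs is an assumption.
SAMPLE_LOG = """\
2025-10-01T12:00:00Z 198.51.100.10 40112 443 TLSv1.3 TLS_AES_128_GCM_SHA256 0.004 "CN=placeholder, O=Example" - - - TID_0001 X25519MLKEM768
2025-10-01T12:00:01Z 198.51.100.11 40113 443 TLSv1.3 TLS_AES_128_GCM_SHA256 0.005 "-" - - - TID_0002 x25519
2025-10-01T12:00:02Z 198.51.100.12 40114 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 0.006 "-" - - - TID_0003 secp256r1
2025-10-01T12:00:03Z 198.51.100.10 40115 443 TLSv1.3 TLS_AES_256_GCM_SHA384 0.004 "-" - - - TID_0004 SecP256r1MLKEM768
2025-10-01T12:00:04Z 198.51.100.13 40116 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 0.006 "-" - - - TID_0005
truncated line
"""


def parse_line(line):
    """Return (tls_protocol, key_exchange), or None for a short or malformed line."""
    try:
        fields = shlex.split(line)  # keeps quoted fields with spaces together
    except ValueError:              # unbalanced quotes
        return None
    if len(fields) < KEY_EXCHANGE_FIELD:
        return None                 # no key exchange field on this line
    return fields[TLS_PROTOCOL_FIELD - 1], fields[KEY_EXCHANGE_FIELD - 1]


def summarize(log_text):
    """Count handshakes per (protocol, key exchange) and split hybrid PQ from classical."""
    tally = Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        tally[parsed] += 1
    classical = {pair: n for pair, n in tally.items()
                 if pair[1].lower() not in HYBRID_PQ}
    total = sum(tally.values())
    return {
        "total": total,
        "hybrid_pq": total - sum(classical.values()),
        "classical": classical,  # handshakes a PQ-only key exchange would affect
        "skipped": skipped,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-empty `classical` map identifies the protocol and key exchange combinations that clients still rely on before a move to a more restrictive policy.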

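**Compatibility**
+ All secure listeners attached to the same load balancer must use compatible security policies. To migrate all of the secure listeners for a load balancer to security policies that are not compatible with the ones currently in use, remove all but one of the secure listeners, change the security policy of the remaining secure listener, and then create the additional secure listeners.
  + FIPS post-quantum TLS policies and FIPS policies - **Compatible**
  + Post-quantum TLS policies and FIPS or FIPS post-quantum TLS policies - **Compatible**
  + TLS policies (non-FIPS, non-post-quantum) and FIPS or FIPS post-quantum TLS policies - **Incompatible**
  + TLS policies (non-FIPS, non-post-quantum) and post-quantum TLS policies - **Incompatible**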

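**Backend connections**
+ You can choose the security policy that is used for front-end connections, but not the one used for backend connections. The security policy for backend connections depends on the listener security policy. If any of your listeners are using:
  + **FIPS post-quantum TLS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09`
  + **FIPS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04`
  + **Post-quantum TLS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-PQ-2025-09`
  + **TLS 1.3 policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-2021-06`
  + **Any other TLS policy** - Backend connections use `ELBSecurityPolicy-2016-08`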
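The compatibility and backend rules above, applied to a planned set of listeners, as an added example (not AWS code). Assumptions: a policy's family is inferred from the `FIPS`, `PQ` and `TLS13` tokens in its name, two policies of the same family are compatible, the order of the backend list is treated as precedence, and the listener ports and step wording are hypothetical.

```python
from itertools import combinations

FIPS_PQ, FIPS, PQ, TLS13, OTHER = "FIPS-PQ", "FIPS", "PQ", "TLS13", "OTHER"

# Backend policy per listener family, in the order this page lists them.
# Treating that order as precedence for mixed listeners is an assumption.
BACKEND_POLICY = [
    (FIPS_PQ, "ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09"),
    (FIPS, "ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04"),
    (PQ, "ELBSecurityPolicy-TLS13-1-0-PQ-2025-09"),
    (TLS13, "ELBSecurityPolicy-TLS13-1-0-2021-06"),
    (OTHER, "ELBSecurityPolicy-2016-08"),
]


def family(policy_name):
    """Classify a policy by the tokens in its name (naming-based assumption)."""
    tokens = policy_name.split("-")
    has_fips, has_pq = "FIPS" in tokens, "PQ" in tokens
    if has_fips and has_pq:
        return FIPS_PQ
    if has_fips:
        return FIPS
    if has_pq:
        return PQ
    if policy_name.startswith("ELBSecurityPolicy-TLS13-"):
        return TLS13
    return OTHER


def compatible(policy_a, policy_b):
    """FIPS, FIPS-PQ and PQ policies mix with each other; plain TLS policies
    (non-FIPS, non-post-quantum) do not mix with any of them."""
    mixable = {FIPS_PQ, FIPS, PQ}
    return (family(policy_a) in mixable) == (family(policy_b) in mixable)


def audit_listeners(listeners):
    """listeners: {port: policy_name}. Return (conflicting_port_pairs, backend_policy)."""
    if not listeners:
        raise ValueError("no secure listeners given")
    conflicts = [
        (port_a, port_b)
        for (port_a, pol_a), (port_b, pol_b) in combinations(sorted(listeners.items()), 2)
        if not compatible(pol_a, pol_b)
    ]
    families = {family(p) for p in listeners.values()}
    backend = next(policy for fam, policy in BACKEND_POLICY if fam in families)
    return conflicts, backend


def migration_plan(listeners, new_policy):
    """Ordered steps to move every listener to new_policy, per the procedure above."""
    ports = sorted(listeners)
    if all(compatible(p, new_policy) for p in listeners.values()):
        return [f"modify listener {port}: set {new_policy}" for port in ports]
    keep, rest = ports[0], ports[1:]
    return ([f"delete listener {port}" for port in rest]
            + [f"modify listener {keep}: set {new_policy}"]
            + [f"create listener {port} with {new_policy}" for port in rest])


# Constructed input: one listener on each of the two default policies named on this page.
PLANNED = {
    443: "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09",  # console default
    8443: "ELBSecurityPolicy-2016-08",                   # CLI / CloudFormation / CDK default
}

if __name__ == "__main__":
    print(audit_listeners(PLANNED))
```

With the constructed input, the console default and the default used by the other creation methods land in incompatible families, so the pair of ports is reported as a conflict.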

**Contents**
+ [Example describe-ssl-policies commands](#describe-ssl-policies-examples)
+ [TLS security policies](#tls-security-policies)
  + [Protocols by policy](#tls-protocols)
  + [Ciphers by policy](#tls-policy-ciphers)
  + [Policies by cipher](#tls-cipher-policies)
+ [FIPS security policies](#fips-security-policies)
  + [Protocols by policy](#fips-protocols)
  + [Ciphers by policy](#fips-policy-ciphers)
  + [Policies by cipher](#fips-cipher-policies)
+ [FS supported policies](#fs-supported-policies)
  + [Protocols by policy](#fs-protocols)
  + [Ciphers by policy](#fs-policy-ciphers)
  + [Policies by cipher](#fs-cipher-policies)

## Example describe-ssl-policies commands
<a name="describe-ssl-policies-examples"></a>

You can use the [describe-ssl-policies](https://docs.aws.amazon.com/cli/latest/reference/elbv2/describe-ssl-policies.html) AWS CLI command to describe the protocols and ciphers of a security policy, or to find a policy that meets your needs.

The following example describes the specified policy.

```
aws elbv2 describe-ssl-policies \
    --names "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
```

The following example lists the policies that have the specified string in the policy name.

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?contains(Name,'FIPS')].Name"
```

The following example lists the policies that support the specified protocol.

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?contains(SslProtocols,'TLSv1.3')].Name"
```

The following example lists the policies that support the specified cipher.

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?Ciphers[?contains(Name,'TLS_AES_128_GCM_SHA256')]].Name"
```

The following example lists the policies that do not support the specified cipher.

```
aws elbv2 describe-ssl-policies \
    --query 'SslPolicies[?length(Ciphers[?starts_with(Name,`AES128-GCM-SHA256`)]) == `0`].Name'
```

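## TLS security policies
<a name="tls-security-policies"></a>

You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

Policies that support only TLS 1.3 support forward secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 and that have only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.

**Topics**
+ [Protocols by policy](#tls-protocols)
+ [Ciphers by policy](#tls-policy-ciphers)
+ [Policies by cipher](#tls-cipher-policies)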

### Protocols by policy
<a name="tls-protocols"></a>

The following table describes the protocols that each TLS security policy supports.


| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-2021-06 | Yes | No | No | No | 
| ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | Yes | No | No | No | 
| ELBSecurityPolicy-TLS13-1-2-2021-06 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-1-2021-06 | Yes | Yes | Yes | No | 
| ELBSecurityPolicy-TLS13-1-0-2021-06 | Yes | Yes | Yes | Yes | 
| ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | Yes | Yes | Yes | Yes | 
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | No | Yes | No | No | 
| ELBSecurityPolicy-TLS-1-2-2017-01 | No | Yes | No | No | 
| ELBSecurityPolicy-TLS-1-1-2017-01 | No | Yes | Yes | No | 
| ELBSecurityPolicy-2016-08 | No | Yes | Yes | Yes | 

### Ciphers by policy
<a name="tls-policy-ciphers"></a>

The following table describes the ciphers that each TLS security policy supports.


| Security policy | Ciphers | 
| --- | --- | 
|  ELBSecurityPolicy-TLS13-1-3-2021-06<br>ELBSecurityPolicy-TLS13-1-3-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-2021-06<br>ELBSecurityPolicy-TLS13-1-2-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Res-2021-06<br>ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06<br>ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06<br>ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-1-2021-06 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-0-2021-06<br>ELBSecurityPolicy-TLS13-1-0-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-2-2017-01 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-1-2017-01 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-2016-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 

### Policies by cipher
<a name="tls-cipher-policies"></a>

The following table describes the TLS security policies that support each cipher.


| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL** – TLS_AES_128_GCM_SHA256<br>**IANA** – TLS_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1301 | 
|  **OpenSSL** – TLS_AES_256_GCM_SHA384<br>**IANA** – TLS_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1302 | 
|  **OpenSSL** – TLS_CHACHA20_POLY1305_SHA256<br>**IANA** – TLS_CHACHA20_POLY1305_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1303 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256<br>**IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256<br>**IANA** – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA256<br>**IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA256<br>**IANA** – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA<br>**IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA<br>**IANA** – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384<br>**IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384<br>**IANA** – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA384<br>**IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA384<br>**IANA** – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA<br>**IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA<br>**IANA** – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 
|  **OpenSSL** – AES128-GCM-SHA256<br>**IANA** – TLS_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9c | 
|  **OpenSSL** – AES128-SHA256<br>**IANA** – TLS_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3c | 
|  **OpenSSL** – AES128-SHA<br>**IANA** – TLS_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 2f | 
|  **OpenSSL** – AES256-GCM-SHA384<br>**IANA** – TLS_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9d | 
|  **OpenSSL** – AES256-SHA256<br>**IANA** – TLS_RSA_WITH_AES_256_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3d | 
|  **OpenSSL** – AES256-SHA<br>**IANA** – TLS_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 35 | 
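The forward secrecy rule stated at the top of this section, applied to output in the shape returned by `describe-ssl-policies`, as an added example (not AWS code). It generalizes the rule to any protocol set by testing each cipher's form, and it accepts both the OpenSSL and IANA names from the table above; the policy names and cipher lists in the sample are constructed placeholders, not real policy contents.

```python
def is_fs_cipher(name):
    """True for TLS 1.3 suites and ECDHE suites, in OpenSSL or IANA naming.

    IANA names of RSA key exchange suites also start with TLS_ (for example
    TLS_RSA_WITH_AES_128_GCM_SHA256), so a bare TLS_ prefix test is not enough:
    TLS 1.3 suite names are the ones without _WITH_.
    """
    n = name.upper()
    if n.startswith(("ECDHE-", "ECDHE_", "TLS_ECDHE_")):
        return True
    return n.startswith("TLS_") and "_WITH_" not in n


def fs_report(describe_output):
    """Map each policy name to its FS verdict and the ciphers that break it."""
    report = {}
    for policy in describe_output["SslPolicies"]:
        ciphers = sorted(policy["Ciphers"], key=lambda c: c["Priority"])
        non_fs = [c["Name"] for c in ciphers if not is_fs_cipher(c["Name"])]
        tls13_only = set(policy["SslProtocols"]) == {"TLSv1.3"}
        report[policy["Name"]] = {
            "forward_secrecy": tls13_only or not non_fs,
            "non_fs_ciphers": non_fs,
        }
    return report


# Constructed sample in the describe-ssl-policies output shape (placeholder
# policy names; cipher names are taken from the table above).
SAMPLE_OUTPUT = {
    "SslPolicies": [
        {
            "Name": "example-tls13-only",
            "SslProtocols": ["TLSv1.3"],
            "Ciphers": [
                {"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                {"Name": "TLS_AES_256_GCM_SHA384", "Priority": 2},
            ],
        },
        {
            "Name": "example-tls13-tls12-ecdhe",
            "SslProtocols": ["TLSv1.3", "TLSv1.2"],
            "Ciphers": [
                {"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 2},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 3},
            ],
        },
        {
            "Name": "example-tls12-rsa-kex",
            "SslProtocols": ["TLSv1.2"],
            "Ciphers": [
                {"Name": "AES256-SHA", "Priority": 3},
                {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 1},
                {"Name": "AES128-GCM-SHA256", "Priority": 2},
            ],
        },
    ]
}

if __name__ == "__main__":
    for name, verdict in fs_report(SAMPLE_OUTPUT).items():
        print(name, verdict)
```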

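## FIPS security policies
<a name="fips-security-policies"></a>

The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see [Federal Information Processing Standard (FIPS) 140](https://aws.amazon.com/compliance/fips/) on the *AWS Cloud Security Compliance* page.

All FIPS policies use the AWS-LC FIPS validated cryptographic module. To learn more, see the [AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the *NIST Cryptographic Module Validation Program* site.

**Important**  
The policies `ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04` and `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` are provided for legacy compatibility only. Although they use FIPS cryptography through the FIPS140 module, they might not conform to the latest NIST guidance for TLS configuration.

**Topics**
+ [Protocols by policy](#fips-protocols)
+ [Ciphers by policy](#fips-policy-ciphers)
+ [Policies by cipher](#fips-cipher-policies)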

### Protocols by policy
<a name="fips-protocols"></a>

The following table describes the protocols that each FIPS security policy supports.


| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | Yes | No | No | No | 
| ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | Yes | No | No | No | 
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | Yes | Yes | No | No | 
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | Yes | Yes | Yes | No | 
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | Yes | Yes | Yes | Yes | 
| ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | Yes | Yes | Yes | Yes | 

### Ciphers by policy
<a name="fips-policy-ciphers"></a>

The following table describes the ciphers that each FIPS security policy supports.


| Security policies | Ciphers | 
| --- | --- | 
|  ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 

### Policies by cipher
<a name="fips-cipher-policies"></a>

The following table describes the FIPS security policies that support each cipher.


| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL** – TLS_AES_128_GCM_SHA256 **IANA** – TLS_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1301 | 
|  **OpenSSL** – TLS_AES_256_GCM_SHA384 **IANA** – TLS_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1302 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256 **IANA** – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA256 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA256 **IANA** – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA **IANA** – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384 **IANA** – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA384 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA384 **IANA** – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA **IANA** – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 
|  **OpenSSL** – AES128-GCM-SHA256 **IANA** – TLS_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9c | 
|  **OpenSSL** – AES128-SHA256 **IANA** – TLS_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3c | 
|  **OpenSSL** – AES128-SHA **IANA** – TLS_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 2f | 
|  **OpenSSL** – AES256-GCM-SHA384 **IANA** – TLS_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9d | 
|  **OpenSSL** – AES256-SHA256 **IANA** – TLS_RSA_WITH_AES_256_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3d | 
|  **OpenSSL** – AES256-SHA **IANA** – TLS_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 35 | 

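## FS supported policies
<a name="fs-supported-policies"></a>

FS (Forward Secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.

The policies in this section support FS, and "FS" is included in their names. However, these are not the only policies that support FS. Policies that support only TLS 1.3 support FS. Policies that support only TLS 1.3 and TLS 1.2 and have only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.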
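The rule in the paragraph above, applied to a policy's cipher list, as an added example that is not AWS code: the input is a constructed sample in the shape of `aws elbv2 describe-ssl-policies` output, the policy names are hypothetical, and the function names are this example's own. It also accepts IANA names, where `TLS_RSA_WITH_...` matches the `TLS_` prefix without providing FS.

```python
"""Audit ALB security policies for forward secrecy (added example)."""

# Constructed input in the shape of `aws elbv2 describe-ssl-policies` output.
# Policy names are hypothetical; cipher names come from this page's tables.
# One IANA-style name is mixed in on purpose to exercise the prefix trap.
SAMPLE_POLICIES = [
    {"Name": "example-constructed-ecdhe-only",
     "SslProtocols": ["TLSv1.2", "TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                 {"Name": "TLS_AES_256_GCM_SHA384", "Priority": 2},
                 {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 3},
                 {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 4}]},
    {"Name": "example-constructed-with-rsa-kx",
     "SslProtocols": ["TLSv1.2", "TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                 {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                 {"Name": "AES128-GCM-SHA256", "Priority": 3},
                 {"Name": "TLS_RSA_WITH_AES_256_GCM_SHA384", "Priority": 4}]},
]


def cipher_is_forward_secret(name: str) -> bool:
    """Apply the page's rule (TLS_* or ECDHE_* ciphers) to one cipher name."""
    if "_WITH_" in name:
        # IANA TLS 1.2-style name: TLS_<key exchange>_WITH_<cipher>. A name such
        # as TLS_RSA_WITH_... starts with "TLS_" but uses static RSA key exchange.
        key_exchange = name[len("TLS_"):name.index("_WITH_")]
        return key_exchange.startswith("ECDHE")
    if name.startswith("TLS_"):
        return True  # TLS 1.3 suite, which the page lists as providing FS
    return name.startswith("ECDHE-")  # OpenSSL-style TLS 1.2 name


def non_fs_ciphers(policy: dict) -> list:
    """Return the policy's ciphers that lack FS, in priority order."""
    if policy["SslProtocols"] == ["TLSv1.3"]:
        return []  # TLS 1.3-only policies support FS
    ordered = sorted(policy["Ciphers"], key=lambda c: c["Priority"])
    return [c["Name"] for c in ordered if not cipher_is_forward_secret(c["Name"])]


def audit(policies: list) -> dict:
    """Map each policy name to its non-FS ciphers (empty list means FS)."""
    return {p["Name"]: non_fs_ciphers(p) for p in policies}


if __name__ == "__main__":
    for name, weak in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {'FS' if not weak else 'no FS for ' + ', '.join(weak)}")
```

An empty list for a policy means every cipher it offers matches the rule; any name returned is a cipher a client could negotiate without forward secrecy.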

**Topics**
+ [Protocols by policy](#fs-protocols)
+ [Ciphers by policy](#fs-policy-ciphers)
+ [Policies by cipher](#fs-cipher-policies)

### Protocols by policy
<a name="fs-protocols"></a>

The following table describes the protocols that each FS supported security policy supports.


| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-2-2019-08 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-1-2019-08 | No | Yes | Yes | No | 
| ELBSecurityPolicy-FS-2018-06 | No | Yes | Yes | Yes | 

### Ciphers by policy
<a name="fs-policy-ciphers"></a>

The following table describes the ciphers that each FS supported security policy supports.


| Security policies | Ciphers | 
| --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-1-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-2018-06 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 

### Policies by cipher
<a name="fs-cipher-policies"></a>

The following table describes the FS supported security policies that support each cipher.


| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256 **IANA** – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA256 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA256 **IANA** – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA **IANA** – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384 **IANA** – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA384 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA384 **IANA** – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA **IANA** – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 