# Security policies for your Network Load Balancer
<a name="describe-ssl-policies"></a>

When you create a TLS listener, you must select a security policy. A security policy determines which ciphers and protocols are supported during SSL negotiations between your load balancer and clients. You can update the security policy for your load balancer if your requirements change or when we release a new security policy. For more information, see [Update the security policy](listener-update-certificates.md#update-security-policy).

**Considerations**
+ A TLS listener requires a security policy. If you do not specify a security policy when you create the listener, we use the default security policy. The default security policy depends on how you created the TLS listener:
  + **Console** – The default security policy is `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`.
  + **Other methods** (for example, the AWS CLI, AWS CloudFormation, and the AWS CDK) – The default security policy is `ELBSecurityPolicy-2016-08`.
+ Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms. Clients must support the ML-KEM key exchange to use hybrid post-quantum TLS for key exchange. The hybrid post-quantum policies support SecP256r1MLKEM768, SecP384r1MLKEM1024 and X25519MLKEM768 algorithms. For more information, see [Post-quantum Cryptography](https://aws.amazon.com/security/post-quantum-cryptography/).
+ AWS recommends implementing the new post-quantum TLS (PQ-TLS) based security policy  `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` or `ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09`. This policy ensures backward compatibility by supporting clients capable of negotiating hybrid PQ-TLS, TLS 1.3 only, or TLS 1.2 only, thereby minimizing service disruption during the transition to post-quantum cryptography. You can progressively migrate to more restrictive security policies as your client applications develop the capability to negotiate PQ-TLS for key exchange operations.
+ You can enable access logs for information about the TLS requests sent to your Network Load Balancer, analyze TLS traffic patterns, manage security policy upgrades, and troubleshoot issues. Enable access logging for your load balancer and examine the corresponding access log entries. For more information, see [Access logs](load-balancer-access-logs.md) and [Network Load Balancer Example Queries](https://docs.aws.amazon.com/athena/latest/ug/networkloadbalancer-classic-logs.html#query-nlb-example).
+ To view the TLS protocol version (log field position 5) and key exchange (log field position 13) for access requests to your load balancer, enable access logging and examine the corresponding log entries. For more information, see [Access logs](load-balancer-access-logs.md).
+ You can restrict which security policies are available to users across your AWS accounts and AWS Organizations by using the [ Elastic Load Balancing condition keys](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html) in your IAM and service control policies (SCPs), respectively. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ Policies that support only TLS 1.3 support Forward Secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 that have only ciphers of the form TLS\$1\$1 and ECDHE\$1\$1 also provide FS.
+ Network Load Balancers support the Extended Master Secret (EMS) extension for TLS 1.2.

**Backend Connections**

You can choose the security policy that is used for front-end connections, but not backend connections. The security policy for backend connections depends on the listener's security policy. If any of your listeners are using:
+ **FIPS post-quantum TLS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09`
+ **FIPS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04`
+ **Post-quantum TLS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-PQ-2025-09`
+ **TLS 1.3 policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-2021-06`
+ All other TLS policies backend connections use `ELBSecurityPolicy-2016-08`

You can describe the protocols and ciphers using the [describe-ssl-policies](https://docs.aws.amazon.com/cli/latest/reference/elbv2/describe-ssl-policies.html) AWS CLI command, or refer to the tables below.

**Contents**
+ [TLS security policies](#tls-security-policies)
  + [Protocols by policy](#tls-protocols)
  + [Ciphers by policy](#tls-policy-ciphers)
  + [Policies by cipher](#tls-cipher-policies)
+ [FIPS security policies](#fips-security-policies)
  + [Protocols by policy](#fips-protocols)
  + [Ciphers by policy](#fips-policy-ciphers)
  + [Policies by cipher](#fips-cipher-policies)
+ [FS supported security policies](#fs-security-policies)
  + [Protocols by policy](#fs-protocols)
  + [Ciphers by policy](#fs-policy-ciphers)
  + [Policies by cipher](#fs-cipher-policies)

## TLS security policies
<a name="tls-security-policies"></a>

You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

Policies that support only TLS 1.3 support Forward Secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 that have only ciphers of the form TLS\$1\$1 and ECDHE\$1\$1 also provide FS.

**Topics**
+ [Protocols by policy](#tls-protocols)
+ [Ciphers by policy](#tls-policy-ciphers)
+ [Policies by cipher](#tls-cipher-policies)

### Protocols by policy
<a name="tls-protocols"></a>

The following table describes the protocols that each TLS security policy supports.


| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-2021-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-2021-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-1-2021-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-0-2021-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | 
| ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | 
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS-1-2-2017-01 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS-1-1-2017-01 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-2016-08 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | 
| ELBSecurityPolicy-2015-05 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | 

### Ciphers by policy
<a name="tls-policy-ciphers"></a>

The following table describes the ciphers that each TLS security policy supports.


| Security policy | Ciphers | 
| --- | --- | 
|  ELBSecurityPolicy-TLS13-1-3-2021-06 ELBSecurityPolicy-TLS13-1-3-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-2021-06 ELBSecurityPolicy-TLS13-1-2-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Res-2021-06 ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-1-2021-06 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-0-2021-06 ELBSecurityPolicy-TLS13-1-0-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-2-2017-01 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-1-2017-01 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-2016-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-2015-05 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 

### Policies by cipher
<a name="tls-cipher-policies"></a>

The following table describes the TLS security policies that support each cipher.


| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL** – TLS\$1AES\$1128\$1GCM\$1SHA256 **IANA** – TLS\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 1301 | 
|  **OpenSSL** – TLS\$1AES\$1256\$1GCM\$1SHA384 **IANA** – TLS\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 1302 | 
|  **OpenSSL** – TLS\$1CHACHA20\$1POLY1305\$1SHA256 **IANA** – TLS\$1CHACHA20\$1POLY1305\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 1303 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA256 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA256 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA384 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA384 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c014 | 
|  **OpenSSL** – AES128-GCM-SHA256 **IANA** – TLS\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 9c | 
|  **OpenSSL** – AES128-SHA256 **IANA** – TLS\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 3c | 
|  **OpenSSL** – AES128-SHA **IANA** – TLS\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 2f | 
|  **OpenSSL** – AES256-GCM-SHA384 **IANA** – TLS\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 9d | 
|  **OpenSSL** – AES256-SHA256 **IANA** – TLS\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 3d | 
|  **OpenSSL** – AES256-SHA **IANA** – TLS\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 35 | 

## FIPS security policies
<a name="fips-security-policies"></a>

The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see [Federal Information Processing Standard (FIPS) 140](https://aws.amazon.com/compliance/fips/) on the *AWS Cloud Security Compliance* page.

All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To learn more, see the [ AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the *NIST Cryptographic Module Validation Program* site.

**Important**  
Policies `ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04` and `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` are provided for legacy compatibility only. While they utilize FIPS cryptography using the FIPS140 module, they may not conform to the latest NIST guidance for TLS configuration.

**Topics**
+ [Protocols by policy](#fips-protocols)
+ [Ciphers by policy](#fips-policy-ciphers)
+ [Policies by cipher](#fips-cipher-policies)

### Protocols by policy
<a name="fips-protocols"></a>

The following table describes the protocols that each FIPS security policy supports.


| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09  | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | 
| ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | 

### Ciphers by policy
<a name="fips-policy-ciphers"></a>

The following table describes the ciphers that each FIPS security policy supports.


| Security policy | Ciphers | 
| --- | --- | 
|  ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
|  ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 

### Policies by cipher
<a name="fips-cipher-policies"></a>

The following table describes the FIPS security policies that support each cipher.


| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL** – TLS\$1AES\$1128\$1GCM\$1SHA256 **IANA** – TLS\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 1301 | 
|  **OpenSSL** – TLS\$1AES\$1256\$1GCM\$1SHA384 **IANA** – TLS\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 1302 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA256 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA256 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA384 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA384 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c014 | 
|  **OpenSSL** – AES128-GCM-SHA256 **IANA** – TLS\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 9c | 
|  **OpenSSL** – AES128-SHA256 **IANA** – TLS\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 3c | 
|  **OpenSSL** – AES128-SHA **IANA** – TLS\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 2f | 
|  **OpenSSL** – AES256-GCM-SHA384 **IANA** – TLS\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 9d | 
|  **OpenSSL** – AES256-SHA256 **IANA** – TLS\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 3d | 
|  **OpenSSL** – AES256-SHA **IANA** – TLS\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 35 | 

## FS supported security policies
<a name="fs-security-policies"></a>

FS (Forward Secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.

The policies in this section support FS, and "FS" is included in their names. However, these are not the only policies that support FS. Policies that support only TLS 1.3 support FS. Policies that support TLS 1.3 and TLS 1.2 that have only ciphers of the form TLS\$1\$1 and ECDHE\$1\$1 also provide FS.

**Topics**
+ [Protocols by policy](#fs-protocols)
+ [Ciphers by policy](#fs-policy-ciphers)
+ [Policies by cipher](#fs-cipher-policies)

### Protocols by policy
<a name="fs-protocols"></a>

The following table describes the protocols that each FS supported security policy supports.


| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-FS-1-2-2019-08 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-FS-1-1-2019-08 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | 
| ELBSecurityPolicy-FS-2018-06 | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/negative_icon.png) No | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | ![\[alt text not found\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/images/success_icon.png) Yes | 

### Ciphers by policy
<a name="fs-policy-ciphers"></a>

The following table describes the ciphers that each FS supported security policy supports.


| Security policy | Ciphers | 
| --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-1-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-2018-06 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 

### Policies by cipher
<a name="fs-cipher-policies"></a>

The following table describes the FS supported security policies that support each cipher.


| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA256 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA256 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA384 **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA384 **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA **IANA** – TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA **IANA** – TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c014 |