本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# Network Load Balancer 的安全政策
建立 TLS 接聽程式時,您必須選取安全政策。安全政策會決定在負載平衡器和用戶端之間的 SSL 交涉期間支援哪些加密和通訊協定。如果您的需求變更或當我們發佈新的安全政策時,您可以更新負載平衡器的安全政策。如需詳細資訊,請參閱[更新安全政策](listener-update-certificates.md#update-security-policy)。
**考量事項**
+ TLS 接聽程式需要安全政策。如果您在建立接聽程式時未指定安全政策,我們會使用預設的安全政策。預設安全政策取決於您建立 TLS 接聽程式的方式:
+ **主控台** – 預設安全政策為 `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`。
+ **其他方法** (例如 AWS CLI AWS CloudFormation和 AWS CDK) – 預設安全政策為 `ELBSecurityPolicy-2016-08`。
+ 名稱中具有 PQ 的安全政策提供混合式後量子金鑰交換。為了相容性,它們支援傳統和後量子 ML-KEM 金鑰交換演算法。用戶端必須支援 ML-KEM 金鑰交換,才能使用混合式後量子 TLS 進行金鑰交換。混合式後量子政策支援 SecP256r1MLKEM768、SecP384r1MLKEM1024 和 X25519MLKEM768 演算法。如需詳細資訊,請參閱[後量子密碼編譯](https://aws.amazon.com/security/post-quantum-cryptography/)。
+ AWS 建議實作新的後量子 TLS (PQ-TLS) 型安全政策 `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`或 `ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09`。此政策透過支援僅能夠交涉混合 PQ-TLS、TLS 1.3 或 TLS 1.2 的用戶端來確保回溯相容性,從而最大限度地減少轉換為量子後密碼編譯期間的服務中斷。隨著用戶端應用程式開發交涉 PQ-TLS 以進行金鑰交換操作的能力,您可以逐步遷移到更嚴格的安全政策。
+ 您可以啟用存取日誌,以取得傳送至 Network Load Balancer 的 TLS 請求相關資訊、分析 TLS 流量模式、管理安全政策升級,以及疑難排解問題。啟用負載平衡器的存取記錄,並檢查對應的存取日誌項目。如需詳細資訊,請參閱[存取日誌](load-balancer-access-logs.md)和 [Network Load Balancer 範例查詢](https://docs.aws.amazon.com/athena/latest/ug/networkloadbalancer-classic-logs.html#query-nlb-example)。
+ 若要檢視對負載平衡器的存取請求的 TLS 通訊協定版本 (日誌欄位位置 5) 和金鑰交換 (日誌欄位位置 13),請啟用存取記錄並檢查對應的日誌項目。如需詳細資訊,請參閱[存取日誌](load-balancer-access-logs.md)。
+ 您可以分別在 IAM 和服務控制政策 (SCPs) 中使用 [ Elastic Load Balancing 條件金鑰](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html) AWS 帳戶 ,來限制哪些安全政策可供 AWS Organizations 和 的使用者使用。如需詳細資訊,請參閱《AWS Organizations 使用者指南》**中的[服務控制政策 (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)。
+ 僅支援 TLS 1.3 的政策支援轉送秘密 (FS)。支援僅具有 TLS\_\* 和 ECDHE\_\* 格式密碼的 TLS 1.3 和 TLS 1.2 的政策也提供 FS。
+ Network Load Balancer 支援 TLS 1.2 的擴充主機密 (EMS) 延伸。
**後端連線**
您可以選擇用於前端連線的安全政策,但不能選擇後端連線。後端連線的安全政策取決於接聽程式的安全政策。如果有任何接聽程式正在使用:
+ **FIPS 後量子 TLS 政策** - 後端連線使用 `ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09`
+ **FIPS 政策** - 後端連線使用 `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04`
+ **後量子 TLS 政策** - 後端連線使用 `ELBSecurityPolicy-TLS13-1-0-PQ-2025-09`
+ **TLS 1.3 政策** - 後端連線使用 `ELBSecurityPolicy-TLS13-1-0-2021-06`
+ 所有其他 TLS 政策後端連線都使用 `ELBSecurityPolicy-2016-08`
您可以使用 [describe-ssl-policies](https://docs.aws.amazon.com/cli/latest/reference/elbv2/describe-ssl-policies.html) AWS CLI 命令描述通訊協定和密碼,或參考下表。
**Contents**
+ [TLS 安全政策](#tls-security-policies)
+ [依政策的通訊協定](#tls-protocols)
+ [政策的 Ciphers](#tls-policy-ciphers)
+ [依密碼排列的政策](#tls-cipher-policies)
+ [FIPS 安全政策](#fips-security-policies)
+ [依政策的通訊協定](#fips-protocols)
+ [依政策的 Ciphers](#fips-policy-ciphers)
+ [依密碼排列的政策](#fips-cipher-policies)
+ [FS 支援的安全政策](#fs-security-policies)
+ [依政策的通訊協定](#fs-protocols)
+ [政策的 Ciphers](#fs-policy-ciphers)
+ [依密碼排列的政策](#fs-cipher-policies)
## TLS 安全政策
您可以使用 TLS 安全政策來符合需要停用特定 TLS 通訊協定版本的合規和安全標準,或支援需要已棄用密碼的舊版用戶端。
僅支援 TLS 1.3 的政策支援轉送秘密 (FS)。支援僅具有 TLS\_\* 和 ECDHE\_\* 格式密碼的 TLS 1.3 和 TLS 1.2 的政策也提供 FS。
**Topics**
+ [依政策的通訊協定](#tls-protocols)
+ [政策的 Ciphers](#tls-policy-ciphers)
+ [依密碼排列的政策](#tls-cipher-policies)
### 依政策的通訊協定
下表說明每個 TLS 安全政策支援的通訊協定。
| 安全政策 | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-TLS13-1-3-2021-06 |  是 |  否 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 |  是 |  否 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-2021-06 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-1-2021-06 |  是 |  是 |  是 |  否 |
| ELBSecurityPolicy-TLS13-1-0-2021-06 |  是 |  是 |  是 |  是 |
| ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 |  是 |  是 |  是 |  是 |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 |  否 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS-1-2-2017-01 |  否 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS-1-1-2017-01 |  否 |  是 |  是 |  否 |
| ELBSecurityPolicy-2016-08 |  否 |  是 |  是 |  是 |
| ELBSecurityPolicy-2015-05 |  否 |  是 |  是 |  是 |
### 政策的 Ciphers
下表說明每個 TLS 安全政策支援的加密。
| 安全政策 | 加密方式 |
| --- | --- |
| ELBSecurityPolicy-TLS13-1-3-2021-06
ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-2021-06
ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06
ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-1-2021-06 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-0-2021-06
ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-2-2017-01 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-1-2017-01 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-2016-08 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-2015-05 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
### 依密碼排列的政策
下表說明支援每個密碼的 TLS 安全政策。
| 密碼名稱 | 安全政策 | 密碼套件 |
| --- | --- | --- |
| **OpenSSL** – TLS\_AES\_128\_GCM\_SHA256
**IANA** – TLS\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1301 |
| **OpenSSL** – TLS\_AES\_256\_GCM\_SHA384
**IANA** – TLS\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1302 |
| **OpenSSL** – TLS\_CHACHA20\_POLY1305\_SHA256
**IANA** – TLS\_CHA20\_POLY1305\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1303 |
| **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02b |
| **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02f |
| **OpenSSL** – ECDHE-ECDSA-AES128-SHA256
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c023 |
| **OpenSSL** – ECDHE-RSA-AES128-SHA256
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c027 |
| **OpenSSL** – ECDHE-ECDSA-AES128-SHA
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c009 |
| **OpenSSL** – ECDHE-RSA-AES128-SHA
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c013 |
| **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02c |
| **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c030 |
| **OpenSSL** – ECDHE-ECDSA-AES256-SHA384
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c024 |
| **OpenSSL** – ECDHE-RSA-AES256-SHA384
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c028 |
| **OpenSSL** – ECDHE-ECDSA-AES256-SHA
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c00a |
| **OpenSSL** – ECDHE-RSA-AES256-SHA
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c014 |
| **OpenSSL** – AES128-GCM-SHA256
**IANA** – TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9c |
| **OpenSSL** – AES128-SHA256
**IANA** – TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3c |
| **OpenSSL** – AES128-SHA
**IANA** – TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 2f |
| **OpenSSL** – AES256-GCM-SHA384
**IANA** – TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9d |
| **OpenSSL** – AES256-SHA256
**IANA** – TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3d |
| **OpenSSL** – AES256-SHA
**IANA** – TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 35 |
## FIPS 安全政策
聯邦資訊處理標準 (FIPS) 是美國和加拿大政府標準,指定保護敏感資訊之密碼編譯模組的安全要求。若要進一步了解,請參閱*AWS 雲端安全合規*頁面上的[聯邦資訊處理標準 (FIPS) 140](https://aws.amazon.com/compliance/fips/)。
所有 FIPS 政策都會利用 AWS-LC FIPS 驗證的密碼編譯模組。若要進一步了解,請參閱 NIST [ 密碼編譯模組驗證計劃網站上的 AWS-LC](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) 密碼編譯模組頁面。 **
**重要**
政策和 `ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04` `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` 僅供舊版相容性使用。雖然他們使用 FIPS140 模組來使用 FIPS 密碼編譯,但可能不符合 TLS 組態的最新 NIST 指引。
**Topics**
+ [依政策的通訊協定](#fips-protocols)
+ [依政策的 Ciphers](#fips-policy-ciphers)
+ [依密碼排列的政策](#fips-cipher-policies)
### 依政策的通訊協定
下表說明每個 FIPS 安全政策支援的通訊協定。
| 安全政策 | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 |  是 |  否 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 |  是 |  否 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 |  是 |  是 |  否 |  否 |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 |  是 |  是 |  是 |  否 |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 |  是 |  是 |  是 |  是 |
| ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 |  是 |  是 |  是 |  是 |
### 依政策的 Ciphers
下表說明每個 FIPS 安全政策支援的加密。
| 安全政策 | 加密方式 |
| --- | --- |
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04
ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
### 依密碼排列的政策
下表說明支援每個密碼的 FIPS 安全政策。
| 密碼名稱 | 安全政策 | 密碼套件 |
| --- | --- | --- |
| **OpenSSL** – TLS\_AES\_128\_GCM\_SHA256
**IANA** – TLS\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1301 |
| **OpenSSL** – TLS\_AES\_256\_GCM\_SHA384
**IANA** – TLS\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1302 |
| **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02b |
| **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02f |
| **OpenSSL** – ECDHE-ECDSA-AES128-SHA256
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c023 |
| **OpenSSL** – ECDHE-RSA-AES128-SHA256
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c027 |
| **OpenSSL** – ECDHE-ECDSA-AES128-SHA
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c009 |
| **OpenSSL** – ECDHE-RSA-AES128-SHA
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c013 |
| **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02c |
| **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c030 |
| **OpenSSL** – ECDHE-ECDSA-AES256-SHA384
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c024 |
| **OpenSSL** – ECDHE-RSA-AES256-SHA384
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c028 |
| **OpenSSL** – ECDHE-ECDSA-AES256-SHA
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c00a |
| **OpenSSL** – ECDHE-RSA-AES256-SHA
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c014 |
| **OpenSSL** – AES128-GCM-SHA256
**IANA** – TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9c |
| **OpenSSL** – AES128-SHA256
**IANA** – TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3c |
| **OpenSSL** – AES128-SHA
**IANA** – TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 2f |
| **OpenSSL** – AES256-GCM-SHA384
**IANA** – TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9d |
| **OpenSSL** – AES256-SHA256
**IANA** – TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3d |
| **OpenSSL** – AES256-SHA
**IANA** – TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 35 |
## FS 支援的安全政策
FS (Forward Secrecy) 支援的安全政策透過使用唯一的隨機工作階段金鑰,提供額外的保護,防止加密資料的竊聽。這可防止對擷取的資料進行解碼,即使秘密長期金鑰遭到入侵也一樣。
本節中的政策支援 FS,且「FS」包含在其名稱中。不過,這些不是支援 FS 的唯一政策。僅支援 TLS 1.3 的政策支援 FS。支援僅具有 TLS\_\* 和 ECDHE\_\* 格式密碼的 TLS 1.3 和 TLS 1.2 的政策也提供 FS。
**Topics**
+ [依政策的通訊協定](#fs-protocols)
+ [政策的 Ciphers](#fs-policy-ciphers)
+ [依密碼排列的政策](#fs-cipher-policies)
### 依政策的通訊協定
下表說明每個 FS 支援的安全政策支援的通訊協定。
| 安全政策 | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-FS-1-2-Res-2020-10 |  否 |  是 |  否 |  否 |
| ELBSecurityPolicy-FS-1-2-Res-2019-08 |  否 |  是 |  否 |  否 |
| ELBSecurityPolicy-FS-1-2-2019-08 |  否 |  是 |  否 |  否 |
| ELBSecurityPolicy-FS-1-1-2019-08 |  否 |  是 |  是 |  否 |
| ELBSecurityPolicy-FS-2018-06 |  否 |  是 |  是 |  是 |
### 政策的 Ciphers
下表說明每個 FS 支援的安全政策支援的密碼。
| 安全政策 | 加密方式 |
| --- | --- |
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-FS-1-2-2019-08 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-FS-1-1-2019-08 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-FS-2018-06 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
### 依密碼排列的政策
下表說明支援每個密碼的 FS 支援安全政策。
| 密碼名稱 | 安全政策 | 密碼套件 |
| --- | --- | --- |
| **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02b |
| **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02f |
| **OpenSSL** – ECDHE-ECDSA-AES128-SHA256
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c023 |
| **OpenSSL** – ECDHE-RSA-AES128-SHA256
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c027 |
| **OpenSSL** – ECDHE-ECDSA-AES128-SHA
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c009 |
| **OpenSSL** – ECDHE-RSA-AES128-SHA
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c013 |
| **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02c |
| **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c030 |
| **OpenSSL** – ECDHE-ECDSA-AES256-SHA384
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c024 |
| **OpenSSL** – ECDHE-RSA-AES256-SHA384
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c028 |
| **OpenSSL** – ECDHE-ECDSA-AES256-SHA
**IANA** – TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c00a |
| **OpenSSL** – ECDHE-RSA-AES256-SHA
**IANA** – TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c014 |