Ensure the Security Policy of the Network Load Balancer is updated

Elastic Load Balancing uses a TLS negotiation configuration, known as a security policy, to negotiate TLS connections between a client and the load balancer. The ELBSecurityPolicy-2016-08 security policy is always used for backend connections. Network Load Balancers do not support custom security policies. When you create a TLS listener, you can select the security policy that meets your needs. When a new security policy is added, you can update your TLS listener to use the new security policy.

Risk Level: High
Cloud Entity: Network Load Balancer
CloudGuard Rule ID: D9.AWS.CRY.38
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

NetworkLoadBalancer should have listeners contain [securityPolicy in('ELBSecurityPolicy-2016-08', 'ELBSecurityPolicy-FS-2018-06', 'ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06', 'ELBSecurityPolicy-TLS13-1-2-2021-06') ]

REMEDIATION

From Portal

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
  2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
  3. Select the load balancer and go to 'Listeners'.
  4. Select the check box for the TLS listener, then choose Actions and 'Edit listener'.
  5. Go to 'Security policy' under 'Secure listener settings'.
  6. Choose a recommended security policy from the dropdown list.
  7. Choose 'Save changes'.

From TF

resource "aws_lb_listener" "test" {
  load_balancer_arn = aws_lb.test.arn
  port              = "443"
  protocol          = "TLS" # Network Load Balancer TLS listener (HTTPS is the Application Load Balancer equivalent)
  # Set ssl_policy to one of the secure policies accepted by the rule:
  # "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-FS-2018-06",
  # "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06", "ELBSecurityPolicy-TLS13-1-2-2021-06"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = "Certificate_ARN" # replace with the ARN of the certificate served by this listener

  # The original snippet elides this block; a forward to an assumed target group is shown for completeness
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.test.arn
  }
}

From Command Line

aws elbv2 modify-listener --listener-arn ARN_VALUE --ssl-policy RECOMMENDED_POLICY_NAME
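To check listeners the way the GSL logic above does and to produce the matching `modify-listener` command for each finding, here is an added example (not CloudGuard's or AWS's code). It reads the JSON that `aws elbv2 describe-listeners` prints and flags every TLS listener whose SslPolicy is outside the accepted set; it is stricter than the GSL `contain`, which is satisfied when at least one listener matches. The sample ARNs and the "ELBSecurityPolicy-OUTDATED-EXAMPLE" name are constructed placeholders.

```python
import json

# Policies accepted by CloudGuard rule D9.AWS.CRY.38 (the set from the GSL logic above).
COMPLIANT_POLICIES = frozenset({
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-FS-2018-06",
    "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
})
# Policy proposed in the generated remediation command; any member of the set is acceptable.
RECOMMENDED_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"


def audit_listeners(describe_listeners_json):
    """Return [(listener_arn, ssl_policy), ...] for every TLS listener whose policy is
    outside COMPLIANT_POLICIES. Input is the JSON text printed by
    `aws elbv2 describe-listeners --load-balancer-arn <arn>`.
    TCP and UDP listeners do not negotiate TLS, carry no SslPolicy, and are skipped.
    """
    findings = []
    for listener in json.loads(describe_listeners_json).get("Listeners", []):
        if listener.get("Protocol") != "TLS":
            continue
        policy = listener.get("SslPolicy")  # None when the field is absent: also a finding
        if policy not in COMPLIANT_POLICIES:
            findings.append((listener["ListenerArn"], policy))
    return findings


def remediation_commands(findings):
    """One modify-listener call per finding, matching the command-line remediation above."""
    return [
        f"aws elbv2 modify-listener --listener-arn {arn} --ssl-policy {RECOMMENDED_POLICY}"
        for arn, _ in findings
    ]


# Constructed sample in the describe-listeners output shape (placeholder ARNs and policy name).
SAMPLE = json.dumps({"Listeners": [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/example-nlb/0123456789abcdef/aaaa",
     "Port": 443, "Protocol": "TLS", "SslPolicy": "ELBSecurityPolicy-OUTDATED-EXAMPLE"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/example-nlb/0123456789abcdef/bbbb",
     "Port": 8443, "Protocol": "TLS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/example-nlb/0123456789abcdef/cccc",
     "Port": 80, "Protocol": "TCP"},
]})

if __name__ == "__main__":
    for cmd in remediation_commands(audit_listeners(SAMPLE)):
        print(cmd)
```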

References

  1. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html
  2. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html

Network Load Balancer

A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset