Load Balancers should use the latest security policy

Description

Secure your Amazon Application Load Balancer (ALB) with the latest predefined AWS security policy. This check applies only when a TLS listener is configured; HTTP-only listeners are skipped. It passes only for the 2025-09 post-quantum (PQ) policies:

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-3-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09
  • ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09

Remediation

From the console

Follow the Update security policy docs to learn how to update your HTTPS listener with the latest security policy.

From the command line

Run modify-listener with the ARN of the listener and the recommended SSL policy.

aws elbv2 modify-listener \
    --listener-arn <insert-listener-arn> \
    --ssl-policy <insert-policy-name>

Review the Security policies docs for Amazon-recommended security policies.
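As an added example, not part of this check's own code, the following Python script models the check logic described above (HTTP-only listeners are skipped; TLS listeners pass only on one of the 2025-09 PQ policies) and builds the modify-listener remediation for each failing listener. It assumes listener dicts shaped like aws elbv2 describe-listeners output, and the ARNs and the older policy name in the sample are constructed for illustration.

```python
# Added example: offline model of the check above and its remediation (constructed input).

# The 2025-09 post-quantum policies the check accepts (the list on this page).
COMPLIANT_POLICIES = frozenset({
    "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-3-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09",
    "ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09",
})
# Assumption: ALB TLS listeners report Protocol "HTTPS"; NLB "TLS" is treated
# the same. Anything else is an HTTP-only listener and is skipped, not failed.
TLS_PROTOCOLS = frozenset({"HTTPS", "TLS"})

def evaluate_listener(listener: dict) -> str:
    """Return 'SKIP' for non-TLS listeners, else 'PASS' or 'FAIL'."""
    if str(listener.get("Protocol", "")).upper() not in TLS_PROTOCOLS:
        return "SKIP"
    return "PASS" if listener.get("SslPolicy") in COMPLIANT_POLICIES else "FAIL"

def remediation_command(listener: dict, policy: str = "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09") -> str:
    """Build the modify-listener call that moves a listener to a compliant policy."""
    if policy not in COMPLIANT_POLICIES:
        raise ValueError(f"{policy} is not one of the 2025-09 PQ policies")
    return (f"aws elbv2 modify-listener --listener-arn {listener['ListenerArn']} "
            f"--ssl-policy {policy}")

def audit(listeners: list) -> tuple:
    """Map each listener ARN to its verdict and collect fixes for the failures."""
    results = {l["ListenerArn"]: evaluate_listener(l) for l in listeners}
    fixes = [remediation_command(l) for l in listeners
             if results[l["ListenerArn"]] == "FAIL"]
    return results, fixes

# Constructed sample: an HTTP listener, a TLS listener on an older policy, a compliant one.
ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/example/0123/"
SAMPLE_LISTENERS = [
    {"ListenerArn": ARN + "http80", "Protocol": "HTTP", "Port": 80},
    {"ListenerArn": ARN + "https443", "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": ARN + "https8443", "Protocol": "HTTPS", "Port": 8443,
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09"},
]
```

Running audit(SAMPLE_LISTENERS) yields SKIP, FAIL and PASS for the three listeners and one modify-listener command for the failing one.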