--- title: Load Balancers should use the latest security policy description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > OOTB Rules > Load Balancers should use the latest security policy --- # Load Balancers should use the latest security policy ## Description{% #description %} Secure your Amazon Application Load Balancer (ALB) with the latest predefined AWS security policy. This check applies only when a TLS listener is configured; HTTP-only listeners are skipped. It passes only for the 2025-09 post-quantum (PQ) policies: - `ELBSecurityPolicy-TLS13-1-2-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-3-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09` - `ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09` ## Remediation{% #remediation %} ### From the console{% #from-the-console %} Follow the [Update security policy](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy) docs to learn how to update your HTTPS listener with the latest security policy. ### From the command line{% #from-the-command-line %} Run `modify-listener` with the [ARN of the listener and the recommended SSL policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html). ```gdscript3 aws elbv2 create-listener --load-balancer-arn \ --ssl-policy --default-actions ``` Review the [Security policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) docs for Amazon-recommended security policies.