Configure TLS security policies on your Amazon Lightsail load balancer - Amazon Lightsail

After you enable HTTPS on your Amazon Lightsail load balancer, you can configure a TLS security policy for the encrypted connections. This guide provides information about the security policies that you can configure on Lightsail load balancers, and the procedures for updating your load balancer's security policy. For more information about load balancers, see Load balancers.

Security policies overview

Lightsail load balancing uses a Secure Sockets Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection. Lightsail load balancers do not support SSL renegotiation for client or target connections.

The TLS-2016-08 security policy is configured by default when you enable HTTPS on a Lightsail load balancer. You can configure a different security policy as needed, as described later in this guide. You can choose the security policy only for front-end connections. The TLS-2016-08 security policy is always used for backend connections. Lightsail load balancers do not support custom security policies.
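The following example models the negotiation described above. It is added here for illustration and is not Lightsail code. The protocol set assumed for each policy (TLS-2016-08: TLS 1.0, 1.1, and 1.2; TLS-FS-1-2-Res-2019-08: TLS 1.2 only) corresponds to the two console options described later in this guide; the cipher lists are abbreviated, assumed subsets rather than the full policy tables, and the two client profiles are constructed. It shows why a client that only speaks TLS 1.0 can connect under TLS-2016-08 but not under the restrictive policy, and how server preference, not the client's order, decides the cipher.

```python
"""Model of TLS security-policy negotiation (added example, not Lightsail code).

ASSUMPTIONS: protocol sets per policy follow the two console options on this
page; cipher lists are illustrative subsets; client profiles are constructed.
"""
from dataclasses import dataclass

# Protocol versions ordered oldest to newest.
PROTOCOL_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    protocols: frozenset  # protocol versions the load balancer accepts
    ciphers: tuple        # the load balancer's preference order


POLICIES = {
    "TLS-2016-08": SecurityPolicy(
        name="TLS-2016-08",
        protocols=frozenset(PROTOCOL_ORDER),  # assumed: TLS 1.0, 1.1 and 1.2
        ciphers=(                              # assumed subset of the real list
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "AES128-GCM-SHA256",  # RSA key exchange, no forward secrecy
            "AES128-SHA",         # CBC suite that legacy clients can use
        ),
    ),
    "TLS-FS-1-2-Res-2019-08": SecurityPolicy(
        name="TLS-FS-1-2-Res-2019-08",
        protocols=frozenset({"TLSv1.2"}),      # assumed: TLS 1.2 only
        ciphers=(                              # assumed subset: forward secrecy only
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384",
        ),
    ),
}


def negotiate(policy_name, client_protocols, client_ciphers, server_preference=True):
    """Return (protocol, cipher) for a successful handshake, or None if it fails.

    The protocol is the newest version both sides support. With server
    preference (the default described in the text) the cipher is the first one
    on the load balancer's list that the client also offers; with client
    preference it is the first one on the client's list the server accepts.
    """
    policy = POLICIES[policy_name]
    common = [p for p in PROTOCOL_ORDER
              if p in policy.protocols and p in client_protocols]
    if not common:
        return None  # no shared protocol version: handshake fails
    protocol = common[-1]

    if server_preference:
        offered = set(client_ciphers)
        chosen = next((c for c in policy.ciphers if c in offered), None)
    else:
        accepted = set(policy.ciphers)
        chosen = next((c for c in client_ciphers if c in accepted), None)
    return None if chosen is None else (protocol, chosen)


# Constructed client profiles: (protocols supported, ciphers in client order).
MODERN_BROWSER = (
    {"TLSv1.2"},
    ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
)
LEGACY_CLIENT = ({"TLSv1.0"}, ["AES128-SHA", "DES-CBC3-SHA"])


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "modern:", negotiate(policy, *MODERN_BROWSER))
        print(policy, "legacy:", negotiate(policy, *LEGACY_CLIENT))
```

Under TLS-2016-08 the legacy client gets a TLS 1.0 connection with AES128-SHA; under TLS-FS-1-2-Res-2019-08 the same client cannot connect at all, which is the trade-off the console describes between the two protocol options. The modern browser receives ECDHE-RSA-AES128-GCM-SHA256 under both policies even though it listed AES128-SHA first, because the load balancer's order wins.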

Supported security policies and protocols

Lightsail load balancers can be configured with the following security policies and protocols:

Supported TLS security policies

Complete the prerequisites

Complete the following prerequisites if you haven't already:

Configure a security policy using the Lightsail console

Complete the following procedure to configure a security policy using the Lightsail console.

  1. Sign in to the Lightsail console.

  2. On the Lightsail home page, choose the Networking tab.

  3. Choose the name of the load balancer for which you want to configure a TLS security policy.

  4. Choose the Inbound traffic tab.

  5. Choose Change protocols under the TLS security protocols section of the page.

  6. Select one of the following options in the Supported protocols dropdown menu:

    • TLS version 1.2 — This option is the most secure but older browsers might be unable to connect.

    • TLS version 1.0, 1.1, and 1.2 — This option offers the most compatibility with browsers.

  7. Choose Save to apply the selected protocol to your load balancer.

    Your change takes a few moments to become effective.

Configure a security policy using the AWS CLI

Complete the following procedure to configure a security policy using the AWS Command Line Interface (AWS CLI). You do this by using the update-load-balancer-attribute command. For more information, see update-load-balancer-attribute in the AWS CLI Command Reference.

Note

You must install the AWS CLI and configure it for Lightsail before continuing with this procedure. For more information, see Configure the AWS CLI to work with Lightsail.

  1. Open a Command Prompt or Terminal window.

  2. Enter the following command to change the TLS security policy for your load balancer.

    aws lightsail update-load-balancer-attribute --load-balancer-name LoadBalancerName --attribute-name TlsPolicyName --attribute-value AttributeValue

    In the command, replace the following example text with your own:

    • LoadBalancerName with the name of the load balancer for which you want to change the TLS security policy.

    • AttributeValue with the TLS-2016-08 or TLS-FS-1-2-Res-2019-08 security policy.

      Note

      The TlsPolicyName attribute in the command specifies that you wish to edit the TLS security policy that is configured on the load balancer.

    Example:

    aws lightsail update-load-balancer-attribute --load-balancer-name MyLoadBalancer --attribute-name TlsPolicyName --attribute-value TLS-2016-08

    Your change takes a few moments to become effective.
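Because the change takes a few moments to become effective, and because the policy applies only to front-end connections, it is worth confirming from the outside that the load balancer now accepts exactly the protocol versions the chosen policy allows. The following script is an added example, not part of the Lightsail documentation or the AWS CLI. It uses Python's standard ssl module to attempt one handshake per TLS version against the load balancer's DNS name and compares the outcome with the versions the policy should permit. The policy-to-protocol mapping is assumed (TLS-2016-08: TLS 1.0, 1.1, and 1.2; TLS-FS-1-2-Res-2019-08: TLS 1.2 only), and the hostname is a placeholder you replace with your own.

```python
"""Check which TLS versions a load balancer front end accepts (added example).

ASSUMPTIONS: EXPECTED_PROTOCOLS mirrors the two console options on this page;
lb.example.com is a placeholder for your load balancer's DNS name.
"""
import socket
import ssl

EXPECTED_PROTOCOLS = {
    "TLS-2016-08": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "TLS-FS-1-2-Res-2019-08": {"TLSv1.2"},
}

PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def handshake_succeeds(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version.

    Returns True if the server completed it, False if it was refused, and
    None if this client's OpenSSL build cannot speak that version at all
    (in which case nothing can be concluded about the server).
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level.
            # Lower it for this probe only, so a refusal we observe is the load
            # balancer's decision and not our own client's.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # ssl.SSLError and socket.timeout are subclasses
        return False


def probe(host, port=443):
    """Map each probed version name to True / False / None (see above)."""
    return {name: handshake_succeeds(host, port, v) for name, v in PROBE_VERSIONS.items()}


def compare(policy_name, observed):
    """Return the deviations between observed behaviour and the policy.

    `observed` maps a version name to True (accepted), False (refused) or
    None (not testable from this client). An empty list means the front end
    behaves exactly as the policy prescribes.
    """
    expected = EXPECTED_PROTOCOLS[policy_name]
    findings = []
    for version, accepted in observed.items():
        if accepted is None:
            findings.append(f"{version}: not testable from this client")
        elif accepted and version not in expected:
            findings.append(f"{version}: accepted but not allowed by {policy_name}")
        elif not accepted and version in expected:
            findings.append(f"{version}: refused although {policy_name} allows it")
    return findings


if __name__ == "__main__":
    HOST = "lb.example.com"  # placeholder: your load balancer's DNS name
    results = probe(HOST)
    for line in compare("TLS-FS-1-2-Res-2019-08", results) or ["policy enforced as expected"]:
        print(line)
```

Run it against the load balancer's DNS name with the policy you just set; a finding of the form "TLSv1.0: accepted but not allowed by TLS-FS-1-2-Res-2019-08" shortly after the change usually means the new policy has not taken effect yet, so repeat the check after a few moments. A "not testable" result means your own OpenSSL build no longer speaks that version, not that the load balancer refused it.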