feat(elasticloadbalancingv2): add post-quantum TLS security policy

pahud · pahud · commit 2b45e1606c57 · 2025-12-12T12:48:52.000-05:00
- Add new `RECOMMENDED_TLS_PQ` enum value for post-quantum TLS policy
- Set policy to `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` with ML-KEM hybrid key exchange
- Update `getRecommendedTlsPolicy()` to return `RECOMMENDED_TLS_PQ` instead of `TLS13_12_RES_PQ`
- Add comprehensive JSDoc comments explaining post-quantum cryptography support
- Provides AWS-recommended security policy for quantum-resistant TLS connections
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts
@@ -117,6 +117,15 @@ export enum SslPolicy {
    */
   RECOMMENDED_TLS = 'ELBSecurityPolicy-TLS13-1-2-2021-06',
 
+  /**
+   * The recommended post-quantum security policy for TLS listeners.
+   * 
+   * This policy includes TLS 1.3 and 1.2 with post-quantum hybrid key exchange using ML-KEM.
+   * Restricted cipher suite for enhanced security with quantum resistance.
+   * AWS recommended policy for post-quantum cryptography.
+   */
+  RECOMMENDED_TLS_PQ = 'ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09',
+
   /**
    * The recommended policy for http listeners.
    * This is the default security policy for listeners created using the AWS CLI
@@ -443,7 +452,7 @@ export enum DesyncMitigationMode {
  */
 export function getRecommendedTlsPolicy(scope: Construct): string {
   if (FeatureFlags.of(scope).isEnabled(cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY)) {
-    return SslPolicy.TLS13_12_RES_PQ;
+    return SslPolicy.RECOMMENDED_TLS_PQ;
   }
   return SslPolicy.RECOMMENDED_TLS;
 }
