
Commit 2b45e16

feat(elasticloadbalancingv2): add post-quantum TLS security policy
- Add new `RECOMMENDED_TLS_PQ` enum value for post-quantum TLS policy - Set policy to `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` with ML-KEM hybrid key exchange - Update `getRecommendedTlsPolicy()` to return `RECOMMENDED_TLS_PQ` instead of `TLS13_12_RES_PQ` - Add comprehensive JSDoc comments explaining post-quantum cryptography support - Provides AWS-recommended security policy for quantum-resistant TLS connections
1 parent 50266ce commit 2b45e16


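--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts
@@ -117,6 +117,15 @@ export enum SslPolicy {
 */
 RECOMMENDED_TLS = 'ELBSecurityPolicy-TLS13-1-2-2021-06',
 
+/**
+* The recommended post-quantum security policy for TLS listeners.
+*
+* This policy includes TLS 1.3 and 1.2 with post-quantum hybrid key exchange using ML-KEM.
+* Restricted cipher suite for enhanced security with quantum resistance.
+* AWS recommended policy for post-quantum cryptography.
+*/
+RECOMMENDED_TLS_PQ = 'ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09',
+
 /**
 * The recommended policy for http listeners.
 * This is the default security policy for listeners created using the AWS CLI
@@ -443,7 +452,7 @@ export enum DesyncMitigationMode {
 */
 export function getRecommendedTlsPolicy(scope: Construct): string {
 if (FeatureFlags.of(scope).isEnabled(cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY)) {
-return SslPolicy.TLS13_12_RES_PQ;
+return SslPolicy.RECOMMENDED_TLS_PQ;
 }
 return SslPolicy.RECOMMENDED_TLS;
 }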
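Review bot: The new JSDoc on `RECOMMENDED_TLS_PQ` in the first hunk does not say how the member gets selected, while the second hunk shows `getRecommendedTlsPolicy()` returning it only when the `ELB_USE_POST_QUANTUM_TLS_POLICY` feature flag is enabled; the doc block should cross-reference that, e.g. `* Returned by getRecommendedTlsPolicy() when the ELB_USE_POST_QUANTUM_TLS_POLICY feature flag is enabled; otherwise RECOMMENDED_TLS is used.`. The removed `return SslPolicy.TLS13_12_RES_PQ;` implies an existing member for what appears to be the same policy; if it still exists with the same string value, the two members alias one ELB policy and one should be marked `@deprecated` or the doc should state the alias, so users do not read them as distinct policies. The sentence "Restricted cipher suite for enhanced security with quantum resistance." would serve operators better if it named the consequence — clients that do not support the restricted suite set cannot negotiate a connection — since a restrictive policy is a compatibility decision as well as a hardening one. The enclosing `SslPolicy` enum starts outside the first hunk; `getRecommendedTlsPolicy` is shown in full in the second.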
