@pahud (Contributor) commented Dec 4, 2025

Issue # (if applicable)

Closes #36283.

Reason for this change

AWS announced support for post-quantum (PQ) security policies for Application Load Balancers and Network Load Balancers on November 21, 2025. These policies use hybrid post-quantum key exchange with ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) to protect against "Harvest Now, Decrypt Later" attacks. The CDK's SslPolicy enum currently lacks these new policies, forcing users to use string literals and losing type safety.

Description of changes

Added 14 new post-quantum security policy enum values to the SslPolicy enum in packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts:

Standard TLS Policies with PQ:

  • TLS13_13_PQ - TLS 1.3 only with post-quantum hybrid key exchange
  • TLS13_12_PQ - TLS 1.2 and 1.3 with post-quantum hybrid key exchange
  • TLS13_12_RES_PQ - TLS 1.2 and 1.3 restricted cipher suite with PQ (AWS recommended)
  • TLS13_12_EXT1_PQ - TLS 1.2 and 1.3 extended cipher suite 1 with PQ
  • TLS13_12_EXT2_PQ - TLS 1.2 and 1.3 extended cipher suite 2 with PQ
  • TLS13_10_PQ - TLS 1.0 through 1.3 with post-quantum hybrid key exchange

FIPS-Compliant Policies with PQ:

  • FIPS_TLS13_13_PQ - TLS 1.3 only FIPS-compliant with PQ
  • FIPS_TLS13_12_PQ - TLS 1.2 and 1.3 FIPS-compliant with PQ
  • FIPS_TLS13_12_RES_PQ - TLS 1.2 and 1.3 restricted FIPS-compliant with PQ (AWS recommended for FIPS)
  • FIPS_TLS13_12_EXT0_PQ - TLS 1.2 and 1.3 extended cipher suite 0 FIPS-compliant with PQ
  • FIPS_TLS13_12_EXT1_PQ - TLS 1.2 and 1.3 extended cipher suite 1 FIPS-compliant with PQ
  • FIPS_TLS13_12_EXT2_PQ - TLS 1.2 and 1.3 extended cipher suite 2 FIPS-compliant with PQ
  • FIPS_TLS13_11_PQ - TLS 1.1 through 1.3 FIPS-compliant with PQ
  • FIPS_TLS13_10_PQ - TLS 1.0 through 1.3 FIPS-compliant with PQ

All enum values map to their corresponding AWS policy names (e.g., ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09) and include JSDoc comments describing their purpose and quantum resistance capabilities.

This is a purely additive change with no breaking changes. All existing enum values remain unchanged.

Description of changes to permissions

N/A - This change only adds enum values and does not modify IAM permissions or resource access patterns.

Description of how you validated changes

  • Unit tests: Verified enum values compile correctly and match AWS policy naming conventions
  • Integration tests: Confirmed enum values can be used in load balancer listener configurations
  • AWS CLI validation: Used aws elbv2 describe-ssl-policies to verify post-quantum policy names exist in AWS

Official AWS Documentation Proof:

All 14 policy names are documented in the official AWS ELB documentation:

The documentation explicitly lists all PQ policies in the "Protocols by policy" and "Ciphers by policy" tables, including:

  • Standard TLS policies: ELBSecurityPolicy-TLS13-1-3-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09, ELBSecurityPolicy-TLS13-1-0-PQ-2025-09
  • FIPS policies: ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09, ELBSecurityPolicy-TLS13-1-1-FIPS-PQ-2025-09, ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

AWS documentation states: "Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms."

Live AWS API Validation:

Validation script (poc.sh) confirmed 13 of 14 policies are currently available via the AWS API:

✓ ELBSecurityPolicy-TLS13-1-3-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-0-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09
✓ ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

Note: ELBSecurityPolicy-TLS13-1-1-FIPS-PQ-2025-09 is documented but not yet available in the live AWS API (may be rolling out or region-specific). All enum values match the official AWS documentation.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

- Add 6 new post-quantum hybrid key exchange SSL policies using ML-KEM
  * TLS13_13_PQ: TLS 1.3 only with quantum resistance
  * TLS13_12_PQ: TLS 1.2 and 1.3 with quantum resistance
  * TLS13_12_RES_PQ: Restricted cipher suite with quantum resistance
  * TLS13_12_EXT1_PQ: Extended cipher suite 1 with quantum resistance
  * TLS13_12_EXT2_PQ: Extended cipher suite 2 with quantum resistance
  * TLS13_10_PQ: TLS 1.0 through 1.3 with quantum resistance
- Add 8 new FIPS-compliant post-quantum cryptography SSL policies
  * FIPS_TLS13_13_PQ: FIPS TLS 1.3 only with quantum resistance
  * FIPS_TLS13_12_PQ: FIPS TLS 1.2 and 1.3 with quantum resistance
  * FIPS_TLS13_12_RES_PQ: FIPS restricted cipher suite with quantum resistance
  * FIPS_TLS13_12_EXT0_PQ: FIPS extended cipher suite 0 with quantum resistance
  * FIPS_TLS13_12_EXT1_PQ: FIPS extended cipher suite 1 with quantum resistance
  * FIPS_TLS13_12_EXT2_PQ: FIPS extended cipher suite 2 with quantum resistance
  * FIPS_TLS13_11_PQ: FIPS TLS 1.1 through 1.3 with quantum resistance
  * FIPS_TLS13_10_PQ: FIPS TLS 1.0 through 1.3 with quantum resistance
- Support AWS recommended post-quantum cryptography policies for enhanced security
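The enum-to-policy-name mapping described in this PR, as an added example that is not the PR's or aws-cdk-lib's own code: it holds the 14 names from the description in a plain map and parses each AWS policy name into the properties a reviewer would check (minimum TLS version, cipher set, FIPS, PQ), flagging the PQ policies that still admit TLS 1.0 or 1.1. The `PolicyProfile` type and the `parsePolicyName` and `legacyPqPolicies` functions are assumed names for this illustration.

```typescript
// Added example, not aws-cdk-lib or PR code: the 14 enum names from the PR
// mapped to the AWS policy names it lists (constructed from the description).
export const PQ_SSL_POLICIES: Record<string, string> = {
  TLS13_13_PQ: 'ELBSecurityPolicy-TLS13-1-3-PQ-2025-09',
  TLS13_12_PQ: 'ELBSecurityPolicy-TLS13-1-2-PQ-2025-09',
  TLS13_12_RES_PQ: 'ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09',
  TLS13_12_EXT1_PQ: 'ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09',
  TLS13_12_EXT2_PQ: 'ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09',
  TLS13_10_PQ: 'ELBSecurityPolicy-TLS13-1-0-PQ-2025-09',
  FIPS_TLS13_13_PQ: 'ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09',
  FIPS_TLS13_12_PQ: 'ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09',
  FIPS_TLS13_12_RES_PQ: 'ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09',
  FIPS_TLS13_12_EXT0_PQ: 'ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09',
  FIPS_TLS13_12_EXT1_PQ: 'ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09',
  FIPS_TLS13_12_EXT2_PQ: 'ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09',
  FIPS_TLS13_11_PQ: 'ELBSecurityPolicy-TLS13-1-1-FIPS-PQ-2025-09',
  FIPS_TLS13_10_PQ: 'ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09',
};

export interface PolicyProfile {
  minTls: string;       // lowest TLS version the policy still negotiates
  cipherSet: string;    // 'Default' | 'Res' | 'Ext0' | 'Ext1' | 'Ext2'
  fips: boolean;
  postQuantum: boolean; // hybrid ML-KEM key exchange offered
  legacyTls: boolean;   // TLS 1.0 or 1.1 still enabled
}

// Naming pattern seen in the PR: ELBSecurityPolicy-TLS13-<maj>-<min>[-Res|-ExtN][-FIPS][-PQ]-<YYYY>-<MM>
const NAME_RE = /^ELBSecurityPolicy-TLS13-(\d)-(\d)(?:-(Res|Ext\d))?(-FIPS)?(-PQ)?-\d{4}-\d{2}$/;

export function parsePolicyName(name: string): PolicyProfile | undefined {
  const m = NAME_RE.exec(name);
  if (!m) return undefined;
  const minTls = `${m[1]}.${m[2]}`;
  return {
    minTls,
    cipherSet: m[3] ?? 'Default',
    fips: m[4] !== undefined,
    postQuantum: m[5] !== undefined,
    legacyTls: minTls === '1.0' || minTls === '1.1',
  };
}

// PQ policies that still admit TLS 1.0/1.1: hybrid key exchange does not
// remove the weaknesses of those legacy protocol versions.
export function legacyPqPolicies(): string[] {
  return Object.keys(PQ_SSL_POLICIES)
    .filter(k => parsePolicyName(PQ_SSL_POLICIES[k])?.legacyTls === true);
}
```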
@aws-cdk-automation aws-cdk-automation requested a review from a team December 4, 2025 18:11
@github-actions github-actions bot added feature-request A feature should be added or improved. p2 labels Dec 4, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Dec 4, 2025
@aws-cdk-automation (Collaborator) left a comment (this review is outdated)

@pahud pahud changed the title feat(elbv2): add post-quantum cryptography SSL policies chore(elbv2): add post-quantum cryptography SSL policies Dec 4, 2025
@pahud pahud marked this pull request as ready for review December 4, 2025 18:16
@aws-cdk-automation aws-cdk-automation dismissed their stale review December 4, 2025 18:16

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Dec 4, 2025
Development

Successfully merging this pull request may close these issues.

(aws-elasticloadbalancingv2): Please add post-quantum security policies

2 participants