AWS ALB Security: TLS, Authentication, and Access Controls
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Application Load Balancers handle TLS termination, route traffic to your applications, and can even authenticate users before requests reach your backend. A properly configured ALB reduces the attack surface of your application layer significantly. A poorly configured one exposes you to downgrade attacks, credential theft, and unauthorized access.
TLS Termination
ALB terminates TLS connections and forwards traffic to your targets. Choose your security policy carefully. The ELBSecurityPolicy-TLS13-1-2-2021-06 policy permits only TLS 1.3 and TLS 1.2 with strong cipher suites. Avoid any policy that allows TLS 1.0 or 1.1 — these have known vulnerabilities and modern browsers do not need them.
Use ACM (AWS Certificate Manager) for your TLS certificates. ACM handles renewal automatically, so you never have an expired certificate causing an outage or forcing a fallback to HTTP. For domains managed outside Route 53, use DNS validation so renewal works without manual intervention.
If your targets support it, configure end-to-end encryption by enabling HTTPS on the target group as well. This means traffic is encrypted from the client to the ALB and from the ALB to your application. Use this when your compliance requirements mandate encryption in transit within the VPC.
ALB Authentication
ALB has built-in support for OpenID Connect (OIDC) and Amazon Cognito authentication. Configure an authentication action on your listener rules to require users to authenticate before their request reaches your application.
This offloads authentication from your application. The ALB handles the OIDC flow, validates tokens, and forwards authenticated requests with user claims in HTTP headers.
Set OnUnauthenticatedRequest to authenticate for endpoints that require login and to allow for public endpoints. The authentication session is stored in an ALB-managed cookie; its default timeout is 7 days, which is too long for most applications, so shorten it.
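The TLS and authentication settings above are all visible in the listener, rule and target-group descriptions the ELBv2 API returns, so they can be checked mechanically. The following is an added example for this article, not code from AWS or from HADESS: it audits dicts shaped like boto3's describe_listeners, describe_rules and describe_target_groups output for an unapproved security policy, a port-80 listener that does not redirect, a forward to a non-HTTPS target group, and an OIDC or Cognito session timeout above a chosen ceiling. The approved-policy allowlist, the 8-hour ceiling and every ARN, account id and endpoint in the sample data are assumptions constructed for the example.

```python
"""Audit ALB listener settings for the TLS and authentication points above.

The dicts mimic the shape of boto3 describe_listeners, describe_rules and
describe_target_groups responses (field names are the real API names; the
ARNs, account id and endpoints are constructed placeholders for this example).
"""

# Assumed allowlist of security policies that accept only TLS 1.2 and 1.3.
APPROVED_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
}
DEFAULT_SESSION_TIMEOUT = 7 * 24 * 3600  # ALB default: 7 days, in seconds
MAX_SESSION_TIMEOUT = 8 * 3600           # assumed ceiling for this example: 8 hours


def audit_listeners(listeners, rules_by_listener, target_groups):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    tg_protocol = {tg["TargetGroupArn"]: tg["Protocol"] for tg in target_groups}

    for lst in listeners:
        arn, proto, port = lst["ListenerArn"], lst["Protocol"], lst["Port"]

        if proto == "HTTPS":
            policy = lst.get("SslPolicy", "")
            if policy not in APPROVED_SSL_POLICIES:
                findings.append(f"{arn}: SslPolicy {policy!r} is not on the approved list")
        elif proto == "HTTP":
            # Port 80 is acceptable only when its default action redirects to HTTPS.
            redirects = [a for a in lst.get("DefaultActions", [])
                         if a["Type"] == "redirect"
                         and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"]
            if not redirects:
                findings.append(f"{arn}: HTTP listener on port {port} does not redirect to HTTPS")

        # Default actions plus the actions of every rule attached to the listener.
        actions = list(lst.get("DefaultActions", []))
        for rule in rules_by_listener.get(arn, []):
            actions.extend(rule.get("Actions", []))

        for act in actions:
            if act["Type"] == "forward":
                # A forward names one target group directly or several in ForwardConfig.
                tgs = [act["TargetGroupArn"]] if act.get("TargetGroupArn") else [
                    t["TargetGroupArn"] for t in act.get("ForwardConfig", {}).get("TargetGroups", [])]
                for tg in tgs:
                    tg_proto = tg_protocol.get(tg, "unknown")
                    if tg_proto != "HTTPS":
                        findings.append(f"{arn}: forwards to {tg} over {tg_proto}, not end-to-end TLS")
            elif act["Type"] in ("authenticate-oidc", "authenticate-cognito"):
                key = "AuthenticateOidcConfig" if act["Type"] == "authenticate-oidc" else "AuthenticateCognitoConfig"
                cfg = act[key]
                timeout = cfg.get("SessionTimeout", DEFAULT_SESSION_TIMEOUT)
                if timeout > MAX_SESSION_TIMEOUT:
                    findings.append(f"{arn}: SessionTimeout {timeout}s exceeds {MAX_SESSION_TIMEOUT}s")
                if cfg.get("OnUnauthenticatedRequest") == "allow":
                    findings.append(f"{arn}: OnUnauthenticatedRequest=allow, confirm the path is meant to be public")
    return findings


# Constructed sample data: one HTTPS listener with a legacy policy and a plain-HTTP
# default target, one HTTP listener that correctly redirects, and one OIDC rule that
# leaves SessionTimeout at the default.
PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111111111111"  # placeholder account
HTTPS_ARN = f"{PREFIX}:listener/app/demo/abc123/https443"
HTTP_ARN = f"{PREFIX}:listener/app/demo/abc123/http80"
TG_HTTP = f"{PREFIX}:targetgroup/demo-http/aaaa"
TG_HTTPS = f"{PREFIX}:targetgroup/demo-https/bbbb"

SAMPLE_LISTENERS = [
    {"ListenerArn": HTTPS_ARN, "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_HTTP}]},
    {"ListenerArn": HTTP_ARN, "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]
SAMPLE_RULES = {
    HTTPS_ARN: [{"Actions": [
        {"Type": "authenticate-oidc", "Order": 1, "AuthenticateOidcConfig": {
            "Issuer": "https://idp.example/", "ClientId": "placeholder-client",
            "OnUnauthenticatedRequest": "authenticate"}},
        {"Type": "forward", "Order": 2, "TargetGroupArn": TG_HTTPS},
    ]}],
}
SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": TG_HTTP, "Protocol": "HTTP"},
    {"TargetGroupArn": TG_HTTPS, "Protocol": "HTTPS"},
]


def audit_sample_listeners():
    return audit_listeners(SAMPLE_LISTENERS, SAMPLE_RULES, SAMPLE_TARGET_GROUPS)


if __name__ == "__main__":
    for finding in audit_sample_listeners():
        print(finding)
```

Against the sample data the audit reports three findings (legacy policy, plain-HTTP target group, default 7-day session) and accepts the port-80 redirect and the HTTPS target behind the OIDC rule. To run it against a real account, feed it the `Listeners`, `Rules` and `TargetGroups` lists from the corresponding boto3 calls.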
WAF Integration
Associate a WAF web ACL with your ALB to inspect and filter HTTP requests before they reach your application. The ALB forwards the request to WAF for evaluation, and WAF returns an allow or block decision.
WAF on ALB gives you protection against SQL injection, XSS, and other OWASP Top 10 attacks at the edge, before your application processes the request. Combine with rate-limiting rules to prevent abuse of your endpoints.
Access Logs
Enable ALB access logs and send them to an S3 bucket. Access logs capture the client IP, request URL, response code, target processing time, and TLS cipher used. These logs are essential for incident investigation and for identifying scanning or brute-force activity.
Access logs include ssl_cipher and ssl_protocol fields for auditing what TLS versions clients actually use. Set up S3 lifecycle policies to transition logs to Glacier after 90 days. Encrypt the bucket with a KMS key and block public access.
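The ssl_protocol and elb_status_code fields make two of the audits mentioned above straightforward: which TLS versions clients are really negotiating, and which client addresses are generating error bursts typical of scanning or credential guessing. The parser below is an added example written for this article, not tooling from AWS or HADESS. It follows the documented ALB access-log field order, splits quoted fields with shlex, and returns the clients still using TLS 1.0/1.1, a per-protocol count, and clients whose 4xx count crosses a threshold. The five log lines, the addresses, the account id and the ARNs are constructed placeholders, and the threshold of three is an assumption for the demonstration.

```python
"""Parse ALB access-log lines and flag weak TLS use and error bursts.

Field order follows the documented ALB access-log layout. The log lines
below are constructed for this example; addresses, account id and ARNs are
placeholders, not data from a real load balancer.
"""
import shlex
from collections import Counter

FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
    "target_port_list", "target_status_code_list", "classification", "classification_reason",
]

# Protocol versions that should disappear once the listener policy is tightened.
WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def parse_line(line):
    """Split one log line on whitespace, honouring quoted fields, and name the fields.

    Newer log versions append extra fields; zip() simply ignores anything past FIELDS.
    """
    return dict(zip(FIELDS, shlex.split(line)))


def analyze(lines, error_threshold=3):
    """Return (weak_tls_clients, protocol_counts, bursty_clients)."""
    weak_clients, proto_counts, errors_by_client = set(), Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        # client:port - split on the last colon so IPv6 addresses survive intact
        client_ip = rec["client_port"].rsplit(":", 1)[0]
        if rec["ssl_protocol"] != "-":  # "-" on plain-HTTP listeners
            proto_counts[rec["ssl_protocol"]] += 1
            if rec["ssl_protocol"] in WEAK_PROTOCOLS:
                weak_clients.add(client_ip)
        if rec["elb_status_code"].startswith("4"):
            errors_by_client[client_ip] += 1
    bursty = {ip for ip, n in errors_by_client.items() if n >= error_threshold}
    return weak_clients, proto_counts, bursty


# Constructed sample: one healthy TLS 1.2 client, one legacy TLS 1.0 client, and one
# client producing three 404s in a row.
ACCT = "111111111111"
TG = f"arn:aws:elasticloadbalancing:us-east-1:{ACCT}:targetgroup/demo-tg/aaaa"
CERT = f"arn:aws:acm:us-east-1:{ACCT}:certificate/placeholder"


def _line(client, status, path, cipher, proto, ua):
    return (f'https 2026-02-28T10:00:00.000000Z app/demo-alb/0123456789abcdef {client} '
            f'10.0.1.20:443 0.001 0.012 0.000 {status} {status} 120 512 '
            f'"GET https://app.example.com:443{path} HTTP/1.1" "{ua}" {cipher} {proto} {TG} '
            f'"Root=1-0000-1111" "app.example.com" "{CERT}" 0 2026-02-28T10:00:00.000000Z '
            f'"forward" "-" "-" "10.0.1.20:443" "{status}" "-" "-"')


SAMPLE_LOG = [
    _line("203.0.113.10:51234", 200, "/", "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", "Mozilla/5.0"),
    _line("198.51.100.7:4021", 200, "/", "ECDHE-RSA-AES128-SHA", "TLSv1", "LegacyClient/1.0"),
    _line("192.0.2.44:60001", 404, "/admin", "TLS_AES_128_GCM_SHA256", "TLSv1.3", "python-requests/2.31"),
    _line("192.0.2.44:60002", 404, "/setup", "TLS_AES_128_GCM_SHA256", "TLSv1.3", "python-requests/2.31"),
    _line("192.0.2.44:60003", 404, "/old", "TLS_AES_128_GCM_SHA256", "TLSv1.3", "python-requests/2.31"),
]


def analyze_sample_logs():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    weak, counts, bursty = analyze_sample_logs()
    print("weak TLS clients:", sorted(weak))
    print("protocol mix:", dict(counts))
    print("error-burst clients:", sorted(bursty))
```

On real logs, read each gzipped object from the S3 bucket and pass its lines to analyze(); the protocol mix tells you whether tightening the security policy would lock anyone out, and the error-burst set is a starting list for rate-limiting or investigation.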
Security Group Configuration
The ALB security group should allow inbound HTTPS (443) from the internet or your CDN and nothing else. Do not open port 80 unless you have a redirect rule sending HTTP to HTTPS. Your target security groups should only allow traffic from the ALB security group, not from the internet directly.
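The rule set in this section is small enough to verify programmatically. The checker below is an added example for this article, not code from AWS or HADESS: it takes dicts shaped like boto3's describe_security_groups output and reports any ALB ingress other than 443 from the expected sources (port 80 only when you have told it a redirect rule exists), and any target ingress that does not reference the ALB's security group. The group ids, CIDRs and ports in the sample are constructed placeholders.

```python
"""Check ALB and target security-group ingress against the rule set above.

The group dicts mimic the shape of boto3 describe_security_groups output
(IpPermissions, IpRanges, Ipv6Ranges and UserIdGroupPairs are the real field
names); the group ids, CIDRs and ports below are constructed placeholders.
"""


def _ports(perm):
    return perm.get("FromPort"), perm.get("ToPort")


def audit_alb_sg(sg, allowed_sources=("0.0.0.0/0",), http_redirect_configured=False):
    """Only 443 (and 80 when a redirect rule exists) from the expected sources is acceptable.

    allowed_sources lists the CIDRs permitted on 443: the internet, or your CDN's ranges.
    """
    findings = []
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] == "-1":
            findings.append(f"{sg['GroupId']}: allows all protocols and ports")
            continue
        lo, hi = _ports(perm)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if (lo, hi) == (443, 443):
            for src in sources:
                if src not in allowed_sources:
                    findings.append(f"{sg['GroupId']}: 443 open to unexpected source {src}")
        elif (lo, hi) == (80, 80):
            if not http_redirect_configured:
                findings.append(f"{sg['GroupId']}: port 80 open without an HTTP-to-HTTPS redirect rule")
        else:
            findings.append(f"{sg['GroupId']}: unexpected inbound port range {lo}-{hi}")
    return findings


def audit_target_sg(sg, alb_sg_id):
    """Targets must accept traffic only from the ALB's security group, never from CIDRs."""
    findings = []
    for perm in sg["IpPermissions"]:
        lo, hi = _ports(perm)
        if perm.get("IpRanges") or perm.get("Ipv6Ranges"):
            findings.append(f"{sg['GroupId']}: CIDR-based ingress on {lo}-{hi} bypasses the ALB")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != alb_sg_id:
                findings.append(f"{sg['GroupId']}: ingress from {pair['GroupId']} is not the ALB security group")
    return findings


# Constructed sample groups.
ALB_SG_ID = "sg-0aaaaaaaaaaaaaaaa"     # placeholder id
TARGET_SG_ID = "sg-0bbbbbbbbbbbbbbbb"  # placeholder id
OTHER_SG_ID = "sg-0cccccccccccccccc"   # placeholder id

SAMPLE_ALB_SG = {
    "GroupId": ALB_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}
SAMPLE_TARGET_SG = {
    "GroupId": TARGET_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": [{"GroupId": OTHER_SG_ID}]},
    ],
}


def audit_sample_groups():
    return audit_alb_sg(SAMPLE_ALB_SG), audit_target_sg(SAMPLE_TARGET_SG, ALB_SG_ID)


if __name__ == "__main__":
    for finding in audit_sample_groups()[0] + audit_sample_groups()[1]:
        print(finding)
```

For the sample the ALB group is flagged for port 80 (no redirect declared) and for port 22, and the target group for the 10.0.0.0/8 rule and the reference to a group other than the ALB's. Pass `http_redirect_configured=True` once the listener-level redirect exists and the port-80 finding disappears.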
Related Guides in This Series
- Active Directory Security: Attack Paths and Hardening — HADESS | 2026
- AWS CloudTrail: Log Analysis and Security Monitoring
- AWS CloudWatch for Security: Metrics, Alarms, and Log Analysis
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
