AWS ELB Security: Load Balancer Hardening and SSL Policies
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Elastic Load Balancing covers three types: Application Load Balancers (ALB), Network Load Balancers (NLB), and the legacy Classic Load Balancer (CLB). Each has different security characteristics. If you are still running Classic Load Balancers, the first security improvement is migrating to ALB or NLB. CLBs lack features like SNI, HTTP/2, and modern TLS policy support.
SSL/TLS Policy Selection
Every load balancer type supports TLS termination, but the security policy you choose determines which protocol versions and cipher suites are negotiated.
For ALBs, use ELBSecurityPolicy-TLS13-1-2-2021-06 or newer. This enforces TLS 1.2 and 1.3 only, with forward secrecy cipher suites. Older policies allowing TLS 1.0 should only be used for legacy clients you are actively migrating.
For NLBs with TLS listeners, the same policies apply. NLBs also support TCP passthrough for scenarios like mutual TLS (mTLS) where the backend verifies client certificates.
Audit your SSL policies regularly. Run an SSL Labs test against your endpoints. An A+ rating requires HSTS headers, strong cipher suites, and no protocol downgrade paths.
Cross-Zone Load Balancing
Cross-zone load balancing distributes traffic evenly across targets in all enabled Availability Zones. ALBs have this enabled by default. NLBs do not — enable it explicitly unless you have a specific reason for zone-isolated traffic patterns.
From a security perspective, cross-zone balancing affects how you handle AZ failures. If disabled, an AZ failure can overload targets in remaining zones, potentially creating availability issues that affect your security monitoring and response capabilities.
Connection Security
Configure idle timeout values based on your application’s requirements. The default is 60 seconds for ALBs. Too long keeps connections open unnecessarily; too short drops legitimate long-polling connections.
Enable HTTP desync mitigation mode on ALBs. Set the mode to strictest if your application works with it, or defensive as a minimum. Never use monitor in production — it logs desync issues but does not block them.
Enable drop invalid header fields on ALBs to discard requests with header names that contain invalid characters. This prevents header injection attacks that exploit non-standard characters.
Network Load Balancer Specifics
NLBs operate at Layer 4 and preserve the client’s source IP address by default. This is important for security logging — your backend sees the real client IP without needing X-Forwarded-For headers.
NLBs support security groups (added in 2023). Enable them to control which source IPs and ports can reach your load balancer. Before security group support, you had to rely entirely on target-level security groups and NACLs for network access control.
For private NLBs used as AWS PrivateLink endpoints, apply security groups that restrict access to authorized consumer VPCs only.
Monitoring and Logging
Enable access logging on all load balancers. For ALBs, logs go to S3 and include full request details. For NLBs, enable VPC Flow Logs, since NLBs do not have their own access log feature for TCP listeners.
Monitor CloudWatch metrics: UnHealthyHostCount (targets failing health checks might be compromised), HTTP_5XX_Count (spikes could indicate attack or compromise), and RejectedConnectionCount on NLBs.
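The TLS policy, connection security, NLB and logging rules above can be checked mechanically. The following audit helper is an added example, not AWS or HADESS code: it takes dicts shaped like the output of boto3's elbv2 describe_load_balancers, describe_listeners and describe_load_balancer_attributes calls, and the sample input, the approved-policy allow-list and the 30-120 s idle-timeout window are constructed assumptions.

```python
# Added audit helper (not AWS or HADESS code). Inputs mirror boto3 elbv2 describe_load_balancers,
# describe_listeners and describe_load_balancer_attributes output; sample data is constructed.

# Assumed allow-list: the policy named above plus its restricted and TLS-1.3-only variants.
APPROVED_TLS_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06",
                         "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
                         "ELBSecurityPolicy-TLS13-1-3-2021-06"}

def audit_load_balancer(lb, listeners, attributes):
    """Return 'FAIL: ...' / 'WARN: ...' strings; an empty list means the balancer passes."""
    attrs = {a["Key"]: a["Value"] for a in attributes}  # flatten [{Key, Value}, ...]
    findings = []
    tls_listeners = [x for x in listeners if x["Protocol"] in ("HTTPS", "TLS")]
    for lsn in tls_listeners:
        if lsn.get("SslPolicy") not in APPROVED_TLS_POLICIES:
            findings.append(f"FAIL: listener :{lsn['Port']} uses TLS policy {lsn.get('SslPolicy')}")
    if lb["Type"] == "application":
        mode = attrs.get("routing.http.desync_mitigation_mode", "defensive")  # AWS default
        if mode == "monitor":
            findings.append("FAIL: desync mitigation mode 'monitor' logs but does not block")
        elif mode != "strictest":
            findings.append(f"WARN: desync mitigation mode is '{mode}', not 'strictest'")
        if attrs.get("routing.http.drop_invalid_header_fields.enabled") != "true":
            findings.append("FAIL: drop_invalid_header_fields is disabled")
        idle = int(attrs.get("idle_timeout.timeout_seconds", "60"))
        if not 30 <= idle <= 120:  # assumed tolerable window; tune per application
            findings.append(f"WARN: idle timeout {idle}s is outside the 30-120s window")
    elif lb["Type"] == "network":
        if attrs.get("load_balancing.cross_zone.enabled") != "true":
            findings.append("WARN: cross-zone load balancing is disabled")
        if not lb.get("SecurityGroups"):
            findings.append("FAIL: no security groups attached")
    # S3 access logs cover ALBs and NLB TLS listeners; TCP-only NLBs rely on VPC Flow Logs instead.
    if (lb["Type"] == "application" or tls_listeners) and attrs.get("access_logs.s3.enabled") != "true":
        findings.append("FAIL: access logging to S3 is disabled")
    return findings

# Constructed sample: one modern and one legacy HTTPS listener, desync mode left at
# 'monitor', invalid-header dropping off, no access logs.
SAMPLE_ALB = {"Type": "application", "SecurityGroups": ["sg-0example"]}
SAMPLE_LISTENERS = [{"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
                    {"Port": 8443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"}]
SAMPLE_ATTRS = [{"Key": "routing.http.desync_mitigation_mode", "Value": "monitor"},
                {"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "false"},
                {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
                {"Key": "access_logs.s3.enabled", "Value": "false"}]

if __name__ == "__main__":
    print("\n".join(audit_load_balancer(SAMPLE_ALB, SAMPLE_LISTENERS, SAMPLE_ATTRS)))
```

Run it against every balancer in an account by feeding the real boto3 responses into the same function; TCP-only NLBs still need a separate check that VPC Flow Logs are enabled on their subnets.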
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
