Posted On: Nov 16, 2023

You can now use Elastic Load Balancing (ELB) service-specific condition keys in IAM policies to restrict configurations for Transport Layer Security (TLS) policy and IP-based access. This enhancement lets you enforce that users in your account follow the standards you have set for load balancer configurations.

For TLS, you can use the elasticloadbalancing:ListenerProtocol condition key to restrict users to listeners that support encryption (e.g. HTTPS/TLS only), and the elasticloadbalancing:SecurityPolicy condition key to permit only the TLS security policies you approve (e.g. TLS 1.3 security policies only). These controls can ensure that your users comply with your organization’s requirements for encryption.

For IP-based access controls, you can use the elasticloadbalancing:Scheme or elasticloadbalancing:Subnet condition keys to allow users to create only internal load balancers, which are not reachable from the internet. If you need additional flexibility, you can apply finer-grained controls with the elasticloadbalancing:SecurityGroup condition key, restricting users to approved security groups that allow known IPs only.
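The following identity policy is an added example (not from the announcement or from AWS documentation) that puts all five condition keys described above to work as explicit Deny statements, so it can sit beside whatever Allow statements already grant ELB permissions, or be lifted into an SCP. The action names and condition keys are the real ELB ones; the security policy name, subnet IDs and security group ID are placeholder values you would replace with your own approved set.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedListeners",
      "Effect": "Deny",
      "Action": "elasticloadbalancing:CreateListener",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "elasticloadbalancing:ListenerProtocol": ["HTTPS", "TLS"]
        }
      }
    },
    {
      "Sid": "DenyNonApprovedTlsPolicies",
      "Effect": "Deny",
      "Action": [
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:ModifyListener"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "elasticloadbalancing:SecurityPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"
        }
      }
    },
    {
      "Sid": "DenyInternetFacingLoadBalancers",
      "Effect": "Deny",
      "Action": "elasticloadbalancing:CreateLoadBalancer",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "elasticloadbalancing:Scheme": "internet-facing"
        }
      }
    },
    {
      "Sid": "DenyNonApprovedSubnets",
      "Effect": "Deny",
      "Action": [
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:SetSubnets"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "elasticloadbalancing:Subnet": [
            "subnet-0123456789abcdef0",
            "subnet-0fedcba9876543210"
          ]
        }
      }
    },
    {
      "Sid": "DenyNonApprovedSecurityGroups",
      "Effect": "Deny",
      "Action": [
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:SetSecurityGroups"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "elasticloadbalancing:SecurityGroup": "sg-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Two design points matter here. First, the listener-protocol statement uses plain StringNotEquals, which with a negated operator also matches when the key is absent from the request, so a CreateListener call must state an encrypted protocol to get through; the security-policy statement uses the IfExists suffix instead so that a ModifyListener call that does not touch the TLS policy (for example, one that only changes default actions) is not blocked. The cost of IfExists is that a request which does not carry the key at all is not caught by that statement, so test the behaviour of your real clients in a sandbox account before rolling it out. Second, Subnet and SecurityGroup are multivalued keys, so they need a set operator: ForAnyValue:StringNotEquals denies the request if any requested subnet or security group falls outside the approved list. For Gateway Load Balancers, only the Subnet statement applies.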

All five condition keys are available for Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB). Gateway Load Balancer (GWLB) supports the condition key that enforces subnets only.

The set of IAM condition keys is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD, at no additional charge.