Ensure that your Amazon Network Load Balancers (NLBs) are configured to terminate TLS traffic in order to optimize the performance of the backend servers while encrypting the communication between the load balancer and the associated targets (i.e. servers).
With Transport Layer Security (TLS) termination enabled, you can offload the encryption and decryption of TLS traffic from your backend application servers to your AWS Network Load Balancer, improving your backend servers' performance while keeping the workload secure. Also, by using the built-in security policies with optimal TLS versions and ciphers, the application or service behind your Network Load Balancer can achieve PCI and FedRAMP compliance.
To determine if your AWS Network Load Balancers (NLBs) are using TLS termination, perform the following actions:
To enable Transport Layer Security (TLS) termination for your AWS Network Load Balancers, update their listener configuration to support the TLS protocol (an X.509 SSL certificate is required). To add a TLS listener to your Amazon NLB, perform the following actions:
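The following audit script is an added example, not part of the original page or an AWS tool: it applies the check described above (does each NLB terminate TLS, and with which security policy) to the listener records that boto3's ELBv2 `describe_listeners` returns, so it runs offline on a constructed sample. The ARNs, the approved-policy set and the sample listeners are assumptions; replace them with a real `describe_listeners` call and your own policy baseline.

```python
"""Audit Network Load Balancer listeners for TLS termination.

Added example (not from the original page). Operates on the dict
structure returned by boto3's ELBv2 describe_listeners (the same
shape `aws elbv2 describe-listeners` prints), so it runs offline.
"""
from collections import defaultdict

# Assumption: an operator-chosen baseline of acceptable security
# policies, not an AWS recommendation list. Adjust to your own needs.
APPROVED_SSL_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06"}

# Constructed sample: two NLBs with listeners as describe_listeners returns them.
WEB_NLB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/web-nlb/1a2b3c"
API_NLB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/api-nlb/4d5e6f"
SAMPLE_LISTENERS = [
    {"ListenerArn": WEB_NLB.replace("loadbalancer", "listener") + "/l1",
     "LoadBalancerArn": WEB_NLB, "Port": 443, "Protocol": "TLS",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/sample"}],
     "SslPolicy": "ELBSecurityPolicy-2016-08"},        # TLS terminated, but with an older policy
    {"ListenerArn": API_NLB.replace("loadbalancer", "listener") + "/l1",
     "LoadBalancerArn": API_NLB, "Port": 443, "Protocol": "TCP"},  # plain TCP pass-through on 443
]


def audit_tls_termination(listeners, approved=APPROVED_SSL_POLICIES):
    """Return {load_balancer_arn: [finding, ...]}; an empty list means compliant.

    A load balancer passes when at least one listener uses Protocol "TLS",
    every TLS listener has a certificate, and every TLS listener uses an
    approved security policy.
    """
    by_lb = defaultdict(list)
    for lst in listeners:
        by_lb[lst["LoadBalancerArn"]].append(lst)
    findings = {}
    for lb_arn, lb_listeners in by_lb.items():
        issues = []
        tls = [lst for lst in lb_listeners if lst.get("Protocol") == "TLS"]
        if not tls:
            ports = sorted(lst["Port"] for lst in lb_listeners)
            issues.append(f"no TLS listener (ports {ports} are not terminating TLS)")
        for lst in tls:
            if not lst.get("Certificates"):
                issues.append(f"TLS listener on port {lst['Port']} has no certificate attached")
            policy = lst.get("SslPolicy")
            if policy not in approved:
                issues.append(f"TLS listener on port {lst['Port']} uses unapproved policy {policy}")
        findings[lb_arn] = issues
    return findings


if __name__ == "__main__":
    for lb_arn, issues in audit_tls_termination(SAMPLE_LISTENERS).items():
        print(lb_arn, "OK" if not issues else issues)
```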