(aws-elasticloadbalancingv2): Please add post-quantum security policies

[michael-k]

Describe the feature

Add post-quantum security policies available for Network Load Balancer (NLB) and/or Application Load Balancer (ALB), eg. ELBSecurityPolicy-TLS13-1-3-PQ-2025-09.

Announcement: https://aws.amazon.com/about-aws/whats-new/2025/11/network-load-balancers-post-quantum-key-exchange-tls/

Use Case

“I'm always frustrated when…” I cannot use the best security available. I'd love to be able to use ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 and other PQ policies.

Proposed Solution

Add PQ security policies to enum SslPolicy.

Other Information

Adding a custom NetworkListener to our code seems a bit much and others won't be able to benefit from PQ security policies.

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

ws-cdk-lib@2.231.0

AWS CDK CLI version

2.1033.0 (build 1ec3310)

Environment details (OS name and version, etc.)

Linux :) (but it doesn't really matter)

[pahud]

Hi @michael-k,

Thank you for bringing this to our attention! The post-quantum security policies were recently announced by AWS (November 21, 2025), and you're right that they should be added to the SslPolicy enum in the CDK.

This appears to be a straightforward enhancement that would add the new PQ security policy values to the existing enum. The change would be non-breaking since it's purely additive.

As a temporary workaround, you can use the policy string directly where the sslPolicy property accepts a string value, though this loses the type-safety benefits of the enum.

I'll submit an immediate PR for this.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.