feat(aws): add elbv2_listener_pqc_tls_enabled security check #11254

Draft
HugoPBrito wants to merge 2 commits into master from feat/elbv2-listener-pqc-tls-enabled


Conversation

@HugoPBrito (Member)

Context

"Harvest now, decrypt later" attacks capture TLS-encrypted traffic today with the intent to decrypt it once a cryptographically relevant quantum computer becomes available. Without post-quantum (PQ) TLS policies on ELBv2 listeners, sensitive data, credentials, and session tokens passing through load balancers are vulnerable to this forward-looking threat. AWS has published the ELBSecurityPolicy-TLS13-*-PQ-2025-09 policy family that adds hybrid key exchange (ML-KEM 768 + classical ECDHE), but the existing Prowler check elbv2_insecure_ssl_ciphers folds PQ policies into its generic "secure" allowlist without surfacing PQ readiness as a distinct signal.

Description

This check evaluates every ELBv2 HTTPS (ALB) or TLS (NLB) listener's SslPolicy against a configurable allowlist of post-quantum TLS policies. A load balancer passes when all its HTTPS/TLS listeners use a PQ policy from the approved set, and fails when any listener uses a policy outside that set — including modern but classical-only policies like ELBSecurityPolicy-TLS13-1-2-2021-06. HTTP listeners and non-TLS NLB listeners are skipped (no TLS termination). The PQ allowlist is configurable via elbv2_listener_pqc_tls_allowed_policies in aws_audit_config to accommodate future AWS policy releases. Remediation is to switch affected listeners to ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 or another approved PQ policy.

Steps to review

  1. Review the check implementation at prowler/providers/aws/services/elbv2/elbv2_listener_pqc_tls_enabled/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Review compliance framework mappings in prowler/compliance/aws/ to ensure the check is correctly mapped to relevant requirements
  4. Run the check tests: poetry run pytest tests/providers/aws/services/elbv2/elbv2_listener_pqc_tls_enabled/ -v
  5. Run the check against a real environment (if possible):
    prowler aws --check elbv2_listener_pqc_tls_enabled

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
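The pass/fail rule described in the PR body, modelled as an added example in plain Python (this is not Prowler's code and not the code in this PR; it does not use Prowler's Check/report classes). The listener records are constructed to look like the `Listeners` entries returned by `elbv2:DescribeListeners`, using only the `Protocol`, `SslPolicy` and `ListenerArn` fields. Assumptions not taken from the page: the default allowlist here contains only the single policy the PR names, a load balancer with no TLS-terminating listener yields no finding (`None`), a TLS listener that somehow lacks `SslPolicy` is treated as non-compliant, and all ARNs, account IDs and load balancer names are placeholders.

```python
"""Standalone model of the elbv2_listener_pqc_tls_enabled decision logic.

Added example, not Prowler's own code: a load balancer PASSES only when every
HTTPS (ALB) or TLS (NLB) listener uses a policy from the configured PQ
allowlist; any other policy on a TLS-terminating listener FAILS the whole
load balancer; HTTP/TCP/UDP listeners are skipped because they do not
terminate TLS and carry no SslPolicy.
"""
from dataclasses import dataclass, field

# ELBv2 listener protocols that terminate TLS on the listener.
TLS_TERMINATING_PROTOCOLS = {"HTTPS", "TLS"}

# Stand-in for `elbv2_listener_pqc_tls_allowed_policies` in aws_audit_config.
# The single entry is the policy named in the PR; the real default list is an
# assumption, not shown on the page. Add further members of the
# ELBSecurityPolicy-TLS13-*-PQ-2025-09 family (or later releases) here.
DEFAULT_PQ_POLICIES = ["ELBSecurityPolicy-TLS13-1-2-PQ-2025-09"]


@dataclass
class CheckResult:
    status: str                      # "PASS" or "FAIL"
    evaluated: int = 0               # TLS-terminating listeners inspected
    non_pq_listeners: list = field(default_factory=list)  # (ListenerArn, policy)


def evaluate_load_balancer(listeners, allowed_policies=None):
    """Evaluate one load balancer's listeners.

    Returns a CheckResult, or None when no listener terminates TLS (nothing to
    evaluate; emitting no finding in that case is an assumption of this example).
    """
    allowed = set(DEFAULT_PQ_POLICIES if allowed_policies is None else allowed_policies)
    result = CheckResult(status="PASS")
    for listener in listeners:
        if listener.get("Protocol") not in TLS_TERMINATING_PROTOCOLS:
            continue  # HTTP, TCP, UDP, TCP_UDP, GENEVE: no TLS termination
        result.evaluated += 1
        # Exact-match against the allowlist; a TLS listener without an SslPolicy
        # cannot be PQ-capable, so it is recorded as failing (assumption).
        policy = listener.get("SslPolicy") or "<no SslPolicy>"
        if policy not in allowed:
            result.status = "FAIL"
            result.non_pq_listeners.append((listener.get("ListenerArn"), policy))
    return result if result.evaluated else None


def _arn(kind, name, port):
    # Constructed listener ARNs: account ID and resource IDs are placeholders.
    return (f"arn:aws:elasticloadbalancing:us-east-1:123456789012:"
            f"listener/{kind}/{name}/0123456789abcdef/{port}")


# Constructed sample inventory covering each rule in the PR description.
SAMPLE_LOAD_BALANCERS = {
    "alb-pq": [  # HTTP listener skipped, HTTPS listener on a PQ policy -> PASS
        {"ListenerArn": _arn("app", "alb-pq", 80), "Protocol": "HTTP"},
        {"ListenerArn": _arn("app", "alb-pq", 443), "Protocol": "HTTPS",
         "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09"},
    ],
    "alb-classical": [  # modern but classical-only TLS 1.3 policy -> FAIL
        {"ListenerArn": _arn("app", "alb-classical", 443), "Protocol": "HTTPS",
         "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    ],
    "nlb-mixed": [  # one PQ and one classical TLS listener -> FAIL (any bad listener fails)
        {"ListenerArn": _arn("net", "nlb-mixed", 443), "Protocol": "TLS",
         "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09"},
        {"ListenerArn": _arn("net", "nlb-mixed", 8443), "Protocol": "TLS",
         "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
        {"ListenerArn": _arn("net", "nlb-mixed", 5000), "Protocol": "TCP"},
    ],
    "nlb-passthrough": [  # TCP only: no TLS termination -> no finding
        {"ListenerArn": _arn("net", "nlb-passthrough", 443), "Protocol": "TCP"},
    ],
}


def run_check(load_balancers=None, allowed_policies=None):
    """Map load balancer name -> "PASS" / "FAIL" / None (no TLS listener)."""
    load_balancers = SAMPLE_LOAD_BALANCERS if load_balancers is None else load_balancers
    findings = {}
    for name, listeners in load_balancers.items():
        result = evaluate_load_balancer(listeners, allowed_policies)
        findings[name] = None if result is None else result.status
    return findings


if __name__ == "__main__":
    for name, status in run_check().items():
        print(f"{name:16s} {status}")
```

The allowlist is the only thing consulted, which is what makes the check tolerant of future AWS policy releases: a listener on a policy name the config does not yet list fails, and adding that name to `elbv2_listener_pqc_tls_allowed_policies` is the operator-side fix without a code change. Note that a load balancer mixing one compliant and one classical TLS listener still fails as a whole, so the finding should list the offending listener ARNs, as `non_pq_listeners` does here.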

Hugo P.Brito added 2 commits May 20, 2026 12:46
Add new security check elbv2_listener_pqc_tls_enabled for aws provider.
Includes check implementation, metadata, and unit tests.
@github-actions github-actions Bot added the documentation, provider/aws (Issues/PRs related with the AWS provider), compliance (Issues/PRs related with the Compliance Frameworks) and metadata-review labels May 20, 2026
mintlify Bot (Contributor) commented May 20, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
prowler 🟢 Ready View Preview May 20, 2026, 11:49 AM


@github-actions (Contributor)

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions (Contributor)

✅ All necessary CHANGELOG.md files have been updated.

@github-actions (Contributor)

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • elbv2_listener_pqc_tls_enabled (aws): aws_well_architected_framework_security_pillar_aws, ccc_aws, csa_ccm_4.0_aws, ens_rd2022_aws, fedramp_moderate_revision_4_aws, ffiec_aws, gxp_21_cfr_part_11_aws, iso27001_2013_aws, kisa_isms_p_2023_aws, kisa_isms_p_2023_korean_aws, nist_800_171_revision_2_aws, nist_800_53_revision_5_aws, rbi_cyber_security_framework_aws, secnumcloud_3.2_aws

Use the no-compliance-check label to skip this check.

codecov Bot commented May 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 6.98%. Comparing base (6eebfcf) to head (6baf663).
⚠️ Report is 6 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (6eebfcf) and HEAD (6baf663). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (6eebfcf) HEAD (6baf663)
api 1 0
Additional details and impacted files
@@             Coverage Diff             @@
##           master   #11254       +/-   ##
===========================================
- Coverage   93.97%    6.98%   -86.99%     
===========================================
  Files         237      857      +620     
  Lines       34829    25086     -9743     
===========================================
- Hits        32729     1752    -30977     
- Misses       2100    23334    +21234     
Flag Coverage Δ
api ?
prowler-py3.10-aws 6.52% <100.00%> (?)
prowler-py3.10-config 6.98% <100.00%> (?)
prowler-py3.11-aws 6.52% <100.00%> (?)
prowler-py3.11-config 6.97% <100.00%> (?)
prowler-py3.12-aws 6.52% <100.00%> (?)
prowler-py3.12-config 6.97% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 6.98% <100.00%> (∅)
api ∅ <ø> (∅)

@github-actions (Contributor)

🔒 Container Security Scan

Image: prowler:c7c4aa9
Last scan: 2026-05-20 11:53:12 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 6
Total 6

5 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

