prowler-cloud · HugoPBrito · May 20, 2026 · May 20, 2026
@@ -438,6 +438,21 @@ mainConfig:
     # Minimum number of Availability Zones that an ELBv2 must be in
     elbv2_min_azs: 2
 
+    # aws.elbv2_listener_pqc_tls_enabled
+    # Allowed post-quantum TLS security policies for ELBv2 HTTPS/TLS listeners
+    elbv2_listener_pqc_tls_allowed_policies:
+      - "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-3-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09"
+      - "ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09"
+
 
     # AWS Secrets Configuration
     # Patterns to ignore in the secrets checks

@@ -55,6 +55,7 @@ The following list includes all the AWS checks with configurable variables that
 | `elasticache_redis_cluster_backup_enabled`                    | `minimum_snapshot_retention_period`              | Integer         |
 | `elb_is_in_multiple_az`                                       | `elb_min_azs`                                    | Integer         |
 | `elbv2_is_in_multiple_az`                                     | `elbv2_min_azs`                                  | Integer         |
+| `elbv2_listener_pqc_tls_enabled`                              | `elbv2_listener_pqc_tls_allowed_policies`        | List of Strings |
 | `guardduty_is_enabled`                                        | `mute_non_default_regions`                       | Boolean         |
 | `iam_user_access_not_stale_to_sagemaker`                      | `max_unused_sagemaker_access_days`               | Integer         |
 | `iam_user_accesskey_unused`                                   | `max_unused_access_keys_days`                    | Integer         |

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- `elbv2_listener_pqc_tls_enabled` check for aws provider [(#11254)](https://github.com/prowler-cloud/prowler/pull/11254)
 - `entra_app_registration_client_secret_unused` check for M365 provider [(#11232)](https://github.com/prowler-cloud/prowler/pull/11232)
 - `cloudsql_instance_cmek_encryption_enabled` check for GCP provider [(#11023)](https://github.com/prowler-cloud/prowler/pull/11023)
 - Google Workspace Groups service with 3 new checks [(#11186)](https://github.com/prowler-cloud/prowler/pull/11186)

@@ -1151,6 +1151,7 @@
         "elb_insecure_ssl_ciphers",
         "elb_ssl_listeners",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elbv2_ssl_listeners",
         "s3_bucket_secure_transport_policy"
       ]

@@ -49,6 +49,7 @@
         "elb_insecure_ssl_ciphers",
         "elb_ssl_listeners",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elbv2_ssl_listeners",
         "elbv2_nlb_tls_termination_enabled",
         "s3_bucket_secure_transport_policy",

@@ -1289,6 +1289,7 @@
         "elb_ssl_listeners",
         "elbv2_ssl_listeners",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elbv2_nlb_tls_termination_enabled",
         "cloudfront_distributions_https_enabled",
         "cloudfront_distributions_origin_traffic_encrypted",
@@ -1442,6 +1443,7 @@
         "acm_certificates_with_secure_key_algorithms",
         "elb_insecure_ssl_ciphers",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "cloudfront_distributions_using_deprecated_ssl_protocols"
       ]
     },

@@ -2366,7 +2366,8 @@
         }
       ],
       "Checks": [
-        "elbv2_insecure_ssl_ciphers"
+        "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled"
       ]
     },
     {
@@ -2389,7 +2390,8 @@
         }
       ],
       "Checks": [
-        "elbv2_insecure_ssl_ciphers"
+        "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled"
       ]
     },
     {

@@ -1145,6 +1145,7 @@
       "Checks": [
         "apigateway_restapi_client_certificate_enabled",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elb_ssl_listeners",
         "opensearch_service_domains_node_to_node_encryption_enabled",
         "s3_bucket_secure_transport_policy"
@@ -1164,6 +1165,7 @@
       "Checks": [
         "apigateway_restapi_client_certificate_enabled",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elb_ssl_listeners",
         "opensearch_service_domains_node_to_node_encryption_enabled",
         "s3_bucket_secure_transport_policy"

@@ -487,6 +487,7 @@
       "Checks": [
         "apigateway_restapi_client_certificate_enabled",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elb_ssl_listeners",
         "s3_bucket_secure_transport_policy"
       ]

@@ -266,6 +266,7 @@
         "ec2_ebs_default_encryption",
         "efs_encryption_at_rest_enabled",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elb_ssl_listeners",
         "opensearch_service_domains_encryption_at_rest_enabled",
         "opensearch_service_domains_node_to_node_encryption_enabled",

@@ -35,7 +35,8 @@
       ],
       "Checks": [
         "elb_insecure_ssl_ciphers",
-        "elbv2_insecure_ssl_ciphers"
+        "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled"
       ]
     },
     {

@@ -2040,6 +2040,7 @@
         "elb_ssl_listeners",
         "elb_ssl_listeners_use_acm_certificate",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elbv2_nlb_tls_termination_enabled",
         "elbv2_ssl_listeners",
         "glue_data_catalogs_connection_passwords_encryption_enabled",
@@ -3090,6 +3091,7 @@
         "elb_ssl_listeners_use_acm_certificate",
         "elbv2_desync_mitigation_mode",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elbv2_internet_facing",
         "elbv2_listeners_underneath",
         "elbv2_logging_enabled",

@@ -2042,6 +2042,7 @@
         "elb_ssl_listeners",
         "elb_ssl_listeners_use_acm_certificate",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elbv2_nlb_tls_termination_enabled",
         "elbv2_ssl_listeners",
         "glue_data_catalogs_connection_passwords_encryption_enabled",
@@ -3093,6 +3094,7 @@
         "elb_ssl_listeners_use_acm_certificate",
         "elbv2_desync_mitigation_mode",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elbv2_internet_facing",
         "elbv2_listeners_underneath",
         "elbv2_logging_enabled",

@@ -653,6 +653,7 @@
         "apigateway_restapi_client_certificate_enabled",
         "ec2_ebs_volume_encryption",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "opensearch_service_domains_node_to_node_encryption_enabled",
         "s3_bucket_default_encryption",
         "s3_bucket_secure_transport_policy"

@@ -5262,6 +5262,7 @@
       "Checks": [
         "apigateway_restapi_client_certificate_enabled",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elb_ssl_listeners",
         "opensearch_service_domains_node_to_node_encryption_enabled",
         "s3_bucket_secure_transport_policy"
@@ -5549,6 +5550,7 @@
       ],
       "Checks": [
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elb_ssl_listeners"
       ]
     },

@@ -40,6 +40,7 @@
         "ec2_instance_public_ip",
         "efs_encryption_at_rest_enabled",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "elb_ssl_listeners",
         "ec2_ebs_default_encryption",
         "emr_cluster_master_nodes_no_public_ip",

@@ -474,6 +474,7 @@
         "elbv2_ssl_listeners",
         "elb_insecure_ssl_ciphers",
         "elbv2_insecure_ssl_ciphers",
+        "elbv2_listener_pqc_tls_enabled",
         "redshift_cluster_in_transit_encryption_enabled",
         "elasticache_redis_cluster_in_transit_encryption_enabled",
         "dynamodb_accelerator_cluster_in_transit_encryption_enabled",

@@ -380,6 +380,21 @@ aws:
   # Minimum number of Availability Zones that an ELBv2 must be in
   elbv2_min_azs: 2
 
+  # aws.elbv2_listener_pqc_tls_enabled
+  # Allowed post-quantum TLS security policies for ELBv2 HTTPS/TLS listeners
+  elbv2_listener_pqc_tls_allowed_policies:
+    - "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-3-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09"
+
   # AWS Elasticache Configuration
   # aws.elasticache_redis_cluster_backup_enabled
   # Minimum number of days that a Redis cluster must have backups retention period

@@ -0,0 +1,42 @@
+{
+  "Provider": "aws",
+  "CheckID": "elbv2_listener_pqc_tls_enabled",
+  "CheckTitle": "ELBv2 post-quantum TLS policy protects HTTPS/TLS listeners from future quantum decryption",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "elbv2",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "low",
+  "ResourceType": "AwsElbv2LoadBalancer",
+  "ResourceGroup": "network",
+  "Description": "**ELBv2 HTTPS and TLS listeners** are assessed for use of **post-quantum (PQ) TLS security policies**. Listeners whose `SslPolicy` is not in the approved PQ set lack hybrid key exchange (ML-KEM 768 + ECDHE), leaving recorded traffic vulnerable to future quantum decryption.",
+  "Risk": "Without PQ-ready TLS policies, encrypted traffic captured today can be stored and decrypted once a **cryptographically relevant quantum computer** exists (**harvest now, decrypt later** attack). This threatens long-term **confidentiality** of sensitive data, credentials, and session tokens transmitted through the load balancer.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html",
+    "https://aws.amazon.com/security/post-quantum-cryptography/",
+    "https://csrc.nist.gov/projects/post-quantum-cryptography"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aws elbv2 modify-listener --listener-arn <listener_arn> --ssl-policy ELBSecurityPolicy-TLS13-1-2-PQ-2025-09",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::ElasticLoadBalancingV2::Listener\n    Properties:\n      LoadBalancerArn: <example_resource_arn>\n      Protocol: HTTPS\n      Port: 443\n      DefaultActions:\n        - Type: forward\n          TargetGroupArn: <example_resource_arn>\n      Certificates:\n        - CertificateArn: <example_certificate_arn>\n      SslPolicy: ELBSecurityPolicy-TLS13-1-2-PQ-2025-09  # FIX: uses a post-quantum TLS policy\n```",
+      "Other": "1. In the AWS Console, go to EC2 > Load Balancers\n2. Select the load balancer and open the Listeners tab\n3. Select the HTTPS/TLS listener and choose Edit\n4. Set Security policy to ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 (or any approved PQ policy)\n5. Save changes",
+      "Terraform": "```hcl\nresource \"aws_lb_listener\" \"<example_resource_name>\" {\n  load_balancer_arn = \"<example_resource_arn>\"\n  port              = 443\n  protocol          = \"HTTPS\"\n  ssl_policy        = \"ELBSecurityPolicy-TLS13-1-2-PQ-2025-09\" # FIX: post-quantum TLS policy\n  certificate_arn   = \"<example_certificate_arn>\"\n\n  default_action {\n    type             = \"forward\"\n    target_group_arn = \"<example_resource_arn>\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Migrate all ELBv2 HTTPS and TLS listeners to a **post-quantum TLS policy** (`ELBSecurityPolicy-TLS13-*-PQ-2025-09` family) to enable hybrid key exchange (ML-KEM + ECDHE). Periodically review and update policies as AWS publishes new PQ-ready options.",
+      "Url": "https://hub.prowler.com/check/elbv2_listener_pqc_tls_enabled"
+    }
+  },
+  "Categories": [
+    "encryption"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "elbv2_insecure_ssl_ciphers"
+  ],
+  "Notes": ""
+}
@@ -0,0 +1,63 @@
+"""Check that ELBv2 HTTPS/TLS listeners use post-quantum TLS policies."""
+
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.elbv2.elbv2_client import elbv2_client
+
+PQ_TLS_POLICIES_DEFAULT = [
+    "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-3-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09",
+    "ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09",
+]
+
+
+class elbv2_listener_pqc_tls_enabled(Check):
+    """Verify that every ELBv2 HTTPS or TLS listener uses a post-quantum TLS policy.
+
+    This check evaluates whether each HTTPS (ALB) or TLS (NLB) listener on an
+    ELBv2 load balancer terminates TLS with a security policy that offers
+    post-quantum (PQ) hybrid key exchange (ML-KEM 768 combined with ECDHE).
+    - PASS: All HTTPS/TLS listeners on the load balancer use a PQ TLS policy.
+    - FAIL: At least one HTTPS/TLS listener uses a non-PQ TLS policy.
+    """
+
+    def execute(self) -> list[Check_Report_AWS]:
+        """Execute the PQ TLS policy check for every ELBv2 load balancer.
+
+        Returns:
+            A list of reports, one per load balancer that has HTTPS/TLS listeners.
+        """
+        findings = []
+        pq_tls_policies = elbv2_client.audit_config.get(
+            "elbv2_listener_pqc_tls_allowed_policies", PQ_TLS_POLICIES_DEFAULT
+        )
+        for lb in elbv2_client.loadbalancersv2.values():
+            has_tls_listeners = False
+            non_pq_policies = []
+            for listener in lb.listeners.values():
+                if listener.protocol in ("HTTPS", "TLS"):
+                    has_tls_listeners = True
+                    if listener.ssl_policy not in pq_tls_policies:
+                        non_pq_policies.append(listener.ssl_policy)
+
+            if not has_tls_listeners:
+                continue
+
+            report = Check_Report_AWS(metadata=self.metadata(), resource=lb)
+            if non_pq_policies:
+                report.status = "FAIL"
+                report.status_extended = f"ELBv2 {lb.name} has HTTPS/TLS listeners without post-quantum TLS policy ({', '.join(non_pq_policies)})."
+            else:
+                report.status = "PASS"
+                report.status_extended = f"ELBv2 {lb.name} has all HTTPS/TLS listeners using a post-quantum TLS policy."
+
+            findings.append(report)
+
+        return findings
@@ -313,6 +313,19 @@ def mock_prowler_get_latest_release(_, **_kwargs):
     "minimum_snapshot_retention_period": 7,
     "elb_min_azs": 2,
     "elbv2_min_azs": 2,
+    "elbv2_listener_pqc_tls_allowed_policies": [
+        "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-3-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09",
+        "ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09",
+    ],
     "secrets_ignore_patterns": [],
     "max_days_secret_unused": 90,
     "max_days_secret_unrotated": 90,

@@ -362,6 +362,21 @@ aws:
   # Minimum number of Availability Zones that an ELBv2 must be in
   elbv2_min_azs: 2
 
+  # aws.elbv2_listener_pqc_tls_enabled
+  # Allowed post-quantum TLS security policies for ELBv2 HTTPS/TLS listeners
+  elbv2_listener_pqc_tls_allowed_policies:
+    - "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-3-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09"
+    - "ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09"
+
   # AWS Elasticache Configuration
   # aws.elasticache_redis_cluster_backup_enabled
   # Minimum number of days that a Redis cluster must have backups retention period