An HTTPS listener that uses a certificate that is managed by AWS Certificate Manager (ACM).
An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
Explanations:
While using a certificate managed by ACM is good practice, it does not by itself protect past TLS traffic if the private key were leaked. The certificate alone cannot guarantee that previously captured sessions remain confidential.
Configuring the listener with a custom security policy that allows only Perfect Forward Secrecy (PFS) cipher suites (those using ephemeral key exchange) ensures that each session key is unique and is not derived from the server's private key. Previously captured traffic therefore remains confidential even if the certificate's private key is leaked.
The predefined security policy ELBSecurityPolicy-TLS-1-2-2017-01 enforces TLS 1.2 and strong ciphers, but it does not guarantee the use of Perfect Forward Secrecy (PFS), which is required to keep past TLS traffic secure.
A TCP listener does not terminate the TLS connection; it passes the encrypted traffic through to the targets, so no listener security policy applies and it cannot enforce TLS-specific features such as Perfect Forward Secrecy (PFS), which is necessary to protect past TLS traffic.