diff --git a/aws/platform/README.md b/aws/platform/README.md
index ef5b717f..cc3eb63d 100644
--- a/aws/platform/README.md
+++ b/aws/platform/README.md
@@ -174,6 +174,7 @@ You can then use it to manually edit the aws-auth ConfigMap:
 | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
 | [custom\_groups](#input\_custom\_groups) | List of custom RBAC groups to be assigned to an IAM role for custom cluster privileges, | `map(list(string))` | `{}` | no |
 | [custom\_roles](#input\_custom\_roles) | Additional IAM roles which have custom cluster privileges | `map(string)` | `{}` | no |
+| [default\_ssl\_policy](#input\_default\_ssl\_policy) | The default SSL policy to use for the load balancer | `string` | `null` | no |
 | [domain\_names](#input\_domain\_names) | Domains which are allowed in this cluster | `list(string)` | `[]` | no |
 | [external\_dns\_enabled](#input\_external\_dns\_enabled) | Set to true to enable External DNS | `bool` | `false` | no |
 | [external\_dns\_values](#input\_external\_dns\_values) | Overrides to pass to the Helm chart | `list(string)` | `[]` | no |
diff --git a/aws/platform/main.tf b/aws/platform/main.tf
index ea4ccce0..9afad7c2 100644
--- a/aws/platform/main.tf
+++ b/aws/platform/main.tf
@@ -69,14 +69,15 @@ module "common_platform" {
 module "aws_load_balancer_controller" {
 source = "./modules/load-balancer-controller"
 
- aws_namespace = [module.cluster_name.full]
- aws_tags = var.aws_tags
- chart_values = var.aws_load_balancer_controller_values
- chart_version = var.aws_load_balancer_controller_version
- cluster_full_name = module.cluster_name.full
- k8s_namespace = var.k8s_namespace
- oidc_issuer = data.aws_ssm_parameter.oidc_issuer.value
- vpc_cidr_block = module.network.vpc.cidr_block
+ aws_namespace = [module.cluster_name.full]
+ aws_tags = var.aws_tags
+ chart_values = var.aws_load_balancer_controller_values
+ chart_version = var.aws_load_balancer_controller_version
+ cluster_full_name = module.cluster_name.full
+ default_ssl_policy = var.default_ssl_policy
+ k8s_namespace = var.k8s_namespace
+ oidc_issuer = data.aws_ssm_parameter.oidc_issuer.value
+ vpc_cidr_block = module.network.vpc.cidr_block
 
 depends_on = [module.common_platform]
 }
diff --git a/aws/platform/modules/load-balancer-controller/README.md b/aws/platform/modules/load-balancer-controller/README.md
index 2c632620..2832c284 100644
--- a/aws/platform/modules/load-balancer-controller/README.md
+++ b/aws/platform/modules/load-balancer-controller/README.md
@@ -48,6 +48,7 @@ target group bound to the Istio ingress gateway service.
 | [chart\_values](#input\_chart\_values) | Overrides to pass to the Helm chart | `list(string)` | `[]` | no |
 | [chart\_version](#input\_chart\_version) | Version of chart to install | `string` | `null` | no |
 | [cluster\_full\_name](#input\_cluster\_full\_name) | Full name of the cluster in which the chart is installed | `string` | n/a | yes |
+| [default\_ssl\_policy](#input\_default\_ssl\_policy) | The default SSL policy to use for the load balancer | `string` | `null` | no |
 | [k8s\_namespace](#input\_k8s\_namespace) | Kubernetes namespace in which resources will be written | `string` | `"default"` | no |
 | [name](#input\_name) | Name for the release | `string` | `"aws-load-balancer-controller"` | no |
 | [oidc\_issuer](#input\_oidc\_issuer) | OIDC issuer of the Kubernetes cluster | `string` | n/a | yes |
diff --git a/aws/platform/modules/load-balancer-controller/main.tf b/aws/platform/modules/load-balancer-controller/main.tf
index 77b69937..4b77524a 100644
--- a/aws/platform/modules/load-balancer-controller/main.tf
+++ b/aws/platform/modules/load-balancer-controller/main.tf
@@ -90,6 +90,8 @@ locals {
 "eks.amazonaws.com/role-arn" = module.service_account_role.arn
 }
 }
+
+ defaultSSLPolicy = coalesce(var.default_ssl_policy, "ELBSecurityPolicy-2016-08")
 })
 ]
 }
diff --git a/aws/platform/modules/load-balancer-controller/variables.tf b/aws/platform/modules/load-balancer-controller/variables.tf
index 2a6e9402..f8528667 100644
--- a/aws/platform/modules/load-balancer-controller/variables.tf
+++ b/aws/platform/modules/load-balancer-controller/variables.tf
@@ -66,3 +66,9 @@ variable "vpc_cidr_block" {
 type = string
 description = "CIDR block for the AWS VPC in which the load balancer runs"
 }
+
+variable "default_ssl_policy" {
+ type = string
+ description = "The default SSL policy to use for the load balancer"
+ default = null
+}
\ No newline at end of file
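Review bot: The fallback chosen in the added `defaultSSLPolicy` line, `ELBSecurityPolicy-2016-08`, still negotiates TLS 1.0 and TLS 1.1 with their legacy cipher suites, so every listener the controller creates without an explicit per-Ingress ssl-policy annotation will accept them whenever `var.default_ssl_policy` is left null. This appears to mirror the chart's own default, but since the whole point of exposing the variable is to let operators tighten the policy, the module's fallback should itself be a TLS 1.2-minimum policy, e.g. `defaultSSLPolicy = coalesce(var.default_ssl_policy, "ELBSecurityPolicy-TLS13-1-2-2021-06")`, with a comment such as `# Fallback must remain TLS 1.2+ only; ELBSecurityPolicy-2016-08 still permits TLS 1.0/1.1`. If the older policy is kept deliberately for legacy clients, that decision should be recorded in a comment on the same line so it is not "fixed" by accident later. The enclosing `locals` block starts and ends outside this hunk.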
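Review bot: The description on the new `default_ssl_policy` variable in modules/load-balancer-controller/variables.tf does not say what a null value means or what form the string takes, so a caller cannot tell that leaving it unset silently falls back to a hard-coded policy in main.tf. I would write `description = "Predefined ELB security policy name applied to listeners that set no ssl-policy annotation; null falls back to the module's built-in default"` and add a `validation` block that rejects values not starting with `ELBSecurityPolicy-`, so a typo fails at plan time instead of at listener creation. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.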
diff --git a/aws/platform/variables.tf b/aws/platform/variables.tf
index 943b7b47..fdd3f2fe 100644
--- a/aws/platform/variables.tf
+++ b/aws/platform/variables.tf
@@ -74,6 +74,12 @@ variable "custom_roles" {
 default = {}
 }
 
+variable "default_ssl_policy" {
+ type = string
+ description = "The default SSL policy to use for the load balancer"
+ default = null
+}
+
 variable "domain_names" {
 type = list(string)
 default = []
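Review bot: The platform-level `default_ssl_policy` description is the one operators actually read, yet it repeats the module's one-liner and says nothing about the fallback or the expected value, so nobody setting up a cluster learns that omitting it leaves the load balancer on the module's built-in policy. I would make it `description = "Predefined ELB security policy name (e.g. a TLS 1.2+ policy) used for load balancer listeners; null means the load-balancer-controller module's default"`. Beyond the description, the variable follows the same shape as its neighbours and needs no other change.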