What is the best way to force all "AWS::ElasticLoadBalancingV2::Listener" (in particular the application load balancer) to use at least TLS 1.2 at the organization level with a large number of subaccounts?
I've tried to create an SCP, but the Condition for SslPolicy is not supported (maybe it's not written exactly this way; I've used what I saw in CloudTrail, and I'm writing from memory).
I've also tried to use a guard v2.x.x rule in AWS Config, but in the end I found out that this resource is not supported by it either: https://aws.amazon.com/premiumsupport/knowledge-center/config-resource-non-compliant/
I've also found a similar rule in Control Tower, but it is only for the Classic Load Balancer: https://docs.aws.amazon.com/controltower/latest/userguide/elb-rules.html#ct-elasticloadbalancing-pr-12-rule
I think that it can be implemented by creating a custom rule with a Lambda in AWS Config; at least there is "AWS::ElasticLoadBalancingV2::Listener" in the resource types, which should trigger the Lambda on a resource change event of this type. But then you have to write the Lambda code, give it cross-account permissions, etc., which is not very nice or flexible, because it will be necessary to implement all this for all accounts in the organization, the number of which is growing, etc.
Any other ideas?
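As an added example (not the asker's code, and not an AWS-supplied rule), here is what the evaluation half of the custom AWS Config rule sketched in the question could look like: a Lambda handler that receives the change notification for an AWS::ElasticLoadBalancingV2::Listener, reads the listener's protocol and security-policy name, and reports NON_COMPLIANT unless the policy's minimum protocol version is TLS 1.2 or higher. The assumptions are labelled in the code: the configuration item exposes the listener protocol and policy under "protocol"/"sslPolicy" (PascalCase accepted too), and the policy name encodes its minimum version the way the ELBSecurityPolicy-TLS-1-2-*, -FS-1-2-*, -TLS13-1-2-* and -TLS13-1-3-* names do; any name that does not fit that convention is treated as non-compliant rather than silently passed. The sample events are constructed for the offline run; `config_client` is injected so the same logic runs without boto3, and in the deployed function it would be the real Config client whose `put_evaluations` call reports the result.

```python
"""Custom AWS Config rule logic: ALB/NLB TLS listeners must use a security policy
whose minimum protocol version is TLS 1.2 or higher.

Added example, not the asker's code. ASSUMPTIONS: the configuration item for
AWS::ElasticLoadBalancingV2::Listener carries the protocol and policy under
"protocol"/"sslPolicy" (or PascalCase), and ELB security policy names encode
their minimum version as in ELBSecurityPolicy-TLS-1-2-2017-01.
"""
import json
import re
from datetime import datetime, timezone

LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener"
MIN_ALLOWED = (1, 2)  # TLS 1.2

# Minimum-version segment of a policy name: "-TLS-1-2-", "-FS-1-2-", "-TLS13-1-2-",
# "-TLS13-1-3-". Names without it (e.g. ELBSecurityPolicy-2016-08, which still
# accepts TLS 1.0) do not match and are failed closed by evaluate_listener().
_MIN_VERSION_RE = re.compile(r"^ELBSecurityPolicy-(?:TLS13|TLS|FS)-(\d)-(\d)(?:-|$)")


def policy_min_tls_version(policy_name):
    """Return (major, minor) minimum TLS version encoded in the policy name, or None."""
    m = _MIN_VERSION_RE.match(policy_name or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def _field(cfg, *names):
    """First present key among the candidate spellings (assumed casing variants)."""
    for name in names:
        if name in cfg:
            return cfg[name]
    return None


def evaluate_listener(item):
    """Map one listener configuration item to a Config compliance type plus annotation."""
    cfg = item.get("configuration") or {}
    protocol = (_field(cfg, "protocol", "Protocol") or "").upper()
    if protocol not in ("HTTPS", "TLS"):
        return "NOT_APPLICABLE", f"listener protocol {protocol or 'unknown'} does not terminate TLS"
    policy = _field(cfg, "sslPolicy", "SslPolicy")
    version = policy_min_tls_version(policy)
    if version is None:
        # Fail closed: an unrecognised or missing policy name is not proof of TLS 1.2.
        return "NON_COMPLIANT", f"security policy {policy!r} has no recognised TLS 1.2+ minimum"
    if version < MIN_ALLOWED:
        return "NON_COMPLIANT", f"security policy {policy} allows TLS {version[0]}.{version[1]}"
    return "COMPLIANT", f"security policy {policy} requires TLS {version[0]}.{version[1]}+"


def lambda_handler(event, context, config_client=None):
    """Entry point for a change-triggered custom rule; returns the evaluation it reports."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item.get("resourceType") != LISTENER_TYPE:
        compliance, note = "NOT_APPLICABLE", "not an ELBv2 listener"
    else:
        compliance, note = evaluate_listener(item)
    evaluation = {
        "ComplianceResourceType": item.get("resourceType", LISTENER_TYPE),
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item.get("configurationItemCaptureTime")
        or datetime.now(timezone.utc).isoformat(),
    }
    if config_client is not None:  # the deployed function passes boto3.client("config")
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _sample_event(ssl_policy, protocol="HTTPS"):
    """Constructed sample invoking event shaped like a Config change notification."""
    item = {
        "resourceType": LISTENER_TYPE,
        "resourceId": "arn:aws:elasticloadbalancing:eu-west-1:111122223333:"
        "listener/app/example/0123456789abcdef/0123456789abcdef",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"Protocol": protocol, "SslPolicy": ssl_policy},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}), "resultToken": "constructed-token"}


if __name__ == "__main__":
    for name in ("ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04",
                 "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-TLS13-1-3-2021-06"):
        result = lambda_handler(_sample_event(name), None)
        print(f"{name:45s} {result['ComplianceType']:14s} {result['Annotation']}")
```

The rule only decides compliance; it does not remediate, so a listener created with a weak policy shows up as NON_COMPLIANT in Config (and in the aggregator, if one is set up) rather than being changed. Pairing it with the protocol check matters because plain HTTP listeners have no SslPolicy at all, and reporting those as NON_COMPLIANT would bury the real findings.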