Elastic Beanstalk deploy has TLS 1.0 and 1.1 enabled. Need TLS 1.2 only

Is there a way to ensure that the Elastic Beanstalk deploy sets the Load Balancer Cipher to ELBSecurityPolicy-TLS-1-2-2017-01 I(TLSv1.2 only) and not ELBSecurityPolicy-2016-08? (allows TLSv1 and TLSv1.1).

It made us fail our PCI Scans.

If I manually update the Load Balancer, will Elastic Beanstalk reset it to ELBSecurityPolicy-2016-08?
Is there anyway to update the Beanstalk to only use ELBSecurityPolicy-TLS-1-2-2017-01?


Big bump. Our instance just failed a scan because of TLS 1.0.