TLS 1.2 Becoming the Minimum TLS Protocol Level on AWS

AWS recently announced that TLS 1.2 is going to become the minimum protocol level for API endpoints. The cloud provider will remove backward compatibility and support for versions 1.0 and 1.1 on all APIs and regions by June 2023.

Janelle Hopper, senior technical program manager at AWS, Daniel Salzedo, senior specialist technical account manager at AWS, and Ben Sherman, software development engineer at AWS, explain:

We have continued AWS support for TLS versions 1.0 and 1.1 to maintain backward compatibility for customers that have older or difficult to update clients, such as embedded devices. Furthermore, we have active mitigations in place that help protect your data for the issues identified in these older versions. Now is the right time to retire TLS 1.0 and 1.1, because increasing numbers of customers have requested this change to help simplify part of their regulatory compliance, and there are fewer and fewer customers using these older versions.

According to the cloud provider, 95% of AWS customers are already using more recent cryptographic protocols, and the most common source of TLS 1.0 or 1.1 traffic today is .NET Framework versions earlier than 4.6.2. Colm MacCárthaigh, VP and distinguished engineer at AWS, tweets:

At AWS we almost never turn anything off, but TLS1.0 and TLS1.1 are on the chopping block! Very few customers still use these versions, and you can check CloudTrail logs to see if you have any requests using them.

Steven Murdoch, professor of security engineering at UCL and Royal Society research fellow, warns that most TLS 1.1 connections might already be unwanted ones:

When considering mandating TLS 1.2 on benthamsgaze.org I found a non-trivial number of TLS 1.1 connections. On further investigation, every single one was trying to exploit some non-existent vulnerability. I was not sad to lose this traffic.

Using the recently added tlsDetails field, AWS CloudTrail logs can be monitored to identify whether outdated TLS versions are still in use. AWS recommends parsing the records with CloudTrail Lake, CloudWatch Logs Insights or Athena. CloudWatch Logs Insights has two new sample queries that find log entries where TLS 1.0 or 1.1 was used and count the calls per service that used outdated TLS versions.
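As an added example (not part of the InfoQ article and not AWS's own sample queries), the following Python script applies the same check offline to a batch of CloudTrail records: it flags entries whose `tlsDetails.tlsVersion` is TLS 1.0 or 1.1, counts them per service, and lists the client user agents behind them so the legacy client can be located. The record layout follows the CloudTrail JSON format (`Records`, `eventSource`, `eventName`, `userAgent`, `tlsDetails.tlsVersion`); the sample records, IP addresses and user agents are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample CloudTrail export (not real log data). The field names
# follow CloudTrail's record format; values are invented for illustration.
SAMPLE_LOG = json.dumps({
    "Records": [
        {"eventTime": "2023-01-10T12:00:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
         "userAgent": "aws-sdk-dotnet-45/3.3.0",
         "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "ECDHE-RSA-AES128-SHA"}},
        {"eventTime": "2023-01-10T12:01:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.11",
         "userAgent": "embedded-device-agent/1.0",
         "tlsDetails": {"tlsVersion": "TLSv1.1", "cipherSuite": "ECDHE-RSA-AES256-SHA"}},
        {"eventTime": "2023-01-10T12:02:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "PutObject", "sourceIPAddress": "203.0.113.12",
         "userAgent": "aws-cli/2.9.0",
         "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}},
        {"eventTime": "2023-01-10T12:03:00Z", "eventSource": "sts.amazonaws.com",
         "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.13",
         "userAgent": "aws-sdk-go/1.44.0",
         "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256"}},
        # Some events carry no tlsDetails at all; the code must tolerate that.
        {"eventTime": "2023-01-10T12:04:00Z", "eventSource": "iam.amazonaws.com",
         "eventName": "ListUsers", "sourceIPAddress": "203.0.113.14",
         "userAgent": "console.amazonaws.com"},
        {"eventTime": "2023-01-10T12:05:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListObjects", "sourceIPAddress": "203.0.113.10",
         "userAgent": "aws-sdk-dotnet-45/3.3.0",
         "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "ECDHE-RSA-AES128-SHA"}},
    ]
})

# Protocol versions AWS is retiring; CloudTrail writes them as "TLSv1" and "TLSv1.1".
OUTDATED_TLS = {"TLSv1", "TLSv1.1"}


def load_records(text):
    """Parse a CloudTrail log file (JSON with a top-level 'Records' array)."""
    return json.loads(text)["Records"]


def outdated_tls_events(records):
    """Yield records whose negotiated TLS version is 1.0 or 1.1.

    Records without a tlsDetails block are skipped rather than treated as
    outdated, since the field simply is not populated for every event type.
    """
    for rec in records:
        details = rec.get("tlsDetails") or {}
        if details.get("tlsVersion") in OUTDATED_TLS:
            yield rec


def count_by_service(records):
    """Number of outdated-TLS calls per service endpoint (eventSource)."""
    return Counter(rec["eventSource"] for rec in outdated_tls_events(records))


def outdated_clients(records):
    """Distinct (service, user agent, TLS version) triples behind outdated calls.

    The user agent is usually the quickest way to identify which client
    library or device needs upgrading before the cut-off date.
    """
    return sorted({(rec["eventSource"], rec.get("userAgent", "<unknown>"),
                    rec["tlsDetails"]["tlsVersion"])
                   for rec in outdated_tls_events(records)})


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for service, n in count_by_service(recs).most_common():
        print(f"{service}: {n} outdated-TLS call(s)")
    for service, agent, version in outdated_clients(recs):
        print(f"  {service} <- {agent} ({version})")
```

Run against a real CloudTrail export, the per-service counts correspond to what the CloudWatch Logs Insights "calls per service" sample query reports, and the user-agent listing narrows the result down to the specific client that still negotiates the old protocol.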

Source: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/

AWS CLI version 2 already enforces TLS 1.2, which is also the minimum version required for all AWS FIPS endpoints. AWS warns that while most customers still using TLS 1.0 or 1.1 will be notified, not every scenario can be detected by the cloud provider:

If we detect that you are using TLS 1.0 or 1.1, you will be notified on your AWS Health Dashboard, and you will receive email notifications. However, you will not receive a notification for connections you make anonymously to AWS shared resources, such as a public Amazon S3 bucket, because we cannot identify anonymous connections. Furthermore (...) there is a possibility that we may not detect infrequent connections, such as those that occur less than monthly.

To minimize the availability impact of requiring TLS 1.2, AWS is rolling out the changes on an endpoint-by-endpoint basis over the coming months. After June 28, 2023, AWS will update the endpoint configuration even if customers still have connections using older versions.
