In a March 2020 blog post, we told you about work Amazon Web Services (AWS) was undertaking to update all of our AWS Federal Information Processing Standard (FIPS) endpoints to a minimum of Transport Layer Security (TLS) 1.2 across all AWS Regions. Today, we’re happy to announce that over 40 services have been updated and now require TLS 1.2:
- Amazon Athena
- Amazon API Gateway
- Amazon Comprehend Medical
- Amazon Connect
- Amazon EC2 Image Builder
- Amazon Elastic Block Store (Amazon EBS) direct APIs
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Amazon FSx
- Amazon GuardDuty
- Amazon Macie
- Amazon MQ
- Amazon Pinpoint
- Amazon QuickSight
- Amazon Textract
- Amazon Transcribe
- Amazon Translate
- AWS Backup
- AWS Batch
- AWS Certificate Manager Private Certificate Authority (PCA)
- AWS Cloud Map
- AWS Database Migration Service (AWS DMS)
- AWS DataSync
- AWS Elastic Beanstalk
- AWS Elemental MediaConvert
- AWS Elemental MediaLive
- AWS Glue
- AWS Ground Station
- AWS Health
- AWS Identity and Access Management (IAM) Access Analyzer
- AWS IoT Greengrass
- AWS Key Management Service (AWS KMS)
- AWS Lake Formation
- AWS Lambda
- AWS OpsWorks
- AWS Outposts
- AWS Resource Groups
- AWS Security Hub
- AWS Serverless Application Repository
- AWS Shield
- AWS Storage Gateway
- AWS Transfer Family
- AWS WAF
These services no longer support using TLS 1.0 or TLS 1.1 on their FIPS endpoints. To help you meet your compliance needs, we are updating all AWS FIPS endpoints to a minimum of TLS 1.2 across all Regions. We will continue to update our services to support only TLS 1.2 or later on AWS FIPS endpoints, which you can check on the AWS FIPS webpage. This change doesn’t affect non-FIPS AWS endpoints.
When you make a connection from your client application to an AWS service endpoint, the client provides its TLS minimum and TLS maximum versions. The AWS service endpoint will always select the highest version that the client offers and the endpoint supports, so a client whose maximum is TLS 1.1 can no longer complete a handshake with these FIPS endpoints.
What is TLS?
What is FIPS 140-2?
FIPS 140-2 is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information.
What are AWS FIPS endpoints?
All AWS services offer TLS 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints for customers who need to use FIPS validated cryptographic libraries to connect to AWS services.
Why are we upgrading to TLS 1.2?
Our upgrade to TLS 1.2 across all Regions reflects our ongoing commitment to help customers meet their compliance needs.
Is there more assistance available to help verify or update client applications?
If you’re using an AWS software development kit (AWS SDK), you can find information about how to properly configure the minimum and maximum TLS versions for your clients in the following AWS SDK topics:
- AWS SDK for .NET: AWS .NET SDK for supporting TLS 1.2 or AWS SDK for .NET repository on GitHub.
- AWS SDK for PHP: AWS PHP SDK for supporting TLS 1.2
- AWS SDK for Python (Boto3): AWS Python SDK for supporting TLS 1.2
- AWS Command Line Interface (AWS CLI) for Python: AWS Python CLI for supporting TLS 1.2
- AWS SDK for Go: AWS Go SDK for supporting TLS 1.2
- AWS SDK for C++: AWS C++ SDK for supporting TLS 1.2
- AWS SDK for Ruby: AWS Ruby SDK for supporting TLS 1.2
- AWS SDK for Java 2.x: AWS Java v2 SDK for supporting TLS 1.2
- AWS SDK for Java 1.x: AWS Java v1 SDK for supporting TLS 1.2
You can also visit Tools to Build on AWS and browse by programming language to find the relevant SDK. AWS Support tiers cover development and production issues for AWS products and services, along with other key stack components. AWS Support doesn’t include code development for client applications.
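As an added example (not code from this post or from any AWS SDK), the following stdlib-only Python script models the version selection described above and probes which protocol versions an endpoint still accepts, which is the check to run against your FIPS endpoints before and after updating a client. The hostname is a placeholder you must replace with the FIPS endpoint you call.

```python
import socket
import ssl
from typing import Dict, Optional

# Placeholder, not a real hostname: substitute the FIPS endpoint you use
# (see the AWS FIPS webpage for the list).
EXAMPLE_HOST = "<service>-fips.<region>.amazonaws.com"

# TLSVersion is an IntEnum, so the members compare in protocol order.
ORDER = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
         ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def negotiate(client_min, client_max, server_min, server_max) -> Optional[ssl.TLSVersion]:
    """Model of the selection rule: the endpoint picks the highest version that
    lies inside both the client's and the server's range, or refuses the
    handshake (None) when the ranges do not overlap."""
    low = max(client_min, server_min)
    high = min(client_max, server_max)
    return high if low <= high else None


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context with the floor the post requires: TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_version(host: str, version: ssl.TLSVersion, port: int = 443,
                  timeout: float = 5.0) -> bool:
    """Attempt a handshake pinned to exactly one protocol version.
    True means the endpoint completed the handshake at that version. False
    means this client could not negotiate it, whether because the endpoint
    refused it or because the local OpenSSL build no longer enables it."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_endpoint(host: str) -> Dict[str, bool]:
    """Report acceptance of each version; an updated FIPS endpoint should show
    TLSv1 and TLSv1_1 as False."""
    return {v.name: probe_version(host, v) for v in ORDER}


if __name__ == "__main__":
    print(probe_endpoint(EXAMPLE_HOST))
```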