To improve security for data in transit, AWS will update all of our AWS Federal Information Processing Standard (FIPS) endpoints to a minimum Transport Layer Security (TLS) version TLS 1.2 over the next year. This update will deprecate the ability to use TLS 1.0 and TLS 1.1 on all FIPS endpoints across all AWS Regions by March 31, 2021. No other AWS endpoints are affected by this change.
As outlined in the AWS Shared Responsibility Model, security and compliance is a shared responsibility between AWS and our customers. When a customer makes a connection from their client application to an AWS service endpoint, the client provides its TLS minimum and TLS maximum version. The AWS service endpoint selects the maximum version offered.
What should customers do to prepare for this update?
Customers should confirm that their client applications support TLS 1.2 by verifying it is encapsulated between the clients’ minimum and the maximum TLS versions. We encourage customers to be proactive with security standards in order to avoid any impact to availability and to protect the integrity of their data in transit. Also, we recommend configuration changes should be tested in a staging environment, before introduction into production workloads.
When will these changes happen?
To minimize the impact to our customers who use TLS 1.0 and TLS 1.1, AWS is rolling out changes on a service-by-service basis between now and the end of March 2021. For each service, after a 30-day period during which no connections are detected, AWS will deploy a configuration change to remove support for them. After March 31, 2021, AWS may update the endpoint configuration to remove TLS 1.0 and 1.1, even if we detect customer connections. Additional reminders will be provided before these updates are final.
What are AWS FIPS endpoints?
All AWS services offer Transport Layer Security (TLS) 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints for customers that require use of FIPS validated cryptographic libraries.
What is Transport Layer Security (TLS)?
Is there more assistance available to help verify or update client applications?
Customers using an AWS Software Development Kit (AWS SDK) can find information about how to properly configure their client’s minimum and maximum TLS versions on the following topics in the AWS SDKs:
- AWS SDK for .NET: AWS .NET SDK for supporting TLS 1.2 or AWS SDK for .NET repository on GitHub.
- AWS SDK for PHP SDK: AWS PHP SDK for supporting TLS 1.2
- AWS SDK for Python (Boto Documentation): AWS Python SDK for supporting TLS 1.2
- AWS CLI for Python: AWS Python CLI for supporting TLS 1.2
- AWS SDK for Go: AWS Go SDK for supporting TLS 1.2
- AWS SDK for C++: AWS C++ SDK for supporting TLS 1.2
- AWS SDK for Ruby: AWS Ruby SDK for supporting TLS 1.2
- AWS SDK for Java v2: AWS Java v2 SDK for supporting TLS 1.2
- AWS SDK for Java v1: AWS Java v1 SDK for supporting TLS 1.2
Or see Tools to Build on AWS, and browse by programming language to find the relevant SDK.
Additionally, AWS IQ enables customers to find, securely collaborate with, and pay AWS Certified third-party experts for on-demand project work. Visit the AWS IQ page for information about how to submit a request, get responses from experts, and choose the expert with the right skills and experience. Log into your console and select Get Started with AWS IQ to start a request.
The AWS Technical Support tiers cover development and production issues for AWS products and services, along with other key stack components. AWS Support does not include code development for client applications.
If you have any questions or issues, please start a new thread on one of the AWS Forums, or contact AWS Support or your Technical Account Manager (TAM). If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.
Amazon Web Services