AWS Security Blog
TLS 1.2 to become the minimum for all AWS FIPS endpoints
November 10, 2022: This project was successfully completed in March 2021. TLS 1.2 is now the minimum version supported for all connections to AWS FIPS service endpoints.
Note that we will be implementing the same policy for non-FIPS endpoints by June 2023. If you also use these endpoints, see https://thinkwithwp.com/blogs/security/tls-1-2-required-for-aws-endpoints/ for details.
June 8, 2022: We’ve updated this blog post to reflect newly available AWS Software Development Kit (AWS SDK) guidance for configuring TLS versions.
March 4, 2021: We’ve released a new TLS blog post with an example of TLS version detection using a packet capture.
June 12, 2020: We’ve updated this blog post to include a link to the list of AWS services that require a minimum of TLS 1.2 for FIPS Endpoints.
To help you meet your compliance and regulatory needs, AWS will update all of our AWS Federal Information Processing Standard (FIPS) endpoints to a minimum Transport Layer Security (TLS) version of TLS 1.2 over the next year. This update will deprecate the ability to use TLS 1.0 and TLS 1.1 on all FIPS endpoints across all AWS Regions by March 31, 2021. No other AWS endpoints are affected by this change.
As outlined in the AWS Shared Responsibility Model, security and compliance are a shared responsibility between AWS and our customers. When a customer's client application connects to an AWS service endpoint, the client advertises its minimum and maximum supported TLS versions, and the AWS service endpoint selects the highest version offered that it also supports.
What should customers do to prepare for this update?
Customers should confirm that their client applications support TLS 1.2 by verifying that TLS 1.2 falls between the client's configured minimum and maximum TLS versions. We encourage customers to be proactive with security standards in order to avoid any impact to availability and to protect the integrity of their data in transit. We also recommend testing configuration changes in a staging environment before introducing them into production workloads.
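The two paragraphs above describe a simple model: the client offers a minimum-to-maximum range of TLS versions and the endpoint picks the highest one it also supports, so a client whose range stops at TLS 1.1 will fail to connect once the endpoint requires TLS 1.2. The following is an added example, not code from the original post or from any AWS SDK; it models that negotiation, implements the readiness check the post asks for, and shows the standard-library `ssl` setting that enforces a TLS 1.2 floor on a Python client. The version ranges and the `FIPS_ENDPOINT_POLICY` constant are constructed for illustration; the endpoint's maximum version is an assumption.

```python
import ssl
from enum import IntEnum


class TlsVersion(IntEnum):
    """TLS protocol versions, ordered oldest to newest so they compare naturally."""
    TLS1_0 = 10
    TLS1_1 = 11
    TLS1_2 = 12
    TLS1_3 = 13


# Constructed server-side policy for a FIPS endpoint after the change: TLS 1.2
# minimum. The TLS 1.3 maximum is an assumption made for this example only.
FIPS_ENDPOINT_POLICY = (TlsVersion.TLS1_2, TlsVersion.TLS1_3)


def negotiate(client_range, server_range):
    """Model the negotiation the post describes.

    The client offers (minimum, maximum); the server accepts the highest
    version both sides support. Returns None when the ranges do not overlap,
    which on the wire is a failed handshake rather than a downgrade.
    """
    client_min, client_max = client_range
    server_min, server_max = server_range
    highest_common = min(client_max, server_max)
    if highest_common < max(client_min, server_min):
        return None
    return highest_common


def client_supports_tls12(client_range):
    """The readiness check: TLS 1.2 must lie between the client's minimum
    and maximum configured versions, otherwise the endpoint change will
    break this client."""
    client_min, client_max = client_range
    return client_min <= TlsVersion.TLS1_2 <= client_max


def hardened_client_context():
    """Build a client-side ssl.SSLContext that will not negotiate TLS 1.0/1.1.

    This uses the standard-library API (ssl.TLSVersion.TLSv1_2), not an AWS
    SDK option; the SDK-specific settings are in the guidance linked in the post.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_rejects_legacy_tls(ctx):
    """True when the context's floor is at least TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    # Constructed client configurations: a legacy client capped at TLS 1.1 and
    # a client that still allows 1.0 but can reach 1.2.
    legacy_client = (TlsVersion.TLS1_0, TlsVersion.TLS1_1)
    ready_client = (TlsVersion.TLS1_0, TlsVersion.TLS1_2)
    for name, rng in (("legacy", legacy_client), ("ready", ready_client)):
        chosen = negotiate(rng, FIPS_ENDPOINT_POLICY)
        print(f"{name}: supports TLS 1.2={client_supports_tls12(rng)}, "
              f"negotiated={chosen.name if chosen else 'handshake failure'}")
    print("hardened context floor >= TLS 1.2:",
          context_rejects_legacy_tls(hardened_client_context()))
```

Note that a client whose maximum is TLS 1.2 but whose minimum is TLS 1.0 still passes the check and still connects; raising the client's own minimum, as `hardened_client_context` does, is what additionally protects against downgrade toward other peers.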
When will these changes happen?
To minimize the impact to our customers who use TLS 1.0 and TLS 1.1, AWS is rolling out changes on a service-by-service basis between now and the end of March 2021. For each service, after a 30-day period during which no connections are detected, AWS will deploy a configuration change to remove support for TLS 1.0 and TLS 1.1 for that service. After March 31, 2021, AWS may update the endpoint configuration to remove TLS 1.0 and TLS 1.1 support, even if we detect customer connections. Additional reminders will be provided before these updates are final.
What are AWS FIPS endpoints?
All AWS services offer Transport Layer Security (TLS) 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints for customers that require the use of FIPS validated cryptographic libraries.
Where can I find which AWS Services require a minimum version of TLS 1.2 for FIPS Endpoints?
A list of AWS services that require a minimum version of TLS 1.2 for FIPS Endpoints can be found on the FIPS page.
What is Transport Layer Security (TLS)?
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication across a computer network. API calls to AWS services are secured using TLS.
Is there more assistance available to help verify or update client applications?
Customers using an AWS Software Development Kit (AWS SDK) can find information about how to properly configure their client’s minimum and maximum TLS versions on the following topics in the AWS SDKs:
- AWS SDK for .NET: AWS .NET SDK for enforcing a minimum TLS version or AWS SDK for .NET repository on GitHub.
- AWS SDK for PHP: AWS PHP SDK for enforcing a minimum TLS version
- AWS SDK for Python (Boto Documentation): AWS Python SDK for enforcing a minimum TLS version
- AWS CLI: AWS CLI for enforcing a minimum TLS version using Python
- AWS SDK for Go v1: AWS Go SDK for enforcing a minimum TLS version
- AWS SDK for Go v2: AWS Go SDK for enforcing a minimum TLS version
- AWS SDK for C++: AWS C++ SDK for enforcing a minimum TLS version
- AWS SDK for Ruby: AWS Ruby SDK for enforcing a minimum TLS version
- AWS SDK for Java v3: AWS SDK for Java v3 for enforcing a minimum TLS version
- AWS SDK for Java v2: AWS Java v2 SDK for enforcing a minimum TLS version
- AWS SDK for Java v1: AWS Java v1 SDK for enforcing a minimum TLS version
- AWS SDK for JavaScript: AWS JavaScript SDK for enforcing a minimum TLS version
- AWS SDK for Rust: AWS SDK for Rust for enforcing a minimum TLS version
Or see Tools to Build on AWS, and browse by programming language to find the relevant SDK.
Additionally, AWS IQ enables customers to find, securely collaborate with, and pay AWS Certified third-party experts for on-demand project work. Visit the AWS IQ page for information about how to submit a request, get responses from experts, and choose the expert with the right skills and experience. Log in to your console and select Get Started with AWS IQ to start a request.
The AWS Technical Support tiers cover development and production issues for AWS products and services, along with other key stack components. AWS Support does not include code development for client applications.
If you have any questions or issues, please start a new thread on one of the AWS Forums, or contact AWS Support or your Technical Account Manager (TAM). If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.
Sincerely,
Amazon Web Services