How do I allow access to my Amazon S3 buckets to customers who do not use TLS 1.2 or higher?


My customers don't use TLS versions 1.2 or higher, so they can't access content that's stored in my Amazon Simple Storage Service (Amazon S3) buckets. I want to allow these customers to access content in my Amazon S3 buckets using TLS 1.0 or 1.1.

Short description

AWS enforces the use of TLS 1.2 or higher on all AWS API endpoints. To continue to connect to AWS services, update all software that uses TLS 1.0 or 1.1.

Resolution

Amazon CloudFront lets your customers keep connecting with older TLS versions: CloudFront terminates the customer's TLS 1.0 or 1.1 connection and opens its own connection to Amazon S3, so customers are abstracted from the TLS protocol that's used between your CloudFront distribution and Amazon S3.

Create a CloudFront distribution with OAC

With CloudFront, you can support anonymous and public requests to your S3 buckets. Or, you can make your S3 buckets private and accessible through CloudFront only by requiring signed requests to access your S3 buckets.

Support anonymous and public requests to your S3 buckets

Note: The following example assumes that you already have an S3 bucket in use. If you don't have an S3 bucket, then create one.

To create the CloudFront distribution, follow these steps:

  1. Open the CloudFront console.
  2. Choose Create Distribution.
  3. Under Origin, for Origin domain, choose your S3 bucket's REST API endpoint from the dropdown list.
  4. For Viewer protocol policy, select Redirect HTTP to HTTPS.
  5. For Allowed HTTP endpoints, select GET, HEAD, OPTIONS to support read requests.
  6. In the Origin access section, select Origin access control settings (recommended).
  7. Select Create control setting, and use the default name. For the signing behavior, select Sign requests (recommended), and select Create. The recommended OAC settings automatically authenticate the viewer's request.
  8. Select the identity in the dropdown list. After the distribution is created, update the bucket policy to restrict access to OAC.
  9. Under Default cache behavior, Viewer, select Redirect HTTP to HTTPS for Viewer Protocol Policy, and leave the other settings as default.
  10. Under Cache key and origin requests, select Cache policy and origin request policy (recommended). Then, use CachingOptimized for the Cache policy and CORS-S3Origin for the Origin request policy.
  11. Select Create distribution, and then wait for its status to update to Enabled.

Require signed requests to access your S3 buckets

Add security to your S3 buckets by supporting signed requests only. With signed requests, OAC follows your authentication parameters and forwards them to the S3 origin, which then denies anonymous requests.

To create a CloudFront distribution that requires signed requests to access your S3 buckets, follow these steps:

  1. Open the CloudFront console.
  2. Choose Create Distribution.
  3. Under Origin, for Origin domain, choose your S3 bucket's REST API endpoint from the dropdown list.
  4. For Viewer protocol policy, select Redirect HTTP to HTTPS.
  5. For Allowed HTTP endpoints, select GET, HEAD, OPTIONS to support read requests.
  6. In the Origin access section, select Origin access control settings (recommended).
  7. Block all unsigned requests by checking the Do not sign requests option.
    Note: Blocking unsigned requests requires every customer to sign their requests so that the S3 origin can evaluate the permissions.
  8. Create a custom cache policy to forward the customer's Authorization header to the origin.
  9. Under Cache key and origin requests, select Cache policy and origin request policy (recommended).
  10. Select Create Policy.
  11. Enter a name for the cache policy in the Name section.
  12. Under Cache key settings, go to Headers, and select Include the following headers.
  13. Under Add Header, select Authorization.
  14. Select Create.

Control the customer's security policy

To control a security policy in CloudFront, you must have a custom domain. It's a best practice to specify an alternate domain name for your distribution. It's also a best practice to use a custom SSL certificate that's configured in AWS Certificate Manager (ACM). Doing so gives you more control over the security policy, and allows customers to continue to use TLS 1.0. For more information, see Supported protocols and ciphers between viewers and CloudFront.

If you use the default *.cloudfront.net domain name, then CloudFront automatically provisions a certificate and sets the security policy to allow TLS 1.0 and 1.1. For more information, see Distribution settings.

To configure an alternate domain name for your CloudFront distribution, follow these steps:

  1. Sign in to the AWS Management Console, and then open the CloudFront console.
  2. Choose the ID for the distribution that you want to update.
  3. On the General tab, choose Edit.
  4. For Alternate Domain Names (CNAMEs), choose Add item, and enter your domain name.
    Note: It's a best practice to use a custom canonical name record (CNAME) to access your resources. Using a CNAME gives you greater control over routing, and allows a better transition for your customers.
  5. For Custom SSL Certificate, choose the custom SSL certificate from the dropdown list that covers your CNAME to assign it to the distribution.
    Note: For more information on installing a certificate, see How do I configure my CloudFront distribution to use an SSL/TLS certificate?
  6. Choose Create distribution, and wait for its status to update to Enabled.

After you create the distribution, you must allow OAC to access your bucket. Complete the following steps:

  1. Navigate to the CloudFront console page, and open your CloudFront distribution.
  2. Select the Origins tab, select your origin, and then click Edit.
  3. Choose Copy policy, open the bucket permission, and update your bucket policy.
  4. Choose Go to S3 bucket permissions to open the bucket's Permissions page.
  5. Under Bucket policy, choose Edit. Paste the policy that you copied earlier, and then choose Save. If your bucket policy requires more than reading from S3, then you can add the required APIs.

If you use a custom domain name, then change your DNS entries to use the new CloudFront distribution URL. If you don't use a custom domain name, then you must provide the new CloudFront distribution URL to your users. Also, you must update any client or device software that uses the old URL.

If you're using an AWS SDK to access Amazon S3 objects, then you must change your code to use regular HTTPS endpoints. Also, make sure that you use the new CloudFront URL. If the objects aren't public and require better control, then you can serve private content with signed URLs and signed cookies.

Use S3 presigned URLs to access objects

If your workflow relies on S3 presigned URLs, then use a CloudFront distribution to relay your query to the S3 origin. First, generate a presigned URL for the object you want. Then, replace the host in the URL with the CloudFront endpoint to deliver the call through CloudFront and automatically upgrade the encryption protocol. To test and generate a presigned URL, run the following CLI command:

aws s3 presign s3://BUCKET_NAME/test.jpg

Example output:

https://BUCKET_NAME.s3.us-east-1.amazonaws.com/test.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=[...]%2F20220901%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=[...]&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=[...]

Now change the S3 URL to the new CloudFront endpoint. For example, replace this S3 URL:

BUCKET_NAME.s3.eu-west-1.amazonaws.com

with this endpoint:

https://DISTRIBUTION_ID.cloudfront.net.

Example output:

https://DISTRIBUTION_ID.cloudfront.net/test.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=[...]%2F20220901%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=[...]&X-Amz-SignedHeaders=host&X-Amz-Expires=3600&X-Amz-Signature=[...]
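The host replacement described above, as an added example that is not part of the original article: the function swaps only the authority of a virtual-hosted-style presigned URL for the CloudFront domain, keeps the signed query string byte-for-byte (which is why the origin request policy must forward all query strings), and rejects path-style URLs, whose signature covers the bucket as a path segment and would not validate once rehosted. The presigned URL is a constructed sample with placeholder credential, date and signature values.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Query parameters every SigV4 presigned URL carries; all of them must reach
# S3 unchanged, so CloudFront must forward the whole query string.
REQUIRED_SIGV4_PARAMS = (
    "X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
    "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature",
)

# Constructed sample modelled on the article's "aws s3 presign" output;
# the credential, date and signature values are placeholders, not real ones.
SAMPLE_PRESIGNED = (
    "https://BUCKET_NAME.s3.us-east-1.amazonaws.com/test.jpg"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20220901%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20220901T120000Z&X-Amz-SignedHeaders=host"
    "&X-Amz-Expires=3600&X-Amz-Signature=0000example"
)


def rewrite_presigned_url_host(presigned_url: str, cloudfront_domain: str) -> str:
    """Return the presigned URL with its S3 host replaced by the CloudFront domain.

    Only virtual-hosted-style URLs (BUCKET.s3.REGION.amazonaws.com/key) are
    accepted. The SigV4 signature covers the path exactly as S3 will see it, so
    a path-style URL (s3.REGION.amazonaws.com/BUCKET/key) cannot simply be
    rehosted: the bucket would have to move from the path into the Host header.
    """
    parts = urlsplit(presigned_url)
    if parts.scheme != "https":
        raise ValueError("presigned URL must use https")
    labels = parts.netloc.lower().split(".")
    if labels[-2:] != ["amazonaws", "com"]:
        raise ValueError(f"not an S3 endpoint: {parts.netloc}")
    # Path-style hosts: s3.REGION.amazonaws.com, s3.amazonaws.com, or the
    # legacy s3-REGION.amazonaws.com form.
    if labels[0] == "s3" or (labels[0].startswith("s3-") and labels[1] == "amazonaws"):
        raise ValueError("path-style presigned URL; regenerate it in virtual-hosted style")
    query = parse_qs(parts.query, keep_blank_values=True)
    missing = [p for p in REQUIRED_SIGV4_PARAMS if p not in query]
    if missing:
        raise ValueError(f"not a SigV4 presigned URL, missing: {missing}")
    # Only the authority changes; path, query and fragment are preserved as-is.
    return urlunsplit(("https", cloudfront_domain, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(rewrite_presigned_url_host(SAMPLE_PRESIGNED, "DISTRIBUTION_ID.cloudfront.net"))
```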

To use presigned URLs, apply the following CloudFront settings:

  1. Set the OAC signing behavior to Do not sign requests.
  2. Set the CloudFront distribution origin request policy to Origin request settings: Headers – None; Cookies – None; Query strings – All.
  3. Set the cache policy to Headers – None; Cookies – None; Query strings – None.

In AWS CloudTrail, the GET request to download from an S3 presigned URL shows as the identity that generated the presigned URL.

If you're using an AWS SDK to access S3 objects, then you must change your code so that it no longer fetches the object through the S3 endpoint directly. Instead, generate the presigned URL, replace its host with the new CloudFront URL, and make a regular HTTPS request to that URL.

Confirm that you're using modern encryption protocols for Amazon S3

To test your new policy, use the following example curl command to make HTTPS requests using a specific legacy protocol:

curl https://${CloudFront_Domain}/image.png -v --tlsv1.0 --tls-max 1.0

The example curl command makes a request to CloudFront using TLS 1.0. This connects to the S3 origin using TLS 1.2 and successfully downloads the file.

It's a best practice to use AWS CloudTrail Lake to identify older TLS connections to AWS service endpoints. You can configure the CloudTrail Lake event data store to capture management events or data events. The corresponding CloudTrail event in CloudTrail Lake shows TLS version 1.2, confirming that your customers use modern security policy to connect to Amazon S3.

AWS OFFICIAL. Updated 2 months ago.

6 Comments

It is not clear from this article whether using the methods outlined still requires the end client to make some changes on their part. If I created a "CloudFront Distribution" for my S3 bucket, what direction do I need to give to the client / customer who is currently consuming this service over TLS 1.0? Do they just point at a different bucket name? Or are there more significant changes required? Any help appreciated. Thanks

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR replied a year ago

This solution is not available in the China region, since there is no 'OAC' function there.

kraft replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR replied a year ago

Thank you for this solution.

I need to create a CloudFront distribution to upload a file to S3 with an old TLS version. Could you please share a solution?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR replied a year ago