What are TLS 1.0 or TLS 1.1 connections and Cloudfront

0

I have received an email from AWS advising me that apparently I have TLS 1.0 or TLS 1.1 connections that need "action" and I must update all client software and enforce the bucket items to TLS 1.2 or higher. I have NO IDEA what this means nor can understand what I need to do as I am not able to understand/follow the Knowledge Center article. Can someone explain this to me in simple English and provide that appropriate assistance as I am not tech savvy. Thank you

  • Could you link to the Knowledge Center article? That would help to provide advice.

4 Answers
0

I have seen this before in another aws repost. I believe there is a report of clients making cli/api calls to aws endpoints using old tls versions.

I think your notification may have specified which api endpoints are effected.

If this is the case you will have to use cloudtrail to locate who’s making these soo calls and what tls version they are using. They may need to upgrade the AWS cli

As for the bucket item, I’ve not heard of AWS notifying however you can enforce on buckets not to use tls less than 1.2

profile picture
EXPERT
answered a year ago
  • Thank you for your answer HOWEVER as I stated, I am NOT tech savvy - I have no idea of what you are talking about nor what this email from AWS is talking about. Nor what I am supposed to do. I don't know what a CLI call is or tis version. I don't understand who or what is calling who

    All I understand is that I was recommended to use AWS to upload videos/audios as a storage facility for future use. Do I now have to remove all my files to an external hard drive? Thank you,

0

Hi.

When you use AWS resources from SDK, JDK or command line interface (CLI) you make calls to API from AWS, to make this calls a secure protocol is used (TLS), the TLS version is related to the version of the SDK/JDK/CLI used. If you received the notification it means that some software is accesing your account with a rather old version and the action to be taken is to update SDK/JDK/CLI from that software in order to upgrade TLS version to 1.2. This software can be something you developed by you organization, a third partie developed software or a SaaS you use that integrates with AWS, i.e. backup solutions, SIEM ingesting your logs.

In this related blog post you find guidance for two actions you can take:

a. Understand what resources are afected, that info you can look at the Personal Health Dashboard for our account (login to your account and then look for Persoal Health Dashboard.

b. Find what calls are using TLS older than 1.2 using CloudTrail logs, this logs will provide with some information like credentials beings used, IP and library used. That usually is a clue to find what program is involved in the calls to API.

I might also add to check IAM Access Analyzer to find out access from other accounts or federated users accesing your account and reviewing the credential report as it is likely and old SDK/JDK/CLI use might be related to a user that has not rotated passwords or access keys.

Update: If notice is related to Cloudfront accesing S3 Origin, you can check this documentation and select TLS 1.2 for origin access protocol.

Hope this answers clarifies path for action.

profile pictureAWS
answered a year ago
0

I'm in the same situation as the person asking the question and feel the same way. Why can't someone answer in English? I know what a command line is and don't use it with S3. As far as I know, no software is doing anything with S3. I just go into S3 and upload content and then use the URL of that content to share with customers, put on webpages, etc. So can I ignore that email? Is the worst that can happen is that some outside software (that I don't know of) won't be able to access S3 on my behalf? Ellen P.S. When someone says they're not tech-savvy, please don't reply with acronyms. It doesn't help. Just some constructive feedback to help you help people.

answered a year ago
0

TL;DR: For most people (and that includes the original post owner and Ellen) there is no action required here.

Please look at my answer to a related question.

In short: The deprecation of TLS 1.0 and 1.1 only applies to AWS service endpoints. That is, if you are (say) creating an EC2 instance; deleting something from a S3 bucket or otherwise changing something in an AWS service then all transactions will be over TLS 1.2 in the very near future.

In non-technical terms, this means that your connection to AWS is more secure. That's all.

If you are using AWS SDKs or the AWS console then you don't need to do anything - these will automatically continue to work and will use the more secure method going forward. No action required on your part.

If you have configured AWS services to provide connectivity to your users and customers then you also do not need to do anything. Services such as CloudFront (but also API Gateway and ALB) can offer connections using TLS 1.0 and 1.1 These will not change but we strongly encourage you to move to TLS 1.2 for increased security. But we also understand that your users might be using older software that might not support TLS 1.2. Again, no change is required here, only advised.

profile pictureAWS
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions