Amazon CloudFront announces new TLS1.2 security policy for viewer connections

Posted on: Jul 17, 2020

Details: Amazon CloudFront now supports a new security policy, TLSv1.2_2019, which includes only the following ciphers:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES256-SHA384

A security policy determines the SSL/TLS protocol versions that CloudFront accepts from viewers and the ciphers that CloudFront uses to encrypt the content it returns to them. The TLSv1.2_2019 policy sets the minimum negotiated Transport Layer Security (TLS) version to 1.2 and supports only the ciphers listed above. When you create a new distribution using a custom SSL certificate, TLSv1.2_2019 is the default policy option selected. You can use the AWS Management Console, the Amazon CloudFront API, or AWS CloudFormation to update the configuration of an existing distribution to use this new security policy.
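Since a security policy is ultimately a contract about what a viewer can negotiate, the practical check is to connect to the distribution and confirm two things: the handshake lands on TLS 1.2 or 1.3 with a cipher from the list above, and a client capped at TLS 1.1 is refused. The script below is an added example, not AWS code; it encodes the TLSv1.2_2019 cipher list from this announcement (in OpenSSL naming, which is what Python's `ssl` module reports for both TLS 1.2 and 1.3 suites) and uses the standard library only. The hostname `example.com` in the usage line is a placeholder for your own distribution's domain.

```python
"""Audit a TLS endpoint against CloudFront's TLSv1.2_2019 viewer policy."""
import socket
import ssl

# Cipher allowlist exactly as published for TLSv1.2_2019, in OpenSSL names.
TLSV1_2_2019_CIPHERS = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-SHA384",
})
MINIMUM_VERSION = "TLSv1.2"
_VERSION_ORDER = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def check_negotiated(version, cipher):
    """Return (compliant, reason) for a negotiated protocol/cipher pair.

    `version` and `cipher` are the strings returned by SSLSocket.version()
    and SSLSocket.cipher()[0].
    """
    if _VERSION_ORDER.get(version, 0) < _VERSION_ORDER[MINIMUM_VERSION]:
        return False, f"protocol {version} is below the policy minimum {MINIMUM_VERSION}"
    if cipher not in TLSV1_2_2019_CIPHERS:
        return False, f"cipher {cipher} is not in the TLSv1.2_2019 allowlist"
    return True, "ok"


def probe(host, port=443, max_version=None, timeout=5.0):
    """Handshake with host and return (version, cipher), or None if refused.

    With max_version set, the client deliberately offers nothing newer than
    that version, which is how we test that the server enforces its minimum.
    """
    ctx = ssl.create_default_context()
    if max_version is not None:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = max_version
        try:
            # OpenSSL's default security level blocks TLS 1.0/1.1 on the
            # client side; relax it so a refusal reflects the server's policy.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # library without security levels (e.g. LibreSSL)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def audit(host):
    """Report whether a live endpoint behaves as TLSv1.2_2019 describes."""
    negotiated = probe(host)
    if negotiated is None:
        return {"host": host, "reachable": False}
    version, cipher = negotiated
    compliant, reason = check_negotiated(version, cipher)
    # A successful handshake here means the server still accepts TLS 1.1.
    legacy = probe(host, max_version=ssl.TLSVersion.TLSv1_1)
    return {
        "host": host,
        "reachable": True,
        "version": version,
        "cipher": cipher,
        "compliant": compliant,
        "reason": reason,
        "rejects_tls1_1": legacy is None,
    }


if __name__ == "__main__":
    import sys
    # Placeholder host; pass your distribution's domain name instead.
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it as `python audit_tls.py d111111abcdef8.cloudfront.net` (placeholder domain) after switching the distribution to the new policy. Note that `rejects_tls1_1` is also `True` when the local TLS library itself cannot speak TLS 1.1, so treat a `True` there as confirmed only if the same probe succeeds against a host known to still allow it.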

The TLSv1.2_2019 security policy is available today. To learn more about this new policy and the ciphers it supports, refer to CloudFront's documentation. To get started with CloudFront, visit the CloudFront product page.