New Amazon Neptune engine release now enforces a minimum version of TLS 1.2 and SSL client connections

Posted on: Oct 28, 2020

Amazon Neptune now enforces a minimum of TLS v1.2 for Secure Sockets Layer (SSL) client connections to Neptune in all AWS Regions where Neptune is available, starting with the latest engine release, 1.0.4.0.

With this release, Neptune requires clients in all regions to use SSL with TLS v1.2 for both REST and WebSocket connections to any cluster or instance endpoint. Clients that currently connect with TLS v1.1 must support TLS v1.2 in order to use this engine version. Engine release 1.0.4.0 is the default for newly created Neptune clusters. Existing clusters are not updated automatically; customers can choose to upgrade by following the instructions on the engine release page.

Customers asked us for stronger security when communicating with Neptune. Before this release, some regions, such as US East (Northern Virginia), supported both SSL and non-SSL connections, and customers could enforce SSL connections through a cluster parameter setting. This added the complexity of controlling who may change that cluster parameter setting through additional IAM configuration. With engine release 1.0.4.0, the neptune_enforce_ssl cluster parameter setting and the additional configuration around it are no longer needed.

For more details on connecting to Neptune with encryption in transit and the strong cipher suites it uses, refer to the Neptune User Guide. For a description of the cipher parameters and their algorithms, refer to the IANA descriptions. For most developers, these parameters are handled by the SSL client libraries. For details on using the latest Neptune engine release or updating an existing cluster, see the engine release notes.