Posted On: Oct 26, 2023

AWS Network Firewall now supports egress Transport Layer Security (TLS) inspection, enabling customers to strengthen their security posture on AWS by improving visibility into encrypted outbound VPC traffic. Starting today, you can use AWS Network Firewall to decrypt, inspect, and re-encrypt outbound TLS traffic destined for the internet, another VPC, or another subnet.

AWS Network Firewall is a managed firewall service that makes it easy to deploy essential network protections for all your Amazon VPCs. With this feature, customers of all sizes and industries can inspect outbound traffic for malicious content, detect policy violations, or scan for sensitive data leaving their network. TLS traffic decryption also helps customers meet regulatory and business compliance requirements by providing visibility and auditing capabilities for encrypted traffic. For example, financial institutions can monitor outbound encrypted traffic to prevent unauthorized transmission of sensitive data, such as credit card numbers or bank account information, reducing the risk of data breaches and regulatory penalties.

Egress TLS inspection is available in AWS Israel (Tel Aviv) Region and Europe (Ireland) Region. Ingress TLS inspection is supported in all AWS Regions where AWS Network Firewall is available, including the AWS GovCloud (US) Regions. For more details on availability, refer to the AWS Region table.

You can enable TLS inspection from the Amazon VPC Console or the Network Firewall API. To learn more about this new feature and pricing, please see the AWS Network Firewall product page and service documentation.