The Internet of Things on AWS – Official Blog

Introducing TLS 1.3 support in AWS IoT Core

Introduction

We’re very pleased to announce that AWS IoT Core now supports Transport Layer Security (TLS) version 1.3 amongst its transport security options. TLS 1.3 offers customers enhanced security and performance compared to TLS 1.2. Customers can configure the TLS version for their default Amazon Trust Services (ATS) data plane endpoint and for their configurable endpoints, be they AWS-managed domains or custom domains. Customers can simultaneously operate both TLS 1.2 and TLS 1.3 on a single data endpoint, or across multiple data endpoints, to support and manage a heterogeneous fleet of devices.

“We are happy to be the first customer using TLS 1.3 on AWS IoT Core, connecting millions of vehicles globally. The security of our vehicles and vehicle data is our top priority,” said Brian Black, Manager Cloud Transport & Networking – Mercedes-Benz Research & Development North America Inc. “Our newer models use the latest TLS version, 1.3, when connecting to our connected vehicle platform built on AWS IoT Core, ensuring any communication is highly secure. However, we also have older models that still use TLS 1.2. AWS IoT Core offers the ability to support both TLS versions. It gives our customers flexibility to determine when they want to update their cars for added security.”

Support for TLS 1.3 is also extended to AWS IoT Core Device Advisor. Device Advisor now automatically detects and handles the TLS version used by the device. The TLS test cases can be used for either TLS 1.2 or 1.3.

In this blog post, we summarize the enhancements offered by TLS 1.3, explain how the feature is integrated into AWS IoT Core, and walk you through how to get started with TLS 1.3 endpoints.

TLS 1.3 enhancements

TLS 1.3 offers several advantages over 1.2, including:

  1. Improved security: stronger cryptographic algorithms and key exchange mechanisms; weak and obsolete cipher suites are no longer negotiable.
  2. Faster handshake: reduces the number of round trips required to complete the handshake, so connections are established sooner.
  3. Reduced latency: includes a zero round-trip time (0-RTT) mode for resumed sessions.
  4. Better privacy: every session uses an ephemeral key exchange, so past sessions cannot be decrypted even if the server's private key is compromised in the future (forward secrecy).
  5. Simplified design: removes legacy features, making it easier to implement and maintain.
  6. Improved resilience to traffic analysis: encrypts more of the handshake (including the server certificate) than previous versions.

Integration with AWS IoT Core

AWS IoT Core already offers flexible data endpoint and domain configuration options for you to connect your devices to the AWS IoT Core data service. You can use the default Amazon Trust Services (ATS) data plane endpoint, or choose to configure additional data endpoints. These may have alternate authentication methods or use a custom domain with a user-managed certificate. AWS IoT Core now adds the concept of a configurable TLS security policy associated with each data endpoint.

Figure 1: Domain configurations with TLS security policies

The TLS security policy can have one of up to five settings:

  1. TLS 1.2+1.3                  IoTSecurityPolicy_TLS13_1_2_2022_10
  2. TLS 1.3 only                 IoTSecurityPolicy_TLS13_1_3_2022_10
  3. TLS 1.2 only                 IoTSecurityPolicy_TLS12_1_2_2022_10
  4. TLS 1.0+1.1+1.2 (legacy)     IoTSecurityPolicy_TLS12_1_0_2016_01
  5. TLS 1.0+1.1+1.2 (legacy)     IoTSecurityPolicy_TLS12_1_0_2015_01

Please consult the TLS policy table for full details on the TLS versions, TCP ports and cipher suites supported by each policy.

Existing domains and data endpoints default to TLS 1.2 for compatibility with existing device fleets. New domains and data endpoints default to TLS 1.2+1.3. The legacy policies are only available in select regions and should not be used in new designs.

Using TLS 1.3 with AWS IoT Core

To assign the TLS security policy for your data endpoints, you can use either the AWS Console or the AWS CLI.

This section covers:

  • Apply TLS 1.3 to your default ATS domain device data endpoint using the AWS Console
  • Apply TLS 1.3 to your AWS-managed domain configurable endpoint using the AWS Console
  • Apply TLS 1.3 to your default ATS domain device data endpoint using the AWS CLI
  • Apply TLS 1.3 to your AWS-managed domain configurable endpoint using the AWS CLI

Prerequisites

AWS IoT Core permissions to:

  • describe-endpoint
  • list-domain-configurations
  • describe-domain-configuration
  • update-domain-configuration

AWS CLI 2.11.17 or greater, configured in your local terminal for your AWS account and region.

Apply TLS 1.3 to your default ATS domain device data plane endpoint using the AWS Console

Step 1: Update your ATS data plane endpoint

  1. Open the AWS IoT console.
  2. In the menu, select Settings.
  3. Under Device data endpoint, select the Security Policy from the dropdown.

Figure 2: Device data endpoint – Select Security Policy

The selection you make in the dropdown automatically saves to the Device data endpoint.

Apply TLS 1.3 to your AWS-managed domain configurable endpoint using the AWS Console

Step 1: Create a domain configuration

  1. Open the AWS IoT console.
  2. In the menu, select Settings.
  3. Click Create domain configuration.
  4. Enter a Domain configuration name.
  5. In the Custom domain settings panel, select the Security Policy from the dropdown.
  6. Click Create domain configuration to save the new configuration.

Figure 3: Create domain configuration with TLS 1.3 only

The new domain configuration is listed in the main Settings panel.

Figure 4: Saved domain configuration

Apply TLS 1.3 to your default ATS domain device data plane endpoint using the AWS CLI

Step 1: Retrieve your default device data endpoint using the AWS CLI.

aws iot describe-endpoint --endpoint-type iot:Data-ATS

This returns the endpoint address that your TLS configuration applies to:

{
    "endpointAddress": "your_specific_endpointxxxx-ats.iot.us-west-2.amazonaws.com"
}

Step 2: Check the current TLS configuration for your default device data endpoint.

aws iot describe-domain-configuration --domain-configuration-name "iot:Data-ATS"

This returns the current endpoint configuration details, including the security policy that sets the TLS version:

{
    "domainConfigurationName": "iot:Data-ATS",
    "domainConfigurationArn": "arn:aws:iot:us-west-2:AWSACCOUNTID:domainconfiguration/iot:Data-ATS",
    "domainName": "your_specific_endpointxxxx-ats.iot.us-west-2.amazonaws.com",
    "serverCertificates": [],
    "domainConfigurationStatus": "ENABLED",
    "serviceType": "DATA",
    "domainType": "ENDPOINT",
    "lastStatusChangeDate": "2023-03-16T17:57:59.194000+08:00",
    "tlsConfig": {
        "securityPolicy": "IoTSecurityPolicy_TLS12_1_2_2022_10"
    }
}

In this example, the securityPolicy value shows a TLS 1.2 only policy. This is the case for endpoints that existed before the release of the TLS 1.3 feature. All new endpoints default to TLS 1.2 and above. You can choose to upgrade older endpoints to TLS 1.2+1.3 (which lets the server and device negotiate the highest version both support) or enforce TLS 1.3 only (which causes the TLS handshake to fail for any device that cannot speak TLS 1.3).

Step 3: To update your endpoint configuration to TLS 1.2+1.3, enter the following:

aws iot update-domain-configuration --domain-configuration-name "iot:Data-ATS" --tls-config securityPolicy="IoTSecurityPolicy_TLS13_1_2_2022_10"

Step 4: To test your endpoint's TLS version compatibility:

curl https://your_specific_endpointxxxx-ats.iot.us-west-2.amazonaws.com --insecure --verbose --tlsv1.2 --tls-max 1.3

If the policy is applied correctly, the handshake succeeds at the highest version available (TLS 1.3) and the verbose output includes a line similar to this. The --insecure flag skips certificate verification, which is acceptable here only because the command checks the negotiated protocol version rather than trust in the server certificate.

........
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
.......

Apply TLS 1.3 to your AWS-managed domain configurable endpoint using the AWS CLI

If you use an AWS-managed or custom domain for a set of your devices, you can also set the TLS configuration for that domain's configurable endpoint. Repeat the steps above, replacing the domain-configuration-name "iot:Data-ATS" with your custom domain configuration name. For fully qualified domain name (FQDN) endpoints, make sure you use the FQDN endpoint URL. See Creating and configuring AWS-managed domains and Creating and configuring custom domains.

aws iot update-domain-configuration --domain-configuration-name "foobar" --tls-config securityPolicy="IoTSecurityPolicy_TLS13_1_2_2022_10"
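The CLI steps above leave one decision to the operator: whether moving an endpoint to TLS 1.2+1.3 or TLS 1.3 only would strand part of a mixed fleet. The following is an added example (not AWS code) that reads the securityPolicy from describe-domain-configuration output, checks each device's supported TLS versions against the five policies listed in this post, recommends the most restrictive non-legacy policy that keeps every device connected, and assembles the matching update-domain-configuration command. The describe output and device capabilities are constructed sample data.

```python
import json

# TLS versions accepted by each AWS IoT Core security policy, from the table in this post.
POLICY_VERSIONS = {
    "IoTSecurityPolicy_TLS13_1_2_2022_10": {"1.2", "1.3"},
    "IoTSecurityPolicy_TLS13_1_3_2022_10": {"1.3"},
    "IoTSecurityPolicy_TLS12_1_2_2022_10": {"1.2"},
    "IoTSecurityPolicy_TLS12_1_0_2016_01": {"1.0", "1.1", "1.2"},  # legacy, select regions
    "IoTSecurityPolicy_TLS12_1_0_2015_01": {"1.0", "1.1", "1.2"},  # legacy, select regions
}
# Candidates for new designs, most restrictive first; legacy policies are never proposed.
PREFERRED_ORDER = (
    "IoTSecurityPolicy_TLS13_1_3_2022_10",
    "IoTSecurityPolicy_TLS13_1_2_2022_10",
    "IoTSecurityPolicy_TLS12_1_2_2022_10",
)

def current_policy(describe_output: str) -> str:
    """Read tlsConfig.securityPolicy from `aws iot describe-domain-configuration` JSON."""
    cfg = json.loads(describe_output)
    policy = cfg.get("tlsConfig", {}).get("securityPolicy")
    if policy not in POLICY_VERSIONS:
        raise ValueError(f"unknown or missing securityPolicy: {policy!r}")
    return policy

def stranded_devices(policy: str, fleet: dict[str, set[str]]) -> list[str]:
    """Devices sharing no TLS version with the policy: their handshake fails after the change."""
    allowed = POLICY_VERSIONS[policy]
    return sorted(name for name, versions in fleet.items() if not versions & allowed)

def recommend_policy(fleet: dict[str, set[str]]) -> str:
    """Most restrictive current policy that still lets every device in the fleet connect."""
    for policy in PREFERRED_ORDER:
        if not stranded_devices(policy, fleet):
            return policy
    raise ValueError("some devices support neither TLS 1.2 nor 1.3; update their firmware first")

def update_command(domain_configuration_name: str, policy: str) -> str:
    """The update-domain-configuration call from this post, filled in for the chosen policy."""
    return (f'aws iot update-domain-configuration --domain-configuration-name '
            f'"{domain_configuration_name}" --tls-config securityPolicy="{policy}"')

# Constructed sample data: trimmed describe output (TLS 1.2 only, as for a pre-existing endpoint)
# and a fleet where newer devices speak TLS 1.3 but older ones top out at TLS 1.2.
SAMPLE_DESCRIBE = json.dumps({"domainConfigurationName": "iot:Data-ATS", "domainType": "ENDPOINT",
                              "tlsConfig": {"securityPolicy": "IoTSecurityPolicy_TLS12_1_2_2022_10"}})
SAMPLE_FLEET = {"model-2023": {"1.2", "1.3"}, "model-2019": {"1.2"}}

if __name__ == "__main__":
    print("current policy:", current_policy(SAMPLE_DESCRIBE))
    print("stranded by TLS 1.3 only:", stranded_devices("IoTSecurityPolicy_TLS13_1_3_2022_10", SAMPLE_FLEET))
    print(update_command("iot:Data-ATS", recommend_policy(SAMPLE_FLEET)))
```

Feed it the real describe-domain-configuration JSON and an inventory of what TLS versions your device firmware actually negotiates; the recommendation only moves to TLS 1.3 only once no device would be left unable to complete the handshake.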

Conclusion

In this blog we introduced the benefits of TLS 1.3 and how it is integrated into AWS IoT Core. We then walked you through configuring the TLS version for the different types of data endpoints and domains. TLS security policies let you set the desired TLS version not only for the default ATS data plane endpoint but also for your configurable endpoints and custom domains.

To get started with connecting your TLS 1.2 and 1.3 devices to AWS IoT Core, please consult the developer guide or watch “TLS security policies for AWS IoT Core”.

To learn more about AWS IoT services and solutions, please visit AWS IoT or contact us.

About the Authors

Greg Breen is a Senior IoT Specialist Solutions Architect at Amazon Web Services. Based in Australia, he helps customers throughout Asia Pacific to build their IoT solutions. With deep experience in embedded systems, he has a particular interest in assisting product development teams to bring their devices to market.

Jen O’Hehir is a Senior Solutions Architect at Amazon Web Services. With a strong background in mining in Western Australia, Jen enjoys helping customers new to AWS build innovative and operationally optimized cloud and hybrid solutions. She has a passion for liberating OT data to empower data-driven operational decisions and operating model improvements.