Using AWS CloudTrail Lake to identify older TLS connections to AWS service endpoints
To comply with regulatory standards and follow security best practices, organizations have told us that they want to ensure they have disabled older versions of Transport Layer Security (TLS), such as TLS 1.0 and 1.1, and only use modern TLS 1.2 and 1.3.
When connecting to AWS API endpoints, your client software negotiates its preferred TLS version, and AWS will always select the highest mutually agreed upon version. This means that you have control over the TLS version used. However, it can be challenging for customers to identify their usage of older TLS versions, so they can update to use TLS 1.2 or above.
We are providing mechanisms to help you identify whether any of your client software is still using the older TLS 1.0 and 1.1 protocols. For example, the tlsDetails field within the record contents of a CloudTrail event is present for many services and will be added to the remaining services in the coming months. In this post, we’ll review how AWS CloudTrail Lake makes it easier to query all of your AWS CloudTrail management events and use the tlsDetails field to identify connections to AWS service endpoints that negotiated a version below TLS 1.2.
Enabling AWS CloudTrail Lake
AWS CloudTrail Lake lets you write queries using SQL-based syntax on your CloudTrail data. CloudTrail Lake can be configured to store all events across all accounts within an AWS Organization, including events from multiple regions. Note that CloudTrail Lake ingests CloudTrail event data from the time that the event data store is first configured; it doesn’t include earlier events. Once enabled, CloudTrail Lake records events as they occur, so the older-TLS connections it can surface are those made after the event data store was created. To learn more about CloudTrail Lake and how to configure the service, follow this post.
Calls per-service using older TLS versions
To help customers identify older versions of TLS connections to AWS service API endpoints, we’ve developed two queries for use with CloudTrail Lake:
- The sample query in CloudTrail Lake, “Count calls per-service that were made using outdated TLS versions”. This finds the number of calls per service that used the older TLS versions 1.0 and 1.1 in a specified date range.
- Custom SQL Query for granular view.
Follow these steps to conduct a sample query.
- Navigate to the CloudTrail console. In the left-hand navigation menu, choose Lake and Create event data store if it isn’t already created.
- Select the Sample queries tab and select the hyperlink for the sample query, “Count calls per-service that were made using outdated TLS versions” as shown in Figure 1: Sample query.
Figure 1: Sample query
- The CloudTrail Lake Editor will open, and the SQL query will be populated. Alter the timeframe as necessary by changing the eventTime > '2022-04-14 00:00:00' AND eventTime < '2022-04-20 00:00:00' condition, and select Run.
Figure 2: Sample Query in CloudTrail Lake Editor
- The command output should show “Successful”. Select the Query Results tab to see the breakdown of calls as seen in Figure 3: Query Results.
Figure 3: Query Results
Custom SQL query for granular view
Organizations may sometimes require a more granular view for the specific calls occurring in their environments that use an older version of TLS. The following steps provide more granular views.
- Navigate to the CloudTrail console. In the left-hand navigation menu, choose Lake as shown in Figure 1 to enable CloudTrail Lake and Create event data stores.
- Select the Editor tab, and copy and paste the SQL Query syntax into the editor as shown in Figure 4: To Run SQL Query for granular view in CloudTrail Lake Editor.
SELECT userIdentity.accountId, recipientAccountId, userIdentity.arn, eventSource, eventName,
       awsRegion, tlsDetails.tlsVersion, tlsDetails.cipherSuite, userAgent,
       COUNT(*) AS numOutdatedTlsCalls
FROM $EDS_ID
WHERE tlsDetails.tlsVersion IN ('TLSv1', 'TLSv1.1')
  AND eventTime > '2022-04-19 00:00:00'
  AND eventTime < '2022-04-30 00:00:00'
GROUP BY userIdentity.accountId, recipientAccountId, userIdentity.arn, eventSource, eventName,
         awsRegion, tlsDetails.tlsVersion, tlsDetails.cipherSuite, userAgent
ORDER BY eventSource, eventName, tlsVersion
Figure 4: To Run SQL Query for granular view in CloudTrail Lake Editor
- Alter the eventTime as needed in the SQL Query editor, and select Run.
- The command output should show “Successful”. Select the Query Results tab to see the breakdown of calls as seen in Figure 5: Query Results with Granular view.
Figure 5: Query Results with Granular view
Now you have visibility into the specific calls being made to AWS service endpoints using older versions of TLS. After the older versions of TLS are identified, you may follow the appropriate steps depending on the SDK, tool, or OS to configure the system for TLS 1.2 or 1.3.
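The granular query above can also be reproduced offline against CloudTrail log files, which is useful for events delivered by a trail before the event data store existed. The following Python is an added example, not code from the post: it applies the same filter and grouping to a constructed log in the {"Records": [...]} shape, and additionally counts in-window events that carry no tlsDetails at all (services not yet emitting the field), which the SQL query cannot report.

```python
import json
from collections import Counter

OUTDATED = ("TLSv1", "TLSv1.1")          # the versions the page's query filters on

def _rec(time, source, name, region, account, arn, agent, tls=None):
    """Build one minimal CloudTrail record (constructed sample, not a real event)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": region,
           "recipientAccountId": account, "userAgent": agent,
           "userIdentity": {"accountId": account, "arn": arn}}
    if tls:  # services that do not yet emit tlsDetails simply omit the field
        rec["tlsDetails"] = {"tlsVersion": tls[0], "cipherSuite": tls[1]}
    return rec

# Constructed log in the {"Records": [...]} shape CloudTrail delivers to S3.
LEGACY = ("2022-04-20T10:01:02Z", "s3.amazonaws.com", "GetObject", "us-east-1", "111111111111",
          "arn:aws:iam::111111111111:user/legacy-batch", "aws-sdk-java/1.11.100")
SAMPLE_LOG = json.dumps({"Records": [
    _rec(*LEGACY, tls=("TLSv1", "ECDHE-RSA-AES128-SHA")),
    _rec(*LEGACY, tls=("TLSv1", "ECDHE-RSA-AES128-SHA")),           # same caller, second call
    _rec("2022-04-22T08:30:00Z", "sts.amazonaws.com", "AssumeRole", "us-west-2", "222222222222",
         "arn:aws:iam::222222222222:role/ci-runner", "aws-cli/1.16.0", ("TLSv1.1", "AES128-SHA")),
    _rec("2022-04-22T09:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-west-2",
         "222222222222", "arn:aws:iam::222222222222:role/ci-runner", "aws-cli/2.4.0",
         ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")),                # modern: not reported
    _rec("2022-04-23T12:00:00Z", "example.amazonaws.com", "DescribeThing", "us-east-1",
         "222222222222", "arn:aws:iam::222222222222:role/ci-runner", "aws-sdk-go/1.20.0"),
]})

def outdated_tls_calls(log_text, start, end):
    """Same filter/grouping as the page's granular query, applied to one log file.
    Returns (rows, no_tls_details): rows are (group_key, count) ordered by eventSource,
    eventName, tlsVersion; no_tls_details counts in-window events lacking tlsDetails."""
    counts, no_tls_details = Counter(), 0
    for ev in json.loads(log_text)["Records"]:
        if not (start < ev["eventTime"] < end):  # ISO 8601 UTC, so string order = time order
            continue
        tls = ev.get("tlsDetails")
        if tls is None:
            no_tls_details += 1
            continue
        if tls.get("tlsVersion") not in OUTDATED:
            continue
        ident = ev["userIdentity"]
        key = (ident.get("accountId"), ev.get("recipientAccountId"), ident.get("arn"),
               ev["eventSource"], ev["eventName"], ev.get("awsRegion"),
               tls["tlsVersion"], tls.get("cipherSuite"), ev.get("userAgent"))
        counts[key] += 1
    rows = sorted(counts.items(), key=lambda kv: (kv[0][3], kv[0][4], kv[0][6]))
    return rows, no_tls_details
```

Treat a non-zero no_tls_details count as a coverage gap rather than a clean result: those services may still be receiving TLS 1.0/1.1 connections that the field cannot yet show.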
What does the information in the CloudTrail Lake queries mean?
Customers may use the data presented in the query results to identify the users, roles, user agents, IP addresses, etc., that are making calls to AWS service endpoints using older versions of TLS. This helps customers pinpoint the applications that are making these older calls and update them accordingly. In some situations, the connections may be made using the AWS Software Development Kit (AWS SDK), in which case customers may reference the AWS SDK’s documentation, which describes how to properly configure a client’s minimum and maximum TLS versions. Depending on the OS, tool, or environment reported in the CloudTrail events (for example, in the userAgent field), customers can review its documentation to update accordingly. More information on options to assist customers with updating their TLS versions for their AWS service endpoint connections can be found in this post.
To clean up the CloudTrail Lake environment that you’ve created, you can delete the event data store.
- Select the event data store within the AWS console, select the actions menu, and change the termination protection to “Disabled”.
- Then, select the actions menu again and delete the event data store. The Event Data Store will enter a pending deletion mode in which you can’t run queries on it, or perform any operations on it except restore. After seven days, an event data store that’s pending deletion is permanently deleted, along with all of the associated data.
In this post, we discussed how organizations may utilize CloudTrail Lake to identify connections to AWS service endpoints within their environment that occur over older versions of TLS.