AWS Security Blog
Over 70 services require TLS 1.2 minimum for AWS FIPS endpoints
March 18, 2021: This post was originally published in February 2021. Since then, the number of services that require a TLS minimum of 1.2 has grown from over 40 to over 70. We’ve updated this post accordingly.
In a March 2020 blog post, we told you about work Amazon Web Services (AWS) was undertaking to update all of our AWS Federal Information Processing Standard (FIPS) endpoints to a minimum of Transport Layer Security (TLS) 1.2 across all AWS Regions. Today, we’re happy to announce that over 70 services have been updated and now require TLS 1.2:
- Amazon AppStream 2.0
- Amazon Athena
- Amazon API Gateway
- Amazon CloudFront
- Amazon CloudWatch Events
- Amazon Cognito
- Amazon Comprehend
- Amazon Comprehend Medical
- Amazon Connect
- Amazon EC2 Image Builder
- Amazon Elastic Block Store (Amazon EBS) direct APIs
- Amazon Elastic Container Service (Amazon ECS)
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Amazon EMR
- Amazon FSx
- Amazon GuardDuty
- Amazon Inspector
- Amazon Kinesis Data Firehose
- Amazon Lex
- Amazon Macie
- Amazon MQ
- Amazon Pinpoint
- Amazon Polly
- Amazon QuickSight
- Amazon Redshift
- Amazon Rekognition
- Amazon SageMaker
- Amazon Simple Workflow Service (Amazon SWF)
- Amazon Textract
- Amazon Transcribe
- Amazon Translate
- Amazon Workdocs
- AWS Backup
- AWS Batch
- AWS Certificate Manager (ACM)
- AWS Certificate Manager Private Certificate Authority (PCA)
- AWS Cloud Map
- AWS CodeBuild
- AWS CodeDeploy
- AWS CodePipeline
- AWS Database Migration Service (AWS DMS)
- AWS DataSync
- AWS Direct Connect
- AWS Directory Service
- AWS Elastic Beanstalk
- AWS Elemental MediaConvert
- AWS Elemental MediaLive
- AWS Firewall Manager
- AWS Glue
- AWS Ground Station
- AWS Health
- AWS Identity and Access Management (IAM) Access Analyzer
- AWS IoT Greengrass
- AWS Key Management Service (AWS KMS)
- AWS Lake Formation
- AWS Lambda
- AWS License Manager
- AWS OpsWorks
- AWS Outposts
- AWS Resource Groups
- AWS Secrets Manager
- AWS Security Hub
- AWS Serverless Application Repository
- AWS Service Catalog
- AWS Shield
- AWS Snow Family
- AWS Step Functions
- AWS Storage Gateway
- AWS Support
- AWS Transfer Family
- AWS WAF
These services no longer support using TLS 1.0 or TLS 1.1 on their FIPS endpoints. To help you meet your compliance needs, we are updating all AWS FIPS endpoints to a minimum of TLS 1.2 across all Regions. We will continue to update our services to support only TLS 1.2 or later on AWS FIPS endpoints, which you can check on the AWS FIPS webpage. This change doesn’t affect non-FIPS AWS endpoints.
When you make a connection from your client application to an AWS service endpoint, the client provides its TLS minimum and TLS maximum versions. The AWS service endpoint will always select the maximum version offered.
What is TLS?
TLS is a cryptographic protocol designed to provide secure communication across a computer network. API calls to AWS services are secured using TLS.
What is FIPS 140-2?
The FIPS 140-2 is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information.
What are AWS FIPS endpoints?
All AWS services offer TLS 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints for customers who need to use FIPS validated cryptographic libraries to connect to AWS services.
Why are we upgrading to TLS 1.2?
Our upgrade to TLS 1.2 across all Regions reflects our ongoing commitment to help customers meet their compliance needs.
Is there more assistance available to help verify or update client applications?
If you’re using an AWS software development kit (AWS SDK), you can find information about how to properly configure the minimum and maximum TLS versions for your clients in the following AWS SDK topics:
- AWS SDK for .NET: AWS .NET SDK for supporting TLS 1.2 or AWS SDK for .NET repository on GitHub.
- AWS SDK for PHP: AWS PHP SDK for supporting TLS 1.2
- AWS SDK for Python (Boto3): AWS Python SDK for supporting TLS 1.2
- AWS Command Line Interface (AWS CLI) for Python: AWS Python CLI for supporting TLS 1.2
- AWS SDK for Go: AWS Go SDK for supporting TLS 1.2
- AWS SDK for C++: AWS C++ SDK for supporting TLS 1.2
- AWS SDK for Ruby: AWS Ruby SDK for supporting TLS 1.2
- AWS SDK for Java 2.x: AWS Java v2 SDK for supporting TLS 1.2
- AWS SDK for Java 1.x: AWS Java v1 SDK for supporting TLS 1.2
You can also visit Tools to Build on AWS and browse by programming language to find the relevant SDK. AWS Support tiers cover development and production issues for AWS products and services, along with other key stack components. AWS Support doesn’t include code development for client applications.
If you have any questions or issues, you can start a new thread on one of the AWS forums, or contact AWS Support or your technical account manager (TAM).
If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.