AWS Security Blog

Tag: TLS

AWS Certificate Manager

AWS Certificate Manager will discontinue WHOIS lookup for email-validated certificates

AWS Certificate Manager (ACM) is a managed service that you can use to provision, manage, and deploy public and private TLS certificates for use with Amazon Web Services (AWS) and your internal connected resources. Today, we’re announcing that ACM will be discontinuing the use of WHOIS lookup for validating domain ownership when you request email-validated […]

How to implement client certificate revocation list checks at scale with API Gateway

As you design your Amazon API Gateway applications to rely on mutual certificate authentication (mTLS), you need to consider how your application will verify the revocation status of a client certificate. In your design, you should account for the performance and availability of your verification mechanism to make sure that your application endpoints perform reliably. […]

Faster AWS cloud connections with TLS 1.3

Faster AWS cloud connections with TLS 1.3

January 12, 2024: Over 80% of AWS service API endpoints now support TLS 1.3, along with TLS 1.2. The remaining services are in progress on adding TLS 1.3 globally across AWS Regions and Availability Zones. We will update this post again when these deployments complete. September 13, 2023: Over 65% of AWS service API endpoints […]

Automate the deployment of an NGINX web service using Amazon ECS with TLS offload in CloudHSM

Customers who require private keys for their TLS certificates to be stored in FIPS 140-2 Level 3 certified hardware security modules (HSMs) can use AWS CloudHSM to store their keys for websites hosted in the cloud. In this blog post, we will show you how to automate the deployment of a web application using NGINX […]

AWS Logo

Three ways to boost your email security and brand reputation with AWS

April 11, 2023: This post had been updated to provide clarifications: The recommendation to use SES or WorkMail as part of this solution is for receiving TLS reports sent via email from mail receiving organizations. It is unrelated to the BIMI and MTA-STS aspects or any core functionality of the solution.. If you own a […]

How to evaluate and use ECDSA certificates in AWS Certificate Manager

AWS Certificate Manager (ACM) is a managed service that enables you to provision, manage, and deploy public and private SSL/TLS certificates that you can use to securely encrypt network traffic. You can now use ACM to request Elliptic Curve Digital Signature Algorithm (ECDSA) certificates and associate the certificates with AWS services like Application Load Balancer (ALB) […]

Amazon introduces dynamic intermediate certificate authorities

February 27, 2023: We’ve updated question and answer #3 on this blog post. October 7, 2022: This blog post has been updated to include a Frequently Asked Questions section at the end. September 30, 2022: This blog post has been updated to include the addition of the CN=Starfield Services Root Certificate Authority – G2,O=Starfield Technologies\, […]

How to tune TLS for hybrid post-quantum cryptography with Kyber

January 30, 2024: The API in this blog post has been changed in newer version of the AWS CRT Client. See this page for more info. January 25, 2023: AWS KMS, ACM, Secrets Manager TLS endpoints have been updated to only support NIST’s Round 3 picked KEM, Kyber. s2n-tls and s2n-quic have also been updated […]

TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints

January 17, 2024: Over 96% of AWS service API endpoints have ended support for TLS versions 1.0 and 1.1. Over the next six weeks, the remaining services will complete updates to their TLS configuration to require a minimum of TLS version 1.2. We will update this post again when the changes are globally complete across […]

How to use ACM Private CA for enabling mTLS in AWS App Mesh

Securing east-west traffic in service meshes, such as AWS App Mesh, by using mutual Transport Layer Security (mTLS) adds an additional layer of defense beyond perimeter control. mTLS adds bidirectional peer-to-peer authentication on top of the one-way authentication in normal TLS. This is done by adding a client-side certificate during the TLS handshake, through which […]