Initial Publication Date: 2020/03/31 11:15AM PDT
AWS is updating all AWS Federal Information Processing Standard (FIPS) endpoints to a minimum Transport Layer Security (TLS) version of 1.2 across all AWS Regions by March 31, 2021. This update will revoke the ability to use TLS 1.0 and TLS 1.1 on all FIPS endpoints. No other AWS endpoints will be affected by this change.
When connecting to an AWS service endpoint, your client provides its TLS minimum and TLS maximum version. The AWS service endpoint selects the maximum version offered.
What do I need to do?
Confirm that all of your client applications support TLS 1.2, ensuring it is encapsulated between the minimum and the maximum versions. We encourage you to act now to avoid any impact to your availability and to protect the integrity of your data in transit. Additionally, we recommend that you perform these steps in a test or staging environment before completing these steps in a production environment.
If you are using an AWS Software Development Kit (AWS SDK), you can find information about how to properly configure your client's minimum and maximum TLS versions on the following topics in the AWS SDK documentation:
- AWS SDK for .NET
- AWS SDK for C++
- AWS SDK for Go
- AWS SDK for Java v1
- AWS SDK for Java v2
- AWS SDK for PHP
- AWS SDK for Python
- AWS SDK for Ruby
Or see Tools to Build on AWS, where you can browse by programming language to find the relevant SDK.
When are these changes occurring?
To minimize the impact to our customers who use TLS 1.0 and TLS 1.1, we are rolling out the changes on a service-by-service basis between now and the end of March 2021.
We will detect and validate customer connections to AWS FIPS endpoints. After a 30-day period during which no connections are detected, we will deploy a configuration change to remove support for them. After March 31, 2021, we may update the endpoint configuration to remove TLS 1.0 and 1.1, even if we detect customer connections. We will provide additional updates and reminders on the AWS Security Blog, with a ‘ TLS’ tag.
What are AWS FIPS endpoints?
All AWS services offer Transport Layer Security (TLS) 1.2 encrypted endpoints that can be used for all API calls. Some AWS services also offer FIPS 140-2 endpoints for customers that require use of FIPS validated cryptographic libraries.
What is Transport Layer Security (TLS)?
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication across a computer network. API calls to AWS services are secured using TLS.
How can I get additional assistance to verify or update my client application?
If you have any questions or issues, please contact AWS Support or your Technical Account Manager (TAM). The AWS Technical Support tiers cover development and production issues for AWS products and services, along with other key stack components. AWS Support does not include code development for client applications.
Customers also may use AWS IQ to find and securely work with AWS Certified third-party experts for on-demand project work. Visit the AWS IQ page for information about how you can submit your request, get responses from experts, and choose the expert with the skills and experience you require. You can log into your console and select Get Started with AWS IQ to start your request.