To respond to evolving technology and regulatory standards for Transport Layer Security (TLS), we will be updating the TLS configuration for Amazon Web Services API endpoints of all services to a minimum of version TLS 1.2. This update means you will no longer be able to use TLS versions 1.0 and TLS versions 1.1 with all Amazon Web Services APIs in Amazon Web Services China Regions by June 28, 2023. In this post, we will tell you how to check your TLS version, and what to do to prepare.

If you are one of the more than 95% of our customers are already using TLS 1.2 or later, and will not be impacted by this change. You are almost certainly already using TLS 1.2 or later if your client software application was built after 2014 using an Amazon Software Development Kit (Amazon SDK), Amazon Command Line Interface (Amazon CLI), Java Development Kit (JDK) 8 or later, or another modern development environment. Customers still using TLS 1.0 or TLS 1.1 must update your client software to use TLS 1.2 or later to maintain your ability to connect. You will be notified on your Amazon Health Dashboard, and by email.

After June 28, 2023, we will update our API endpoint configuration to remove TLS 1.0 and TLS 1.1, even if you still have connections using these versions. It is important to understand that you already have control over the TLS version used when connecting. When connecting to Amazon Web Services API endpoints, your client software negotiates its preferred TLS version, and we use a high mutually agreed upon version. 

What should you do to prepare for this update?

To minimize your risk, you can self-identify if you have any connections using TLS 1.0 or TLS 1.1. If you find any connections using TLS 1.0 or TLS 1.1, you should update your client software to use TLS 1.2 or later.

Amazon CloudTrail records are especially useful to identify if you are using the outdated TLS versions. You can now search for the TLS version used for your connections by using the recently added tlsDetails field. The tlsDetails structure in each CloudTrail record contains the TLS version, cipher suite, and the client-provided host name used in the service API call, which is typically the fully qualified domain name (FQDN) of the service endpoint. You can then use the data in the records to help you pinpoint your client software that is responsible for the TLS 1.0 or TLS 1.1 call, and update it accordingly.

We recommend you use one of the following options for running your CloudTrail TLS queries:

• Amazon CloudWatch Log Insights: There are two built-in CloudWatch Log Insights sample CloudTrail TLS queries that you can use, as shown in Figure 1.

• Amazon Athena: You can query Amazon CloudTrail logs in Amazon Athena, and in November 2022 we added support for querying the TLS values in your CloudTrail logs.

In addition to using CloudTrail data, you can also identify the TLS version used by your connections by performing code, network, or log analysis 

How can I update the TLS version used by my software client?

We encourage you to be proactive in order to avoid an impact to availability. Also, we recommend that you test configuration changes in a staging environment before you introduce them into production workloads. Customers using an Amazon Software Development Kit (Amazon SDK) can find information about how to properly configure their client’s minimum and maximum TLS versions on the following topics in the Amazon SDKs:

• Amazon SDK for .NET: Amazon .NET SDK for enforcing a minimum TLS version or Amazon SDK for .NET repository on GitHub.
• Amazon SDK for PHP SDK: Amazon PHP SDK for enforcing a minimum TLS version
• Amazon SDK for Python (Boto Documentation): Amazon Python SDK for enforcing a minimum TLS version
• Amazon CLI: Amazon CLI for enforcing a minimum TLS version using Python
• Amazon SDK for C++: Amazon C++ SDK for enforcing a minimum TLS version
• Amazon SDK for Ruby: Amazon Ruby SDK for enforcing a minimum TLS version
• Amazon SDK for JavaScript v3: Amazon SDK for JavaScript v3 for enforcing a minimum TLS version
• Amazon SDK for Java v2: Amazon Java v2 SDK for enforcing a minimum TLS version
• Amazon SDK for Java v1: Amazon Java v1 SDK for enforcing a minimum TLS version
• Amazon SDK for JavaScript: Amazon JavaScript SDK for enforcing a minimum TLS version
  

Will I be notified if I am using TLS 1.0 or TLS 1.1?

If we detect that you are using TLS 1.0 or TLS 1.1, you will be notified on your Amazon Health Dashboard, and you will receive email notifications. However, you will not receive a notification for connections you make anonymously to Amazon Web Services shared resources, such as a public Amazon Simple Storage Service (Amazon S3) bucket, because we cannot identify anonymous connections. Furthermore, while we will make every effort to identify and notify every customer, there is a possibility that we may not detect infrequent connections, such as those that occur less than monthly.

Is there more assistance available to help verify or update my client software?

If you have any questions or issues, you can contact Amazon Web Services Support or your Technical Account Manager (TAM).