SSM CloudWatch Agent Plugin requires TLS 1.0


On an EC2 instance running Windows Server 2016

I used this tool to update the cipher suite:
https://www.nartac.com/Products/IISCrypto/Default.aspx

In the CLIENT protocols, I only allow TLS 1.1 or TLS 1.2; that is, I disable outbound TLS 1.0 connections. After rebooting the server for the change to take effect, I start seeing the following error:

C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-cloudwatch.log

2019-10-10 19:54:21,432 WARN aws:cloudWatch - Call CloudWatch API failed when uploading metric data, retrying. A WebException with status ReceiveFailure was thrown.

If I re-enable TLS 1.0, then the agent starts working again.

We need to be able to disable TLS 1.0 as part of our cybersecurity review.

I believe the underlying problem is that the AWS.CloudWatch.exe plugin is using an old version of the .NET Framework that does not support newer TLS protocols by default. The fix would be either to upgrade to a more recent version of .NET or to explicitly include new TLS support as described here:

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

Edited by: lakers on Oct 10, 2019 2:13 PM

lakers, asked 5 years ago, 986 views
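The failure mode described in the question can be reproduced outside the plugin. The following PowerShell script is an added example, not code from the original post or from AWS: it reads the SCHANNEL client-side protocol settings that IIS Crypto writes, then attempts a TLS handshake to the CloudWatch endpoint at each of TLS 1.0, 1.1 and 1.2 in turn. The region endpoint is an assumption; substitute your own. When TLS 1.0 is disabled in SCHANNEL, the TLS 1.0 attempt fails while 1.1 and 1.2 succeed, which is exactly the situation a client that only offers TLS 1.0 (such as one running on the CLR 2.0 defaults) ends up in.

```powershell
# Added example (not from the original post): show SCHANNEL client state and
# test a handshake to CloudWatch at each TLS version.
$Endpoint = 'monitoring.us-east-1.amazonaws.com'   # assumed region; change as needed
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientState {
    param([string]$Protocol)   # e.g. 'TLS 1.0'
    $key = Join-Path $Base "$Protocol\Client"
    if (-not (Test-Path $key)) { return 'not set (OS default)' }
    $p = Get-ItemProperty -Path $key
    if ($p.Enabled -eq 0)           { return 'disabled (Enabled=0)' }
    if ($p.DisabledByDefault -eq 1) { return 'disabled by default (DisabledByDefault=1)' }
    return 'enabled'
}

function Test-TlsHandshake {
    param(
        [string]$TargetHost,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Offer only the one named version, so a failure here means any client
        # limited to that version (like the CLR 2.0 plugin) would fail the same way.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        return "OK   (negotiated $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm))"
    } catch {
        return "FAIL ($($_.Exception.GetBaseException().Message))"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

$versions = [ordered]@{
    'TLS 1.0' = [System.Security.Authentication.SslProtocols]::Tls
    'TLS 1.1' = [System.Security.Authentication.SslProtocols]::Tls11
    'TLS 1.2' = [System.Security.Authentication.SslProtocols]::Tls12
}

foreach ($name in $versions.Keys) {
    "{0,-8} SCHANNEL client: {1}" -f $name, (Get-SchannelClientState $name)
}
foreach ($name in $versions.Keys) {
    "{0,-8} handshake to {1}: {2}" -f $name, $Endpoint, (Test-TlsHandshake $Endpoint $versions[$name])
}
```

Run it in an elevated PowerShell session on the instance before and after the IIS Crypto change. The registry check tells you what policy is in force; the handshake check tells you what that policy does to a live connection, so you can confirm the agent's "ReceiveFailure" is the TLS 1.0 client disablement rather than, for example, an egress firewall rule.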
1 Answer
Accepted Answer

Ran into this as well after locking down the client portion of SCHANNEL. I was able to keep TLSv1.0 disabled in schannel and set the supportedRuntime version for AWS.CloudWatch.exe from v2.0.50727 to v4.6.2. I believe Microsoft began supporting TLSv1.1 in the 4.6 Framework, which is why I landed there. Wanted to take the smallest jump possible.

After restarting the AmazonSSMAgent service, logs started flowing into CloudWatch. Of course, make this change at your own risk! Hopefully Amazon will have an update which takes care of this automatically.

C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.exe.config

<configuration>
  <startup>
    <!-- previously pinned to version="v2.0.50727"; changed so the plugin runs on the 4.x CLR -->
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client" />
    <supportedRuntime version="v4.6.2" />
  </startup>
  <runtime>
.....

Edited by: Schizm on Nov 15, 2019 1:28 PM

Schizm
answered 4 years ago
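The accepted answer's change can be applied in a repeatable way. The following PowerShell script is an added example, not code from the answer or from AWS: it confirms that .NET Framework 4.6.2 or later is installed (the `Release` value 394802 is the 4.6.2 marker; 394806 appears on some OS builds), backs up AWS.CloudWatch.exe.config, rewrites the `supportedRuntime` entries under `<startup>` to the two lines the answer shows, restarts the AmazonSSMAgent service and tails the plugin log from the question. The paths come from the page; the 30-second wait before reading the log is an assumption.

```powershell
# Added example (not from the original post): apply the answer's
# supportedRuntime change with a backup, then restart the agent and tail its log.
$ConfigPath = 'C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.exe.config'
$LogPath    = 'C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-cloudwatch.log'

# .NET 4.6.2 sets Release >= 394802 under this key (394806 on some OS builds).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction Stop
if ($ndp.Release -lt 394802) {
    throw "Need .NET Framework 4.6.2 or later; found Release=$($ndp.Release)"
}

# Keep a timestamped copy so the change can be reverted if the plugin misbehaves.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $ConfigPath -Destination $backup
"backup written to $backup"

[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$startup = $cfg.configuration.SelectSingleNode('startup')
if (-not $startup) {
    # <startup> must be the first child of <configuration> for the CLR to honour it.
    $startup = $cfg.configuration.PrependChild($cfg.CreateElement('startup'))
}

# Snapshot the existing entries (the stock file pins v2.0.50727), then remove them.
foreach ($old in @($startup.SelectNodes('supportedRuntime'))) {
    "removing supportedRuntime version=$($old.GetAttribute('version'))"
    [void]$startup.RemoveChild($old)
}

# Same two entries the accepted answer shows.
$rt1 = $cfg.CreateElement('supportedRuntime')
$rt1.SetAttribute('version', 'v4.0')
$rt1.SetAttribute('sku', '.NETFramework,Version=v4.0,Profile=Client')
$rt2 = $cfg.CreateElement('supportedRuntime')
$rt2.SetAttribute('version', 'v4.6.2')
[void]$startup.AppendChild($rt1)
[void]$startup.AppendChild($rt2)
$cfg.Save($ConfigPath)
"updated $ConfigPath"

# The plugin is hosted by the SSM agent, so restart that service (as the answer does).
Restart-Service -Name AmazonSSMAgent
Start-Sleep -Seconds 30   # assumed settle time before the first metric upload

# After a successful change there should be no new "ReceiveFailure" lines here.
Get-Content -Path $LogPath -Tail 20
```

Keep the `.bak` file until the next SSM agent update: the agent installer may overwrite the plugin's config, so check the `supportedRuntime` lines again after any agent upgrade and rerun the script if they have reverted.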
