By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

S3 Transfer Acceleration + older TLS versions

0

I am getting email notifications about "TLS 1.0 or TLS 1.1 connections to Amazon Simple Storage Service (Amazon S3) objects hosted in your account" for the upcoming June 28, 2023 change to remove older TLS versions.

If I use S3 Transfer Acceleration, will this allow access to my S3 buckets to customers who do not use TLS 1.2 or higher?

This link says Amazon CloudFront allows the use of older TLS versions, so am I correct in thinking that Transfer Acceleration (which uses CloudFront) will also allow the use of older TLS versions?

EDIT: I'm getting email notifications for REST.GET.OBJECT calls with old TLS versions.

I'm looking for clarity on whether Amazon S3 Transfer Acceleration will behave like the S3 bucket (requiring TLS 1.2 after June 23, 2023), or if it will behave like CloudFront (which allows TLS 1.0).

Here is a copy of the email, for reference.

Subject: [ACTION REQUIRED] Update your S3 object access to maintain connectivity [AWS Account: redacted]

We are reaching out because there are TLS 1.0 or TLS 1.1 connections to Amazon Simple Storage Service (Amazon S3) objects hosted in your account. As AWS is updating the TLS configuration for all AWS API endpoints to a minimum of version TLS 1.2 [1], you must take action as soon as possible for these connections to maintain their access to your S3 objects.

What actions can I take to maintain access? To avoid potential interruption, you must update all client software accessing your Amazon S3 objects using TLS 1.0 or 1.1, to use TLS 1.2 or higher. If you are unable or would prefer to not update all impacted clients, we recommend replacing direct client access to the S3 objects with use of a proxy, such as an Amazon CloudFront distribution. This will allow clients to access your S3 objects via Amazon CloudFront using any TLS version you choose to allow. Amazon CloudFront will forward the calls to your S3 objects using TLS 1.2 or higher. For more guidance for how to setup your CloudFront distribution to front your S3 object access, please review this > Knowledge Center article [2].

How can I determine the client(s) I need to update? We have provided the affected S3 bucket(s) in your account following this messaging. In order to gather additional information about the affected objects and user agents performing these calls, we recommend enabling Amazon CloudTrail data events on the affected S3 bucket(s) [3] [4]. The information contained in the S3 data events will help you pinpoint your client software that is responsible for using TLS 1.0 or TLS 1.1, so you may update it accordingly. Additionally, our related AWS Security blog post [1] provides information on how you may use TLS information in the CloudTrail tlsDetails field. Please note there is an associated cost for enabling CloudTrail data events, please see the CloudTrail pricing page for more detail [5]. Another alternative is to use Amazon S3 server-access logs, see the S3 Logging options page for more details and pricing information [6].

How can I enforce connections to my bucket(s) be over TLSv1.2 and above? As a best practice, and to prepare for our enforcement of TLS 1.2 or higher, we recommend you proactively enforce a minimum of TLS 1.2 directly on all of your shared S3 bucket(s). You may do this by applying a bucket policy with the s3:TlsVersion condition key as documented in this Knowledge Center article [7]

If you need further guidance or assistance, please contact AWS Support [8] or your Technical Account Manager.

[1] https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints

[2] https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-old-tls/

[3] https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking

[4] https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events

[5] https://aws.amazon.com/cloudtrail/pricing/

[6] https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html

[7] https://aws.amazon.com/premiumsupport/knowledge-center/s3-enforce-modern-tls/

[8] https://aws.amazon.com/support

Please see the following for S3 buckets in which object-level calls were made over TLS 1.0 or TLS 1.1 connections between April 24, 2023 and May 05, 2023 (the UserAgent may be truncated due to a limit in the number of characters that can be displayed):

Connections details will be in the following format:

Region | Bucket name(s) | APIAction | TLSVersion | NumCalls | UserAgent

us-east-1 | [redacted] | REST.GET.OBJECT | TLSv1 | 47693 | [redacted]

[...]

Topics
StorageNetworking & Content DeliveryInternet of Things (IoT)
Tags
Amazon Simple Storage ServiceAmazon CloudFrontTransport Layer Security (TLS)S3 Transfer Acceleration
Language
English
sonny
asked 2 years ago755 views
2 Answers
2
Accepted Answer

According to AWS Support, it should work.

I have an update from the internal S3 team : The internal team has confirmed that you can use S3 Transfer Acceleration Endpoint to allow HTTPS traffic to your S3 bucket from TLS versions that are earlier than 1.2 - TLS versions (1.0 or 1.1). [...]

More specifically, internal team has stated that CloudFront still supports HTTPS traffic with TLS version below TLS 1.2 and therefore can be used to continue allowing users connect to your S3 bucket using older TLS versions (below TLS 1.2). Moreover since S3 Transfer Acceleration uses the globally distributed edge locations in Amazon CloudFront, thus S3 Transfer Acceleration will also allow use of older TLS versions.

We will know for sure on June 28, 2023 but this is consistent with my testing so far.

https://repost.aws/knowledge-center/s3-enforce-modern-tls

I followed the instructions there to enforce TLS 1.2, and I found that once I enforced TLS 1.2 on my bucket, TLS 1.0 connections to that bucket were rejected. However, the S3 Transfer Acceleration connections continued to accept TLS 1.0.

Bucket Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLSv12orHigher",
      "Principal": {
        "AWS": "*"
      },
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "NumericLessThan": {
          "s3:TlsVersion": 1.2
        }
      }
    }
  ]
}
sonny
answered 2 years ago
profile picture
EXPERT
Oleksii Bebych
reviewed 9 months ago
1

The document you presented is about supporting TLS 1.2 or later for API calls to AWS.
In other words, APIs used for AWS operations, such as "list bucket" are applicable.

CloudFront can use TLS 1.0 as shown in the table in the following document.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html

profile picture
EXPERT
Riku_Kobayashi
answered 2 years ago
profile picture
EXPERT
Oleksii Bebych
reviewed 9 months ago
  • sonny
    2 years ago

    It also applies to REST.GET.OBJECT calls.

    I'm looking for clarity on whether Amazon S3 Transfer Acceleration will behave like the S3 bucket (requiring TLS 1.2 after June 23, 2023), or if it will behave like CloudFront (which allows TLS 1.0).

    I updated my question with a copy of the email, for reference.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content