
Trying to find the source of TLS 1.0 connection prior to AWS stopping support.

0

It looks like we still have something connecting using TLS 1.0; I set up Cloudtrail logging and went through them according to the guidance from:

[1] https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints
[2] https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-old-tls/
[3] https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking
[4] https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events

But the result I got is somewhat puzzling; the userIdentity.arn is for our root account, and the rest of it is:

eventSource":"s3.amazonaws.com","eventName":"ListObjects","awsRegion":"us-east-1","tlsversion":"TLSv1","ciphersuite":"AES128-SHA","userAgent":"[aws-sdk-java/1.1.9 Linux/2.6.32-431.11.2.el6.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/20.1-b02]","numOutdatedTlsCalls":"516"}

So it looks like it's just listing s3 objects in the bucket, but there is no associated IP, so it's not coming from an EC2 system. Anyone have any thoughts as to how we can get a better idea what this is?

3 Answers
0

This article covers the changes and how to find the sources of TLS 1.0 and 1.1 connections.

https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/

AWS
EXPERT
answered 3 years ago
  • That article's suggestions are in part how I got to what I posted above; in fact, it's one of the four I mentioned using in my question. There isn't really any guidance as to how to interpret the results I found.

0

By enabling CloudTrail logging for the S3 bucket, and enabling CloudWatch for the trail, you should start to see ListObject events by searching the associated log group using the CloudWatch console. I just ran a test where I did the following:

  1. Enable Server access logging for the S3 bucket
  2. Create a new CloudTrail trail for S3 Data Events (and enable CloudWatch logs)
  3. Use CloudWatch / Log Groups to search log streams for ListObject log events

I used the AWS CLI to execute test ls events, and was able to find those events logged that include the sourceIPAddress field.

More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-understanding-s3-entries.html#example-ct-log-s3

AWS
answered 3 years ago
  • I see the ListObject events, they just don't seem to have an IP associated with them.

0

You can also try to isolate the process by adding a bucket policy that denies the ListObject action based on the user agent string.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name",
            "Condition": {
                "StringLike": {
                    "aws:UserAgent": "*aws-sdk-java/1.1.9*"
                }
            }
        }
    ]
}

When searching for Access Denied events in CloudWatch logs, note that the AWS Console will also have aws-sdk-java in the user agent string, so you will have to search for more than that to find events related only to the unknown Java app. The policy will cause the app to fail, which may help identify it, though it runs the risk of disrupting a production workload.

AWS
answered 3 years ago
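As an added example (not code from any of the answers above), a Python script that does the log sifting the second and third answers describe: it walks CloudTrail S3 data-event records, keeps only calls made over TLS 1.0/1.1, optionally only those that ended in AccessDenied (as they would after a Deny policy like the one above), drops console traffic, and groups the rest by principal, user agent and source IP so that a record with no sourceIPAddress is still surfaced rather than silently dropped. The records are constructed, and the substrings used to recognise console user agents are an assumption.

```python
import json
from collections import Counter

# Constructed sample CloudTrail S3 data-event records (not real log data); the
# field layout follows CloudTrail's record format, including tlsDetails.tlsVersion.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:root"}, "sourceIPAddress": "198.51.100.23",
     "userAgent": "[aws-sdk-java/1.1.9 Linux/2.6.32 Java_HotSpot(TM)_64-Bit_Server_VM/20.1-b02]",
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:root"},  # no sourceIPAddress at all
     "userAgent": "[aws-sdk-java/1.1.9 Linux/2.6.32 Java_HotSpot(TM)_64-Bit_Server_VM/20.1-b02]",
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.7",
     "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030]",  # console call
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.7",
     "userAgent": "[aws-cli/2.13.0 md/awscrt#0.16.16]",
     "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256"}},
]})

OUTDATED_TLS = {"TLSv1", "TLSv1.1"}
# Assumed substrings that mark console-originated calls, which also carry aws-sdk-java.
CONSOLE_MARKERS = ("S3Console", "aws-internal")

def is_console_call(user_agent):
    return any(marker in user_agent for marker in CONSOLE_MARKERS)

def summarize(log_text, only_denied=False):
    """Count S3 calls over TLS 1.0/1.1 grouped by (principal ARN, user agent, source IP),
    skipping console traffic. Missing fields are reported as '<none>' so a record with
    no sourceIPAddress is still surfaced; only_denied=True keeps just AccessDenied calls."""
    counts = Counter()
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("tlsDetails", {}).get("tlsVersion") not in OUTDATED_TLS:
            continue
        if only_denied and rec.get("errorCode") != "AccessDenied":
            continue
        user_agent = rec.get("userAgent", "<none>")
        if is_console_call(user_agent):
            continue
        key = (rec.get("userIdentity", {}).get("arn", "<none>"), user_agent,
               rec.get("sourceIPAddress", "<none>"))
        counts[key] += 1
    return counts
```

Run it over the records from a trail's log files (each file is a JSON object with a Records list) to get one row per distinct caller, with the rows lacking an IP called out explicitly.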
