[ACTION REQUIRED] - Update your TLS connections to 1.2 to maintain AWS endpoint connectivity [AWS Account: 926257648248]

1

Hi, We received a ticket that says - We have identified TLS 1.0 or TLS 1.1 connections to AWS APIs from your account [AWS Account: 926257648248] that must be immediately updated to maintain AWS connectivity. Please update your client software as soon as possible to use TLS 1.2 to maintain your ability to connect, and avoid an availability impact.

Can you please suggest the action items here? I am unable to follow the wikis attached in the ticket.

asked 2 years ago, 7337 views
4 Answers
1

If this question is related to the AWS SDK for .NET, there is also additional information in the developer guide: https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/enforcing-tls.html

AWS
answered 2 years ago
0

Please check the following official AWS blog first. [1]

[1] TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints | AWS Security Blog
https://aws.amazon.com/jp/blogs/security/tls-1-2-required-for-aws-endpoints/

The blog explains that the following actions should be taken:

・Use CloudTrail to identify clients using TLS 1.0 or 1.1.
・Apply the minimum version of TLS by checking the documentation of the SDKs and other documents in the following blogs [2].

[2] TLS 1.2 to become the minimum for all AWS FIPS endpoints | AWS Security Blog
https://aws.amazon.com/jp/blogs/security/tls-1-2-to-become-the-minimum-for-all-aws-fips-endpoints/

We do not know which SDKs are used in your environment, so please check the documentation of each SDK according to your environment.

We hope this will be helpful.

mn87
answered 2 years ago
  • How can I update the SDK for Android? There is no info about the SDK for Android.

0

How can I update the SDK for Android? There is no info about the SDK for Android.

answered 2 years ago
  • You need to rebuild the Android app using the latest version of the SDK, i.e. update the Gradle dependency if you are using Gradle.

0

When you use AWS resources from an SDK, JDK or command line interface (CLI), you make calls to AWS APIs. These calls use a secure protocol (TLS), and the TLS version is related to the version of the SDK/JDK/CLI used. If you received the notification, it means that some software is accessing your account with a rather old version, and the action to be taken is to update the SDK/JDK/CLI in that software in order to upgrade the TLS version to 1.2. This software can be something developed by your organization, software developed by a third party, or a SaaS you use that integrates with AWS, i.e. backup solutions or a SIEM ingesting your logs.

In this related blog post you find guidance for two actions you can take:

a. Understand what resources are affected. You can find that info in the Personal Health Dashboard for your account (log in to your account and then look for Personal Health Dashboard).

b. Find what calls are using TLS older than 1.2 using CloudTrail logs. These logs will provide some information, like the credentials being used, the IP and the library used. That is usually a clue to find what program is involved in the API calls.

I might also add: check IAM Access Analyzer to find access from other accounts or federated users accessing your account, and review the credential report, as it is likely that an old SDK/JDK/CLI in use is related to a user that has not rotated passwords or access keys.

Update: If the notice is related to CloudFront accessing an S3 origin, you can check this documentation and select TLS 1.2 for the origin access protocol.

Hope this answer clarifies the path for action.

AWS
answered a year ago
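
The CloudTrail step mentioned in the answers above, as an added example that is not part of any answer or of AWS's own tooling: it reads a CloudTrail log file, keeps only records whose `tlsDetails.tlsVersion` is below 1.2, and groups them by library (`userAgent`), source IP and credential. The sample records, user agents, IPs and the `_rec` helper are constructed for illustration.

```python
import json
from collections import Counter

# Values CloudTrail writes to tlsDetails.tlsVersion for pre-1.2 connections.
LEGACY_TLS = {"TLSv1", "TLSv1.1"}

def _rec(version, agent, ip, identity, source="s3.amazonaws.com"):
    """Build one constructed record holding only the fields this example reads."""
    rec = {"eventSource": source, "userAgent": agent,
           "sourceIPAddress": ip, "userIdentity": identity}
    if version:
        rec["tlsDetails"] = {"tlsVersion": version}
    return rec

# Constructed sample in the shape of a CloudTrail log file; not real account data.
OLD_KEY = {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
ROLE = {"type": "AssumedRole",
        "arn": "arn:aws:sts::111122223333:assumed-role/backup/job"}
SAMPLE_LOG = json.dumps({"Records": [
    _rec("TLSv1", "aws-sdk-java/1.6.12", "203.0.113.10", OLD_KEY),
    _rec("TLSv1", "aws-sdk-java/1.6.12", "203.0.113.10", OLD_KEY),
    _rec("TLSv1.2", "aws-cli/2.13.0", "198.51.100.7", OLD_KEY),
    _rec("TLSv1.1", "legacy-backup-agent", "198.51.100.9", ROLE,
         "sts.amazonaws.com"),
    _rec(None, "cloudtrail.amazonaws.com", "cloudtrail.amazonaws.com",
         {"type": "AWSService"}),
]})

def find_legacy_tls_callers(log_text):
    """Count legacy-TLS calls per (version, userAgent, IP, principal, service)."""
    callers = Counter()
    for rec in json.loads(log_text).get("Records", []):
        tls = rec.get("tlsDetails") or {}  # some records carry no tlsDetails
        version = tls.get("tlsVersion")
        if version not in LEGACY_TLS:
            continue
        ident = rec.get("userIdentity") or {}
        # Prefer the access key, since that is what gets rotated or traced.
        principal = (ident.get("accessKeyId") or ident.get("arn")
                     or ident.get("type", "unknown"))
        callers[(version, rec.get("userAgent", "unknown"),
                 rec.get("sourceIPAddress", "unknown"), principal,
                 rec.get("eventSource", "unknown"))] += 1
    return callers

if __name__ == "__main__":
    for key, count in find_legacy_tls_callers(SAMPLE_LOG).most_common():
        print(count, *key, sep="\t")
```

Each output row is one client to upgrade; the access key or role ARN in it can be matched against the credential report mentioned above.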
