By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to update my S3 object to TLS 1.2 or higher

0

I am currently using AWS CLI with php to save images inside a s3 bucket. I received an email from amazon telling me to update my TLS version.

I have no idea what to do. Is it something that I have to do regarding my s3 buckets information? What are the steps to update the TLS version?

Or maybe it is something regarding my php code?

Thank you and please help!

Topics
StorageManagement & GovernanceInternet of Things (IoT)
Tags
Amazon Simple Storage ServiceAWS Command Line InterfaceTransport Layer Security (TLS)
Language
English
Franco Maldonado
asked a year ago4045 views
3 Answers
1

Amazon S3 now support TLS 1.2. You can enforce using a recent TLS version(TLS 1.2 or higher) when the viewer access content that’s stored in your S3 buckets by using a resource-based policy attached to your bucket. Please review the article below to follow the steps to update the policy attached to the S3 Bucket-https://repost.aws/knowledge-center/s3-enforce-modern-tls

AWS
Nirali Deliwala
answered a year ago
profile picture
EXPERT
Antonio_Lagrotteria
reviewed a year ago
0

Hello,

Few options:

  1. Enforce the bucket policy to use tls1.2 as Nirali highlighted above. This will prevent the workload to access S3 but will ensure S3 accepts TLS 1.2 minimum.
  2. You should upgrade your environment and its dependencies (the OS, the AWS CLI, the PHP version if required) to ensure they support TLS 1.2. It seems you are calling the CLI from PHP though wanted to highlight we also have a SDK for PHP. See guidance on how to upgrade the AWS SDK for PHP: https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_configuration.html#http-handler
  3. For CLI guidance, you can refer to this documentation on how to enforce TLS 1.2, see https://docs.aws.amazon.com/cli/latest/userguide/cli-security-enforcing-tls.html.

Hope it helps, Jon

profile pictureAWS
EXPERT
Jonathan_D
answered a year ago
0

You can enforce using TLS 1.2 or higher for all connections to your S3 buckets by using a resource-based policy attached to your bucket.

To set a bucket policy that requires TLS versions 1.2 or higher:

Go to the S3 console. Select the bucket from the list. Navigate to the Permissions tab. Under Bucket Policy, select Edit. Add a policy to deny access to the encryption protocols that you want to prevent. For example, use the following policy to deny all HTTPS requests that use TLS versions lower than 1.2:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "EnforceTLSv12orHigher", "Principal": { "AWS": "" }, "Action": ["s3:"], "Effect": "Deny", "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*", "arn:aws:s3:::DOC-EXAMPLE-BUCKET" ], "Condition": { "NumericLessThan": { "s3:TlsVersion": 1.2 } } } ] }

Confirm that you are using modern encryption protocols for S3 To test your new policy, use the following example curl command to make HTTPS requests using a specific legacy protocol: curl https://${BUCKET_NAME}.s3.us-east-1.amazonaws.com/image.png -v --tlsv1.0 --tls-max 1.0

The example curl command returns Access Denied as Amazon S3 detects your request is not using TLS 1.2 or higher.

AWS
Hemant Chugh
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content