Multiple recent AWS emails about TLS1.1 or older

0

Hi All. I have had multiple emails recently from AWS with subject line “[ACTION REQUIRED] - Update your TLS connections to 1.2 to maintain AWS endpoint connectivity [AWS Account: 090759423501]”. The key part of the email seems to be

.....................

Please see the following for further details on the TLS 1.0 or TLS 1.1 connections detected from your account between February 25, 2023 and March 13, 2023 (the UserAgent may be truncated due to a limit in the number of characters that can be displayed):

Region | Endpoint | API Event Name | TLS Version | Connection Count | UserAgent
eu-west-1 | dynamodb.eu-west-1.amazonaws.com | DescribeTable | TLSv1 | 324 | aws-sdk-dotnet-45/3.3.1.0 aws-sdk-dotnet-core/3.3.5.0 .NET_Runtime/4.0 .NET_Framework/4.0 OS/Microsoft_Windows_NT_10.0.14393.0 ClientSync Docu

............................

However, my reading of that is that it is a system call from a .net runtime and I’m not really sure what I can do about this.

Your assistance would be appreciated. I typically use AWS resources in two ways: a) scheduled or triggered Lambda calls built directly in the AWS interface or b) calls from c# .net programs coded in Visual Studio

I followed some links to literature that the AWS account manager gave me which suggested

  1. Use the Cloud Trail section of CloudWatch to find log entries where TLS 1.0 or 1.1 was used - I tried this but could find no matching records when I ran the query
  2. Check the general account health dashboard - I did this but no problems are reported there.

Can anyone suggest a course of action here? Thanks, Richard Abbott

RBA
asked a year ago · 838 views
1 Answer
0

Hello Richard,

Thanks for reaching out.

The approach to follow is to use CloudTrail to find an event that uses TLS 1.0 or TLS 1.1. You will get additional information such as SourceIp or the PrincipalID. Here is guidance on how you can use CloudTrail Lake: https://aws.amazon.com/blogs/mt/using-aws-cloudtrail-lake-to-identify-older-tls-connections-to-aws-service-endpoints/. You can use the pre-defined queries there to catch the TLS 1.0/1.1 events.

If this does not return any result, this could mean the workload is stopped or the issue was resolved. Your account manager can reach out internally as well for us to assist with more information so we can check more information for you.

For this specific entry, without more details than this finding, you should follow Microsoft guidance to enable TLS 1.2 at the OS level and upgrade .Net dependencies. Please find below a few links that will shed light on this:

Hope it helps,

Jon

AWS EXPERT
answered a year ago
  • Thanks for your reply Jon. I went through the Cloud Trail process and unless I did something absurdly wrong could find no old TLS events in the last year. But another of the [Action Required] emails came through yesterday so something is still not right. The other tutorials seem to cover only old versions of Windows - I am using Win 11 Pro - and I couldn't see how to apply the principles. So for the moment at least I can't see how to make progress with this. I'll see if I can make contact with my account manager as you suggest. Richard
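The CloudTrail search that both the question (step 1) and the answer describe, written out as an added example that is not part of the original thread and not AWS's own tooling: it reads CloudTrail records in the S3 log-file shape (a top-level Records array), keeps those whose tlsDetails.tlsVersion is TLSv1 or TLSv1.1, and groups them by principal, source IP, region, API and user agent so the host running the old .NET SDK can be located. The records are constructed sample data modelled on the line quoted in the email; the account id, principal id and IP addresses are placeholders. It also counts events that carry no tlsDetails block at all (CloudTrail omits it for some events), since those cannot be classified either way and are one reason a query can come back empty while the emails keep arriving.

```python
"""Flag CloudTrail records that negotiated TLS 1.0 or TLS 1.1.

Works on the JSON shape of a CloudTrail log file delivered to S3 (a top-level
"Records" array). Example code; not part of the original thread.
"""
import json
from collections import Counter

# Versions AWS is retiring. CloudTrail reports the negotiated version in
# tlsDetails.tlsVersion using these exact strings.
LEGACY_TLS_VERSIONS = {"TLSv1", "TLSv1.1"}

# Constructed sample log (placeholder ids and IPs, not real account data):
# two TLS 1.0 calls from the .NET client pattern quoted in the email, one
# TLS 1.2 call, and one event that carries no tlsDetails block.
_DOTNET_UA = ("aws-sdk-dotnet-45/3.3.1.0 aws-sdk-dotnet-core/3.3.5.0 "
              ".NET_Runtime/4.0 .NET_Framework/4.0 "
              "OS/Microsoft_Windows_NT_10.0.14393.0 ClientSync")
_LEGACY_CALL = {
    "eventTime": "2023-03-01T09:12:44Z", "eventSource": "dynamodb.amazonaws.com",
    "eventName": "DescribeTable", "awsRegion": "eu-west-1",
    "sourceIPAddress": "203.0.113.10", "userAgent": _DOTNET_UA,
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL"},
    "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "ECDHE-RSA-AES128-SHA",
                   "clientProvidedHostHeader": "dynamodb.eu-west-1.amazonaws.com"},
}
SAMPLE_LOG = json.dumps({"Records": [
    _LEGACY_CALL,
    dict(_LEGACY_CALL, eventTime="2023-03-02T09:12:51Z"),
    {
        "eventTime": "2023-03-02T10:00:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke", "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.20", "userAgent": "aws-sdk-dotnet-coreclr/3.7.100.0",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL"},
        "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
                       "clientProvidedHostHeader": "lambda.eu-west-1.amazonaws.com"},
    },
    {
        "eventTime": "2023-03-03T08:30:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.30", "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL"},
        # no tlsDetails: cannot be classified
    },
]})


def load_records(raw_json):
    """Return the list of event dicts from a CloudTrail log file body."""
    doc = json.loads(raw_json)
    return doc["Records"] if isinstance(doc, dict) else doc


def classify(record):
    """Return 'legacy', 'modern' or 'unknown' for one CloudTrail record.

    'unknown' covers events with no tlsDetails block, so an empty result for
    a TLSv1/TLSv1.1 filter does not by itself prove no legacy connection ran.
    """
    version = (record.get("tlsDetails") or {}).get("tlsVersion")
    if version is None:
        return "unknown"
    return "legacy" if version in LEGACY_TLS_VERSIONS else "modern"


def summarize_legacy_tls(records):
    """Group legacy-TLS events by the fields needed to locate the caller.

    Returns {'unknown': <count of unclassifiable events>,
             'by_caller': Counter keyed by (principalId, sourceIPAddress,
             awsRegion, eventSource, eventName, tlsVersion, userAgent)}.
    """
    by_caller = Counter()
    unknown = 0
    for rec in records:
        kind = classify(rec)
        if kind == "unknown":
            unknown += 1
        elif kind == "legacy":
            by_caller[(
                rec.get("userIdentity", {}).get("principalId"),
                rec.get("sourceIPAddress"),
                rec.get("awsRegion"),
                rec.get("eventSource"),
                rec.get("eventName"),
                rec["tlsDetails"]["tlsVersion"],
                rec.get("userAgent"),
            )] += 1
    return {"unknown": unknown, "by_caller": by_caller}


if __name__ == "__main__":
    result = summarize_legacy_tls(load_records(SAMPLE_LOG))
    print(f"events without tlsDetails: {result['unknown']}")
    for key, count in result["by_caller"].most_common():
        principal, ip, region, source, name, version, agent = key
        print(f"{count:>5}  {version:<8} {region} {source} {name} {principal} {ip}")
        print(f"       {agent}")
```

Run it against the gzipped log files under the trail's S3 prefix (one JSON document per file) rather than the sample; the grouping key is the same set of columns the CloudTrail Lake query in the linked blog groups on, so the two should agree on which principal and source IP to chase. A high count for one (principalId, sourceIPAddress, userAgent) tuple points at a single host, which is where the OS-level TLS 1.2 setting and the SDK upgrade from the answer need to be applied.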
