SSM Cloudwatch Agent Plugin requires TLS 1.0


On an EC2 instance running Windows Server 2016

I used this tool to update the cipher suite:
https://www.nartac.com/Products/IISCrypto/Default.aspx

In the CLIENT protocols, I only allow TLS 1.1 or TLS 1.2; that is, I disable outbound TLS 1.0 connections. After rebooting the server for the change to take effect, I start seeing the following error:

C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-cloudwatch.log

2019-10-10 19:54:21,432 WARN aws:cloudWatch - Call CloudWatch API failed when uploading metric data, retrying. A WebException with status ReceiveFailure was thrown.

If I re-enable TLS 1.0, then the agent starts working again.

We need to be able to disable TLS 1.0 as part of our cybersecurity review.

I believe the underlying problem is that the AWS.Cloudwatch.exe plugin is using an old version of the .NET framework that does not support newer TLS protocols by default. The fix would be either to upgrade to a more recent version of .NET or to explicitly include new TLS support as described here:

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

Edited by: lakers on Oct 10, 2019 2:13 PM

lakers
Asked 5 years ago, 996 views
1 answer

Accepted answer
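The pieces that decide which TLS version AWS.CloudWatch.exe can negotiate are the SCHANNEL client protocol keys that IIS Crypto writes, the .NET Framework registry overrides described in the Microsoft page linked above (SchUseStrongCrypto and SystemDefaultTlsVersions), and the runtime the plugin's exe.config asks for. The following audit script is an added example, not code from the original post or from AWS; the registry paths are the documented SCHANNEL and .NET locations, and the config path is the one quoted in the accepted answer. Run it in an elevated PowerShell session on the instance.

```powershell
# Added example (not from the original post): audit what decides the TLS version
# AWS.CloudWatch.exe will use on Windows Server 2016. Run elevated.

$schannel     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnetKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
# Path quoted in the accepted answer.
$pluginConfig = 'C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.exe.config'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns 'absent' when the key or value does not exist; for SCHANNEL that
    # means the OS default applies, for .NET it means no override is set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent' }
    return [int]$item.$Name
}

Write-Host '== SCHANNEL client protocols (what IIS Crypto changed) =='
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key      = Join-Path $schannel "$proto\Client"
    $enabled  = Get-RegDword $key 'Enabled'
    $disabled = Get-RegDword $key 'DisabledByDefault'
    # Enabled=0 hard-disables the protocol for every client on the box,
    # including the .NET runtime that hosts the CloudWatch plugin.
    $state = if ($enabled -eq 0)      { 'DISABLED' }
             elseif ($disabled -eq 1) { 'disabled by default' }
             else                     { 'available' }
    '{0,-8} Enabled={1,-7} DisabledByDefault={2,-7} -> {3}' -f $proto, $enabled, $disabled, $state
}

Write-Host '== .NET Framework TLS overrides (1 = strong crypto / follow OS protocol list) =='
foreach ($key in $dotnetKeys) {
    $key
    '   SchUseStrongCrypto={0}  SystemDefaultTlsVersions={1}' -f `
        (Get-RegDword $key 'SchUseStrongCrypto'), (Get-RegDword $key 'SystemDefaultTlsVersions')
}

Write-Host '== Runtime the CloudWatch plugin asks for =='
if (Test-Path $pluginConfig) {
    [xml]$cfg = Get-Content -Path $pluginConfig -Raw
    foreach ($rt in $cfg.configuration.startup.supportedRuntime) {
        '   supportedRuntime version={0} sku={1}' -f $rt.version, $rt.sku
    }
} else {
    "   config not found: $pluginConfig"
}
```

Reading the output: a plugin that loads on the v2.0.50727 runtime with no SystemDefaultTlsVersions or SchUseStrongCrypto override will only offer the old protocol list, so once the TLS 1.0 client key shows DISABLED the ReceiveFailure in amazon-ssm-cloudwatch.log is expected. Either override in the v2.0.50727 keys, or retargeting the plugin to a newer Framework, is what the Microsoft page describes as the fix.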

Ran into this as well after locking down the client portion of SCHANNEL. I was able to keep TLSv1.0 disabled in schannel and set the supportedRuntime version for AWS.CloudWatch.exe from v2.0.50727 to v4.6.2. I believe Microsoft began supporting TLSv1.1 in the 4.6 Framework, which is why I landed there. Wanted to take the smallest jump possible.

After restarting the AmazonSSMAgent service, logs started flowing into CloudWatch. Of course, make this change at your own risk! Hopefully Amazon will have an update which takes care of this automatically.

C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.exe.config

<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client" />
    <supportedRuntime version="v4.6.2" />
  </startup>
  <runtime>
.....

Edited by: Schizm on Nov 15, 2019 1:28 PM

Schizm
Answered 4 years ago
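The change the answer describes can be scripted so it is repeatable and leaves a backup. The script below is an added example, not the answer's own code or anything AWS ships. It assumes .NET Framework 4.6.2 or later is installed (Release 394802 is Microsoft's documented minimum value for 4.6.2), that the config file and service name are the ones quoted on this page, and it writes the supportedRuntime element in the form Microsoft documents (version is the CLR version v4.0, sku names the target Framework) rather than copying the two elements shown in the answer. Run it elevated.

```powershell
# Added example (not from the answer): retarget AWS.CloudWatch.exe to .NET
# Framework 4.6.2 so its default protocol list includes TLS 1.1/1.2, then
# restart the SSM agent. Assumes 4.6.2+ is installed. Run elevated.

$configPath = 'C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.CloudWatch.exe.config'
$targetSku  = '.NETFramework,Version=v4.6.2'   # assumption: 4.6.2 is present

# 1. Refuse to run if the installed Framework is older than the target.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
            -Name Release -ErrorAction Stop).Release
if ($release -lt 394802) { throw "Installed .NET Framework Release $release is older than 4.6.2" }

# 2. Keep a timestamped copy of the shipped config so the change can be reverted.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $configPath -Destination $backup -ErrorAction Stop
"Backup written to $backup"

# 3. Rewrite <startup> so the CLR v4 loader is used and the app is treated as
#    targeting 4.6.2; everything else in the file (e.g. <runtime>) is untouched.
[xml]$cfg = Get-Content -Path $configPath -Raw
$startup = $cfg.configuration.startup
if ($null -eq $startup) {
    $startup = $cfg.configuration.PrependChild($cfg.CreateElement('startup'))
}
# Drop whatever supportedRuntime entries were there (the v2.0.50727 one the answer mentions).
foreach ($old in @($startup.SelectNodes('supportedRuntime'))) { [void]$startup.RemoveChild($old) }
$rt = $cfg.CreateElement('supportedRuntime')
$rt.SetAttribute('version', 'v4.0')
$rt.SetAttribute('sku', $targetSku)
[void]$startup.AppendChild($rt)
$cfg.Save($configPath)

# 4. Restart the agent so the plugin is relaunched on the new runtime.
Restart-Service -Name AmazonSSMAgent -Force

# 5. Verify: new metric uploads should no longer log ReceiveFailure warnings.
Get-Content 'C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-cloudwatch.log' -Tail 20
```

Two caveats: the file lives under the plugin's install directory, so a later SSM agent or plugin update may replace it and silently reintroduce the old runtime target (re-run the audit after updates), and if TLS 1.1 is also to be disabled later the same retarget still works because 4.6.2 targets offer TLS 1.2 as well.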
