Title: AWS re:Inforce 2024 - Cloud upgrade: Modern TLS encryption for all AWS service connections (DAP304)
Insights:
- Session Overview: The session focused on upgrading AWS service connections using modern Transport Layer Security (TLS) protocols, specifically requiring a minimum of TLS 1.2 and enabling TLS 1.3.
- Key Participants: Janelle Hopper (Principal Technical Program Manager, AWS Security), Stephen Colison (Senior Software Development Engineer, EC2 Load Balancing Team), and Mark Ryland (Director, AWS Security).
- Importance of TLS: TLS is crucial for securing connections to AWS service endpoints, impacting all API calls, including those to S3, Kinesis, and EC2.
- Deprecation of TLS 1.0 and 1.1: AWS has removed support for TLS 1.0 and 1.1 due to known vulnerabilities, despite having mitigations in place. This change simplifies audits and aligns with compliance standards.
- Global Rollout: The upgrade to TLS 1.2 or higher was a nearly two-year effort covering over 9,000 public service API endpoints across 200 global services. AWS detected 185,000 accounts using outdated TLS versions and notified them to update their clients.
- Performance Improvements with TLS 1.3: TLS 1.3 reduces the number of network round trips required for a handshake, improving connection performance, especially over long network links.
- Compatibility Challenges: AWS faced compatibility challenges because of the heterogeneous mix of clients connecting to its endpoints. It used a phased rollout and monitoring to catch incompatibilities early and minimize disruption.
- Monitoring and Rollback: AWS implemented advanced monitoring techniques to detect issues during the rollout and used rollback and sidelining strategies to address compatibility problems without affecting all clients.
- Future of TLS and Post-Quantum Cryptography: AWS is preparing for the future with post-quantum cryptography and the adoption of HTTP/3 and QUIC to further enhance security and performance.
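The TLS 1.2 floor from the customer's side, as an added example (not code from the session or from AWS): it scans CloudTrail-style records for API calls made below the floor, grouping them by principal and user agent so the owning team can be told which client to update, and it goes one step beyond the session by building a client-side SSL context that refuses anything older than TLS 1.2. The events are constructed; their field layout (userAgent, userIdentity.arn, tlsDetails.tlsVersion) follows the CloudTrail event format as I know it, which is an assumption to check against your own trail.

```python
"""Inventory of API calls made below a TLS floor, CloudTrail-style.

Added example, not from the session. The events are constructed; their
shape (userAgent, userIdentity.arn, tlsDetails.tlsVersion) follows the
CloudTrail event format as I know it, an assumption to verify against a
real trail before relying on this.
"""
import ssl
from collections import Counter, defaultdict

# Constructed sample events (not real CloudTrail data; 111122223333 is a placeholder account).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userAgent": "aws-sdk-java/1.11.100 Java_HotSpot/1.7.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/legacy-batch"},
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA"}},
    {"eventSource": "kinesis.amazonaws.com", "eventName": "PutRecord",
     "userAgent": "Boto/2.38.0 Python/2.7.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ingest"},
     "tlsDetails": {"tlsVersion": "TLSv1.1", "cipherSuite": "ECDHE-RSA-AES128-SHA"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userAgent": "aws-sdk-go-v2/1.24.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256"}},
    # Some event types carry no tlsDetails at all; the scan must not guess for them.
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userAgent": "Mozilla/5.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
]

MINIMUM_TLS = "TLSv1.2"  # the floor the session describes


def parse_tls_version(version):
    """'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2); None if the value is not a TLS version string."""
    if not isinstance(version, str) or not version.startswith("TLSv"):
        return None
    major, _, minor = version[4:].partition(".")
    try:
        return (int(major), int(minor or 0))
    except ValueError:
        return None


def count_by_version(events):
    """Calls per TLS version; events without tlsDetails land in 'unknown'."""
    counts = Counter()
    for ev in events:
        counts[(ev.get("tlsDetails") or {}).get("tlsVersion", "unknown")] += 1
    return dict(counts)


def find_outdated_clients(events, minimum=MINIMUM_TLS):
    """Map (principal ARN, user agent) -> set of TLS versions observed below the floor."""
    floor = parse_tls_version(minimum)
    outdated = defaultdict(set)
    for ev in events:
        version = (ev.get("tlsDetails") or {}).get("tlsVersion")
        parsed = parse_tls_version(version)
        if parsed is None:  # no usable tlsDetails on this event: skip rather than guess
            continue
        if parsed < floor:
            key = (ev["userIdentity"]["arn"], ev.get("userAgent", "unknown"))
            outdated[key].add(version)
    return dict(outdated)


def hardened_client_context():
    """Client-side floor: refuse anything below TLS 1.2; TLS 1.3 is negotiated when the server offers it."""
    ctx = ssl.create_default_context()  # certificate verification and hostname checking stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(count_by_version(SAMPLE_EVENTS))
    for (arn, agent), versions in find_outdated_clients(SAMPLE_EVENTS).items():
        print(f"UPDATE NEEDED: {arn} via {agent!r} used {sorted(versions)}")
```

Grouping by (principal, user agent) rather than by account mirrors the session's notification approach: the user agent identifies the SDK or runtime that needs upgrading, and the principal identifies who owns it. Passing `minimum="TLSv1.3"` turns the same scan into a readiness report for a future TLS 1.3 floor.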
Quotes:
- "We raise the security bar, reduce complexity, and simplify your audits."
- "We rolled this out gradually on a server-by-server basis, doing this almost nearly two years."
- "TLS 1.3 improves this by collapsing those two operations into one by having the client choose a key exchange algorithm it thinks the server will support ahead of time."
- "Our TLS 1.2 implementations and configurations are still hardened against known attacks."
- "We meticulously locked down this data with various security controls to ensure we maintain data privacy."
- "One exciting note I think is per our recent testing, it appears that we are the first major cloud provider to successfully remove these outdated TLS protocols."
- "We found that this is an issue because if there's an issue for a small subset of clients, their failure rate may not meaningfully change the overall success rate into our multi-tenant endpoints."
- "Our approach, whether we were rolling back or sidelining, was to reach out to customers and we have our corpus of client-side risks that we used to give customers actions to update their clients."
- "By adding TLS 1.3 support to our endpoints, it's really raising the security ceiling."
- "The expectation and hope is that you can solve all kinds of new challenges that are, for example, in especially things like modeling nature, right? Physics and chemistry."
- "If we don't start working on this problem now, by the time the risk becomes real, it'll be too late because of the difficulty of upgrading all our systems."
- "We've learned a lot of lessons about things like sidelining and how to do this at scale and so we can apply those same learnings in this case."
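The monitoring problem described in the quotes above (a small client population failing without moving the aggregate success rate of a multi-tenant endpoint) as an added example, not AWS's own monitoring code: traffic is tallied per client family and per rollout phase, so a per-client regression is flagged even when the endpoint-wide rate stays above its alarm threshold. The traffic table is constructed; the client names, phase labels and thresholds are assumptions.

```python
"""Detect rollout regressions hidden inside an aggregate success rate.

Added example, not AWS's monitoring code. The traffic below is constructed:
a mix of client families before and after a hypothetical endpoint change,
with one small legacy population breaking while the large ones are unaffected.
"""
from collections import defaultdict

# Constructed fleet: phase -> client family -> (ok, failed) request counts.
SAMPLE_TRAFFIC = {
    "before": {"aws-sdk-java/2": (900, 0), "aws-cli/2": (100, 0), "legacy-client/1": (10, 0)},
    "after":  {"aws-sdk-java/2": (900, 0), "aws-cli/2": (100, 0), "legacy-client/1": (2, 8)},
}


def expand_rows(traffic):
    """Turn the count table into one record per request, the shape an access log provides."""
    rows = []
    for phase, clients in traffic.items():
        for client, (ok, failed) in clients.items():
            rows += [{"phase": phase, "client": client, "ok": True}] * ok
            rows += [{"phase": phase, "client": client, "ok": False}] * failed
    return rows


def tally(rows):
    """{(phase, client): [ok_count, total_count]}"""
    counts = defaultdict(lambda: [0, 0])
    for r in rows:
        key = (r["phase"], r["client"])
        counts[key][1] += 1
        counts[key][0] += int(r["ok"])
    return counts


def overall_rate(rows, phase):
    """Endpoint-wide success rate for one phase: the number a naive alarm watches."""
    ok = total = 0
    for (p, _), (o, t) in tally(rows).items():
        if p == phase:
            ok += o
            total += t
    return ok / total if total else None


def regressed_clients(rows, drop=0.05, min_requests=5):
    """Clients whose success rate fell by more than `drop` from 'before' to 'after'.

    Clients with fewer than `min_requests` in the 'after' phase are ignored so a
    single failed call from a rare client does not trigger a rollback decision.
    """
    rates = {k: (o / t, t) for k, (o, t) in tally(rows).items()}
    flagged = {}
    for (phase, client), (rate, n) in rates.items():
        if phase != "after" or n < min_requests:
            continue
        before = rates.get(("before", client))
        if before is None:  # new client family, nothing to compare against
            continue
        if before[0] - rate > drop:
            flagged[client] = (before[0], rate)
    return flagged


if __name__ == "__main__":
    rows = expand_rows(SAMPLE_TRAFFIC)
    print("overall before:", overall_rate(rows, "before"))
    print("overall after: ", overall_rate(rows, "after"))  # still above a 99% alarm line
    for client, (b, a) in regressed_clients(rows).items():
        print(f"SIDELINE CANDIDATE {client}: {b:.0%} -> {a:.0%}")
```

With these numbers the endpoint-wide rate after the change is 1002/1010, comfortably above a 99% alarm threshold, while the legacy client family dropped from 100% to 20%; only the per-client comparison surfaces it, which is the case for keying rollout metrics by client family rather than by endpoint alone.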