September 22, 2023

AWS recently announced that TLS 1.2 is going to become the minimum protocol level for API endpoints. The cloud provider will remove backward compatibility and support for versions 1.0 and 1.1 on all APIs and regions by June 2023.


According to AWS, 95% of AWS customers are already using more recent cryptographic protocols and the most common use today of TLS 1.0 or 1.1 are .NET Framework versions earlier than 4.6.2.

Using the recently added tlsDetails field, AWS CloudTrail logs can be monitored to identify if the outdated TLS versions are currently used. AWS recommends parsing the records with CloudTrail Lake, CloudWatch Log Insights or Athena.

CloudWatch Log Insights has two new sample queries that can be used to find log entries where TLS 1.0 or 1.1 was used and find the number of calls per service that used outdated TLS versions.

AWS CLI version 2 already enforces TLS 1.2, the version that is already required for all AWS FIPS endpoints. AWS warns that while most customers still using TLS 1.0 or 1.1 will be notified, not every scenario can be detected by the cloud provider.


To minimize the availability impact of requiring TLS 1.2, AWS is rolling out the changes on an endpoint-by-endpoint basis over the next months. After June 28, 2023, AWS will update the endpoint configuration, even if customers still have connections using older versions.

Leave a Reply

%d bloggers like this: