To respond to evolving technology and regulatory standards for Transport Layer Security (TLS), we will be updating the TLS configuration for all AWS service API endpoints to a minimum of version TLS 1.2. We have also added a reference to our new blog post announcing efforts to enable TLS 1.3.Īpril 25, 2023: We’ve updated this blog post to include more security learning resources.Īpril 5, 2023: This post was updated with new references to add the newly recorded Our AWS Supports You | Updating Your Clients to TLS 1.2 session, we added an option for S3 customers to use the Amazon S3 server-access logs to analyze if they are at risk, and lastly we added a link to the AWS Pricing page for further information on associated costs that may be incurred to identify your use of outdated TLS.Īt Amazon Web Services (AWS), we continuously innovate to deliver you a cloud computing environment that works to help meet the requirements of the most security-sensitive organizations. May 23, 2023: This post was revised to indicate that we are continuing to gradually update AWS API endpoints to TLS 1.2 minimum policies between now and December 31, 2023. To avoid a disruption to your AWS workloads, you must update all of your TLS 1.0/ 1.1 software clients no later than 06/28/23. REQUIRE: The Security plugin only accepts REST requests when a valid client TLS certificate is sent.įor the REST management API, the client authentication modes has to be OPTIONAL at a minimum.June 1, 2023: This blog post has been updated to add a timeline to clarify the key dates.OPTIONAL: The Security plugin accepts TLS client certificates if they are sent, but does not require them.NONE: The Security plugin does not accept TLS client certificates.TLS client authentication has three modes: Providing identity information for tools like OpenSearch Dashboards, Logstash, or Beats.Configuring roles and permissions based on a client certificate.Providing an admin certificate when using the REST management API.There are three main usage scenarios for TLS client authentication: With TLS client authentication enabled, REST clients can send a TLS certificate with the HTTP request to provide identity information to the Security plugin. Only works if hostname verification is also enabled. Whether to resolve hostnames against DNS on the transport layer. Whether to verify hostnames on the transport layer. Keep in mind that the Security plugin supports wildcards and regular expressions: All DNs must be included in opensearch.yml on all nodes. The simplest way to configure node certificates is to list the Distinguished Names (DNs) of these certificates in opensearch.yml. It uses node certificates to secure these requests. OpenSearch Security needs to identify requests between the nodes in the cluster. Path to the truststore file, which must be under the config directory, specified using a relative path. The type of the truststore file, JKS or PKCS12/PFX. Path to the keystore file, which must be under the config directory, specified using a relative path. The type of the keystore file, JKS or PKCS12/PFX. If you want, you can use different keystore and truststore files for the REST and the transport layer. The following settings configure the location and password of your keystore and truststore files. For the Security plugin to operate, you need certificates and private keys. Required.Īs an alternative to certificates and private keys in PEM format, you can instead use keystore and truststore files in JKS or PKCS12/PFX format. Path to the root CAs (PEM format), which must be under the config directory, specified using a relative path. Path to the X.509 node certificate chain (PEM format), which must be under the config directory, specified using a relative path. Omit this setting if the key has no password. Path to the certificate’s key file (PKCS #8), which must be under the config directory, specified using a relative path.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |