Configuring TLS settings in domain configurations
AWS IoT Core provides predefined security policies for you to customize your Transport Layer Security (TLS) settings for TLS 1.2 and TLS 1.3 in domain configurations. A security policy is a combination of TLS protocols and their ciphers that determines the protocols and ciphers offered during TLS negotiation between a client and a server. With the supported security policies, you can manage your devices' TLS settings with more flexibility, apply the most up-to-date security measures when connecting new devices, and maintain consistent TLS configurations for existing devices.
The following table describes the security policies, their TLS versions, and supported regions:
| Security policy name | Supported AWS Regions |
|---|---|
| IoTSecurityPolicy_TLS13_1_3_2022_10 | All AWS Regions |
| IoTSecurityPolicy_TLS13_1_2_2022_10 | All AWS Regions |
| IoTSecurityPolicy_TLS12_1_2_2022_10 | All AWS Regions |
| IoTSecurityPolicy_TLS12_1_0_2016_01 | ap-east-1, ap-northeast-2, ap-south-1, ap-southeast-2, ca-central-1, cn-north-1, cn-northwest-1, eu-north-1, eu-west-2, eu-west-3, me-south-1, sa-east-1, us-east-2, us-west-1 |
| IoTSecurityPolicy_TLS12_1_0_2015_01 | ap-northeast-1, ap-southeast-1, eu-central-1, eu-west-1, us-east-1, us-west-2 |
The names of the security policies in AWS IoT Core include version information based on the year and month in which they were released. If you create a new domain configuration without choosing a policy, the security policy defaults to IoTSecurityPolicy_TLS13_1_2_2022_10. For a complete table of security policies with details of protocols, TCP ports, and ciphers, see Security policies. AWS IoT Core doesn't support custom security policies. For more information, see Transport security in AWS IoT Core.
To configure TLS settings in domain configurations, you can use the AWS IoT console or the AWS CLI.
Contents
- Configure TLS settings in domain configurations (console)
- Configure TLS settings in domain configurations (CLI)
Configure TLS settings in domain configurations (console)
To configure TLS settings using the AWS IoT console
- Sign in to the AWS Management Console and open the AWS IoT console.
- To configure TLS settings when you create a new domain configuration, follow these steps.
  - In the left navigation pane, choose Settings, and then, from the Domain configurations section, choose Create domain configuration.
  - In the Create domain configuration page, in the Custom domain settings - optional section, choose a security policy from Select security policy.
  - Follow the widget and complete the rest of the steps. Choose Create domain configuration.
- To update TLS settings in an existing domain configuration, follow these steps.
  - In the left navigation pane, choose Settings, and then, under Domain configurations, choose a domain configuration.
  - In the Domain configuration details page, choose Edit. Then, in the Custom domain settings - optional section, under Select security policy, choose a security policy.
  - Choose Update domain configuration.
For more information, see Create a domain configuration and Manage domain configurations.
Configure TLS settings in domain configurations (CLI)
You can use the create-domain-configuration and update-domain-configuration CLI commands to configure your TLS settings in domain configurations.
1. To specify TLS settings using the create-domain-configuration CLI command:

   ```shell
   aws iot create-domain-configuration \
       --domain-configuration-name domainConfigurationName \
       --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10
   ```

   The output of this command can look like the following:

   ```json
   {
       "domainConfigurationName": "test",
       "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
   }
   ```

   If you create a new domain configuration without specifying the security policy, the value will default to IoTSecurityPolicy_TLS13_1_2_2022_10.

2. To describe TLS settings using the describe-domain-configuration CLI command:

   ```shell
   aws iot describe-domain-configuration \
       --domain-configuration-name domainConfigurationName
   ```

   This command returns the domain configuration details, including the TLS settings, like the following:

   ```json
   {
       "tlsConfig": {
           "securityPolicy": "IoTSecurityPolicy_TLS13_1_2_2022_10"
       },
       "domainConfigurationStatus": "ENABLED",
       "serviceType": "DATA",
       "domainType": "AWS_MANAGED",
       "domainName": "d1234567890abcdefghij-ats.iot.us-west-2.amazonaws.com",
       "serverCertificates": [],
       "lastStatusChangeDate": 1678750928.997,
       "domainConfigurationName": "test",
       "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
   }
   ```

3. To update TLS settings using the update-domain-configuration CLI command:

   ```shell
   aws iot update-domain-configuration \
       --domain-configuration-name domainConfigurationName \
       --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10
   ```

   The output of this command can look like the following:

   ```json
   {
       "domainConfigurationName": "test",
       "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
   }
   ```

4. To update the TLS settings for your ATS endpoint, run the update-domain-configuration CLI command. The domain configuration name for your ATS endpoint is iot:Data-ATS.

   ```shell
   aws iot update-domain-configuration \
       --domain-configuration-name "iot:Data-ATS" \
       --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10
   ```

   The output of the command can look like the following:

   ```json
   {
       "domainConfigurationName": "iot:Data-ATS",
       "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/iot:Data-ATS"
   }
   ```
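The following Python script is an added example and is not part of this page or of the AWS documentation. It ties the naming convention described above (the TLS versions and release date embedded in each policy name) to the CLI workflow: it decodes policy names, audits a batch of describe-domain-configuration results for configurations that still accept TLS 1.0, and builds the parameters for update-domain-configuration. The reading of a name as TLS<max major><max minor>_<min major>_<min minor>_<year>_<month> is an assumption inferred from the table; the `legacy-fleet` configuration and the stripped-down describe outputs are constructed sample data, and the script makes no AWS calls.

```python
"""Audit AWS IoT Core domain configurations for security policies that still
accept old TLS versions, and prepare the matching update parameters.

Added example; assumes the policy-name layout
IoTSecurityPolicy_TLS<max>_<min major>_<min minor>_<year>_<month>.
"""
import re
from dataclasses import dataclass
from datetime import date

# Assumed layout of a policy name, e.g. IoTSecurityPolicy_TLS13_1_2_2022_10
# -> highest protocol TLS 1.3, lowest accepted protocol TLS 1.2, released 2022-10.
POLICY_NAME_RE = re.compile(
    r"^IoTSecurityPolicy_TLS(\d)(\d)_(\d)_(\d)_(\d{4})_(\d{2})$"
)

# Default policy for new domain configurations, as stated on this page.
DEFAULT_POLICY = "IoTSecurityPolicy_TLS13_1_2_2022_10"


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    max_tls: tuple  # highest protocol version offered, e.g. (1, 3)
    min_tls: tuple  # lowest protocol version accepted, e.g. (1, 2)
    released: date  # first day of the release month


def parse_policy(name: str) -> SecurityPolicy:
    """Decode the version information embedded in a security policy name."""
    match = POLICY_NAME_RE.match(name)
    if match is None:
        raise ValueError(f"unrecognised security policy name: {name!r}")
    max_maj, max_min, min_maj, min_min, year, month = match.groups()
    return SecurityPolicy(
        name=name,
        max_tls=(int(max_maj), int(max_min)),
        min_tls=(int(min_maj), int(min_min)),
        released=date(int(year), int(month), 1),
    )


def audit_domain_configurations(configs, floor=(1, 2)):
    """Return one finding per configuration whose policy accepts TLS below `floor`.

    `configs` is a list of dicts shaped like describe-domain-configuration output.
    A configuration with no tlsConfig block is also reported, because its
    effective policy cannot be confirmed from the output alone.
    """
    findings = []
    for cfg in configs:
        name = cfg["domainConfigurationName"]
        policy_name = cfg.get("tlsConfig", {}).get("securityPolicy")
        if policy_name is None:
            findings.append({"domainConfigurationName": name,
                             "securityPolicy": None,
                             "reason": "tlsConfig missing from describe output"})
            continue
        policy = parse_policy(policy_name)
        if policy.min_tls < floor:  # tuple comparison: (1, 0) < (1, 2)
            findings.append({"domainConfigurationName": name,
                             "securityPolicy": policy_name,
                             "reason": f"accepts TLS {policy.min_tls[0]}.{policy.min_tls[1]} "
                                       f"(policy released {policy.released:%Y-%m})"})
    return findings


def update_parameters(domain_configuration_name, policy=DEFAULT_POLICY):
    """Build the arguments for update-domain-configuration.

    The same dict can be passed as keyword arguments to boto3's
    iot.update_domain_configuration(**params); no call is made here.
    """
    parse_policy(policy)  # reject a mistyped policy name before it reaches the API
    return {"domainConfigurationName": domain_configuration_name,
            "tlsConfig": {"securityPolicy": policy}}


# Constructed sample data: "test" and "iot:Data-ATS" appear on this page,
# "legacy-fleet" is invented to show a configuration that needs attention.
SAMPLE_CONFIGS = [
    {"domainConfigurationName": "test",
     "tlsConfig": {"securityPolicy": "IoTSecurityPolicy_TLS13_1_2_2022_10"}},
    {"domainConfigurationName": "legacy-fleet",
     "tlsConfig": {"securityPolicy": "IoTSecurityPolicy_TLS12_1_0_2015_01"}},
    {"domainConfigurationName": "iot:Data-ATS",
     "tlsConfig": {"securityPolicy": "IoTSecurityPolicy_TLS12_1_2_2022_10"}},
]

if __name__ == "__main__":
    for finding in audit_domain_configurations(SAMPLE_CONFIGS):
        print(f"{finding['domainConfigurationName']}: {finding['reason']}")
        print("  remediation:", update_parameters(finding["domainConfigurationName"]))
```

Run as written, the script reports only `legacy-fleet` against the default floor of TLS 1.2; raising the floor to TLS 1.3 with `floor=(1, 3)` also reports the two configurations on the `_1_2_` policies, which is the check to run before moving a fleet to IoTSecurityPolicy_TLS13_1_3_2022_10.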
For more information, see CreateDomainConfiguration and UpdateDomainConfiguration in the AWS API Reference.